diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro
index c29215fd86..aa44547567 100644
--- a/scripts/base/frameworks/logging/main.bro
+++ b/scripts/base/frameworks/logging/main.bro
@@ -327,6 +327,11 @@ export {
 ## Log::default_rotation_postprocessor_cmd
 ## Log::default_rotation_postprocessors
 global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool;
+
+ ## The streams which are currently active and not disabled.
+ ## This set is not meant to be modified by users! Only use it for
+ ## examining which streams are active.
+ global active_streams: set[ID] = set();
 }
 
 # We keep a script-level copy of all filters so that we can manipulate them.
@@ -412,11 +417,15 @@ function create_stream(id: ID, stream: Stream) : bool
 if ( ! __create_stream(id, stream) )
 return F;
 
+ add active_streams[id];
+
 return add_default_filter(id);
 }
 
 function disable_stream(id: ID) : bool
 {
+ delete active_streams[id];
+
 return __disable_stream(id);
 }
 
diff --git a/scripts/policy/tuning/logs-to-elasticsearch.bro b/scripts/policy/tuning/logs-to-elasticsearch.bro
index b4d16a19a1..44fc3800b8 100644
--- a/scripts/policy/tuning/logs-to-elasticsearch.bro
+++ b/scripts/policy/tuning/logs-to-elasticsearch.bro
@@ -4,7 +4,7 @@ module LogElasticSearch;
 export {
 ## An elasticsearch specific rotation interval.
- const rotation_interval = 24hr &redef;
+ const rotation_interval = 3hr &redef;
 
 ## Optionally ignore any :bro:type:`Log::ID` from being sent to
 ## ElasticSearch with this script.
 
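Review bot: The doc comment on `active_streams` says the set must not be modified but not what keeps it current, and because it is declared `global` inside the export block nothing in the hunk stops other scripts from doing `add`/`delete` on it. Suggest extending the comment so readers know the contract: `## Maintained by Log::create_stream (adds the id) and Log::disable_stream (removes it); treat it as read-only.` The export block itself starts before the hunk and is closed by the `}` context line at its end.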
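Review bot: `disable_stream` removes the id from `active_streams` before `__disable_stream` has reported whether the core actually disabled the stream, so when that call returns F the script-level set no longer matches the core's view and consumers iterating `Log::active_streams` silently skip a stream that is still live. Suggest making the bookkeeping conditional on the result: `local ok = __disable_stream(id);` / `if ( ok ) delete active_streams[id];` / `return ok;`. In `create_stream` the `add` happens after `__create_stream` succeeded but before `add_default_filter(id)` returns; that is probably fine since the stream exists in the core by then, but a short comment saying so would help. If the framework has another path that retires a stream outside `disable_stream`, it would need the matching `delete` as well; `create_stream`'s header and opening lines are outside the hunk.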
@@ -17,29 +17,17 @@ export {
 const send_logs: set[string] = set() &redef;
 }
 
-module Log;
-
 event bro_init() &priority=-5
 {
- local my_filters: table[ID, string] of Filter = table();
-
- for ( [id, name] in filters )
+ for ( stream_id in Log::active_streams )
 {
- local filter = filters[id, name];
- if ( fmt("%s", id) in LogElasticSearch::excluded_log_ids ||
- (|LogElasticSearch::send_logs| > 0 && fmt("%s", id) !in LogElasticSearch::send_logs) )
+ if ( fmt("%s", stream_id) in excluded_log_ids ||
+ (|send_logs| > 0 && fmt("%s", stream_id) !in send_logs) )
 next;
 
- filter$name = cat(name, "-es");
- filter$writer = Log::WRITER_ELASTICSEARCH;
- filter$interv = LogElasticSearch::rotation_interval;
- my_filters[id, name] = filter;
- }
-
- # This had to be done separately to avoid an ever growing filters list
- # where the for loop would never end.
- for ( [id, name] in my_filters )
- {
- Log::add_filter(id, filter);
+ local filter: Log::Filter = [$name = "default-es",
+ $writer = Log::WRITER_ELASTICSEARCH,
+ $interv = LogElasticSearch::rotation_interval];
+ Log::add_filter(stream_id, filter);
 }
 }
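Review bot: The handler only attaches the ElasticSearch filter to streams that are already in `Log::active_streams` when it runs at `&priority=-5`, so a stream created by a lower-priority `bro_init` handler or later at runtime is never exported, and that ordering assumption is not written down anywhere in the new code. Suggest a comment above the event: `# Runs at priority -5 so that streams created by bro_init handlers at the default priority are already in Log::active_streams; streams created later are not picked up.` Separately, now that the handler is in module LogElasticSearch, `excluded_log_ids` and `send_logs` are referenced unqualified while `$interv = LogElasticSearch::rotation_interval` keeps the prefix; `$interv = rotation_interval` would be consistent within the same record constructor. Dropping the two-pass `my_filters` table is a genuine improvement, since iterating `active_streams` while adding filters no longer mutates the set being walked.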