I have customer who ingests logs with CEF filebeat module. There is this field:"event.original:" and it does not index so it is not searchable.
They ingest barracuda logs in this way. But I have trouble on setting up barracuda module. It gives me this error when I enable module and run "sudo filebeat setup -e"
2022-03-15T15:32:39.986Z ERROR instance/beat.go:1015 Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
It basically points to commented out row in barracuda.yml configration file
spamfirewall:
enabled: true
# Set which input to use between udp (default), tcp or file.>>> This row
var.input: udp
var.syslog_host: 0.0.0.0
var.syslog_port: 9524
Seems that I get tthis error just as I uncomment fields in barracuda.yml file.
Should they stay commented out? Asking for a friend 
Maybe I`m doing something wrong with this configuration? I have set up CEF module and it is good. As well as threatintel and works as well, but for some reason this is not working
UPDATE:
I have figured out that when uncommenting these lines it gives error just one line before last uncomment:
Exiting: 1 error: error loading config file: invalid config: yaml: line 8: did not find expected key
Maybe I`m doing something wrong with configuring this module?