Yes, exactly. Thanks!
This looks like a very strange syslog format. It’s neither compatible with RFC 3164, nor with RFC 5424. It includes a structured data element but it doesn’t contain a syslog version.
And the colon after the PRI field looks like the client omitted the (proprietary) Cisco sequence number.
As things are, I would recommend staying with the Raw/Plaintext input, or using the full_message field created by the Syslog input, and using extractors or pipeline rules to extract/override the desired information from these messages.
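
The extraction logic such an extractor or pipeline rule would need, sketched in Python as an added example (not part of the original post and not Graylog code). The message layout is an assumption, since the thread's sample is not shown here: `<PRI>`, an optional sequence number, a colon, then text that may carry RFC 5424-style structured data. The function name and the sample lines are constructed for illustration.

```python
import re

# Assumed layout (not shown in the post): "<PRI>[seq]: " followed by free text
# that may carry RFC 5424-style structured data such as [id key="value" ...].
HEADER = re.compile(r"^<(\d{1,3})>(\d*):\s*(.*)$", re.DOTALL)
SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s\]=]+="(?:[^"\\]|\\.)*")*)\s*\]')
SD_PARAM = re.compile(r'([^\s\]=]+)="((?:[^"\\]|\\.)*)"')


def parse_hybrid_syslog(line):
    """Return extracted fields, or None if the line lacks the <PRI>: prefix."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    fields = {
        "facility": pri >> 3,
        "level": pri & 7,
        # An empty sequence field is tolerated, as in the case described above.
        "sequence": int(m.group(2)) if m.group(2) else None,
        "message": m.group(3),
    }
    for sd in SD_ELEMENT.finditer(m.group(3)):
        sd_id = sd.group(1)
        for key, value in SD_PARAM.findall(sd.group(2)):
            # Prefix with the SD-ID so params from different elements cannot collide,
            # and undo the RFC 5424 escapes for '"', '\' and ']'.
            fields[f"{sd_id}_{key}"] = re.sub(r'\\(["\\\]])', r"\1", value)
    return fields


# Constructed sample lines, not taken from the thread.
SAMPLE_NO_SEQ = '<189>: [origin@0 ip="192.0.2.10" user="a\\"b"] link state changed'
SAMPLE_WITH_SEQ = '<189>42: [origin@0 ip="192.0.2.10"] link state changed'

if __name__ == "__main__":
    for sample in (SAMPLE_NO_SEQ, SAMPLE_WITH_SEQ, "no pri here"):
        print(parse_hybrid_syslog(sample))
```

Lines that do not start with a valid PRI return `None`, so they can be left as plain text instead of being stored with wrong facility or severity values.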