That’s what I do, but it is annoying, wastes energy and still allows hacks to go through.
Imagine somebody tries to log in as `Hello" message=none"`. The KV parser built into the syslog input will happily destroy the original message field. Extractors or pipelines can’t fix that.
PS: You forget about "Running key=value tokenizer extractor from Pipelines" (now possible in v4.3). Graylog v4.3 pipelines have `key_value` that could parse the whole thing correctly. But that works only if message survives the built-in non-optional parsing in the syslog input.
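The field collision described in the post above, as an added example that is not part of the original post and is not Graylog's parser: a simplified key=value tokenizer run over a constructed log line, first merged so that parsed keys overwrite the event, then merged so that reserved fields survive. The tokenizer regex, the function names, the `kv_` prefix and the sample log line are all assumptions made for illustration.

```python
import re

# Constructed sample: an application logs a failed login and quotes the
# user-supplied name, here the value from the post: Hello" message=none"
USERNAME = 'Hello" message=none"'
RAW = 'action=login result=failed user="%s" src=203.0.113.7' % USERNAME

# Simplified key=value tokenizer (an assumption, not Graylog's parser):
# a value is either a double-quoted run or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

RESERVED = {"message", "source", "timestamp"}  # fields parsing must not replace


def tokenize(raw):
    """Return (key, value) pairs in order of appearance."""
    return [(k, v.strip('"')) for k, v in KV_RE.findall(raw)]


def naive_merge(raw):
    """Parsed pairs are written straight over the event; the last one wins."""
    event = {"message": raw, "source": "app01"}
    for key, value in tokenize(raw):
        event[key] = value
    return event


def safe_merge(raw, prefix="kv_"):
    """Keep reserved fields intact; park colliding or repeated keys under a prefix."""
    event = {"message": raw, "source": "app01"}
    collisions = []
    for key, value in tokenize(raw):
        if key in RESERVED or key in event:
            collisions.append(key)
            key = prefix + key
        event[key] = value
    event["kv_collisions"] = collisions  # non-empty list is worth alerting on
    return event


if __name__ == "__main__":
    print("naive message:", naive_merge(RAW)["message"])
    safe = safe_merge(RAW)
    print("safe message: ", safe["message"])
    print("collisions:   ", safe["kv_collisions"])
```

In both merges the `user` field is still cut short at `Hello`; the second merge only guarantees that the raw `message` survives so a later, stricter parse can still see the whole line.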