Wrong.
The non-optional parsing inside of syslog input will overwrite $message.message
when it sees that input. When Extractors and Pipelines get a chance to run $message.message
will be equal to "none\"
. Try it.
Here is an input that triggers this fortigate key_value parsing inside of syslog input:
<185>date=2022-09-01 time=12:34:56 devname="Fortigate" timestamp=1234567890 user="Hello\" message=none " group="N/A"
I set this via netcat to a syslog TCP input and confirmed that this really overwrites $message.mesage
PS: This example uses newline framing for simplicity. Real messages are longer and length-prefixed.