Hi @yaauie
From what I can test (at the moment the ELK cluster is still not in production), "...anchoring the pattern to the beginning of the string..." works well and improves performance.
Regarding the pipeline, I'm still testing different rsyslog formats, but using the basic approach (sample configuration) I'm still receiving messages with the wrong severity/facility.
I've tested all the standard rsyslog templates in the rsyslog forwarding rule, with the result that I get a "_grokparsefailure" when I use a different log format:
```
# RSYSLOG_TraditionalFileFormat - the "old style" default log file format with low-precision timestamps
# RSYSLOG_FileFormat - a modern-style logfile format similar to TraditionalFileFormat,
#   but with high-precision timestamps and timezone information
# RSYSLOG_TraditionalForwardFormat - the traditional forwarding format with low-precision timestamps.
#   Most useful if you send messages to other syslogd's or rsyslogd below version 3.12.5.
# RSYSLOG_ForwardFormat - a new high-precision forwarding format very similar to the traditional one, but with
#   high-precision timestamps and timezone information. Recommended to be used when sending
#   messages to rsyslog 3.12.5 or above.
# RSYSLOG_SyslogProtocol23Format - the format specified in IETF's internet-draft ietf-syslog-protocol-23, which is assumed
#   to become the new syslog standard RFC. This format includes several improvements.
#   The rsyslog message parser understands this format, so you can use it together with all
#   relatively recent versions of rsyslog. Other syslogd's may get hopelessly confused if
#   receiving that format, so check before you use it. Note that the format is unlikely to
#   change when the final RFC comes out, but this may happen.
```
... to be continued ....
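As an added illustration of the failure mode described in the comment above (not code from the thread or from Logstash), the following parser tries one anchored pattern per rsyslog forwarding template and decodes facility and severity from the PRI value. Sample lines, the `PATTERNS` table and the function names are all constructed here; running it with only the traditional pattern enabled reproduces the `_grokparsefailure` tag for the other two formats.

```python
import re

# Constructed sample lines (not from the thread), one per rsyslog template, all with PRI <34>
SAMPLES = {
    "RSYSLOG_TraditionalForwardFormat":
        "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "RSYSLOG_ForwardFormat":
        "<34>2003-10-11T22:14:15.003000+02:00 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "RSYSLOG_SyslogProtocol23Format":
        "<34>1 2003-10-11T22:14:15.003Z mymachine su 1234 ID47 - 'su root' failed for lonvick on /dev/pts/8",
}

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One pattern per template, each anchored with ^ so a mismatch fails fast instead of backtracking
PATTERNS = {
    "RSYSLOG_SyslogProtocol23Format": re.compile(
        r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) \S+ \S+ (?:-|\[.*\]) (?P<msg>.*)$"),
    "RSYSLOG_ForwardFormat": re.compile(
        r"^<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"),
    "RSYSLOG_TraditionalForwardFormat": re.compile(
        r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"),
}

def decode_pri(pri):
    """Split the syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 7

def parse_syslog(line, accepted=tuple(PATTERNS)):
    """Try each accepted template in turn; unmatched lines get the Logstash-style failure tag."""
    for name in accepted:
        m = PATTERNS[name].match(line)
        if m:
            facility, severity = decode_pri(m.group("pri"))
            return {"format": name, "facility": facility, "severity": severity,
                    "severity_label": SEVERITIES[severity], "host": m.group("host"),
                    "program": m.group("tag"), "message": m.group("msg")}
    return {"format": None, "tags": ["_grokparsefailure"]}

if __name__ == "__main__":
    for fmt, line in SAMPLES.items():
        print(fmt, parse_syslog(line))
        # A pipeline that only knows the traditional format fails on the other two templates
        print("  traditional-only:", parse_syslog(line, ("RSYSLOG_TraditionalForwardFormat",)))
```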