When I echo your original message into logstash, I see a message on stdout that seems to have the right shape:
╭─{ yaauie@castrovel:~/src/elastic/discuss-scratch/126219-udp-codec }
╰─○ echo 'Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user' | "${LOGSTASH_5_4_1}/bin/logstash" -f pipeline.conf
Sending Logstash's logs to /Users/yaauie/src/elastic/releases/logstash-5.4.1/logs which is now configured via log4j2.properties
[2018-03-31T01:11:25,770][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2018-03-31T01:11:25,784][INFO ][logstash.pipeline ] Pipeline main started
[2018-03-31T01:11:25,819][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
{
"@timestamp" => 2018-03-31T01:11:25.800Z,
"ori_message" => "<13> Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user",
"@version" => "1",
"host" => "castrovel.local",
"message" => "Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user"
}
[2018-03-31T01:11:28,800][WARN ][logstash.agent ] stopping pipeline {:id=>"main"}
[success (10.000s)]
And the netcat process that had been running gets a message that also seems appropriate, without injecting any additional content to the string:
╭─{ yaauie@castrovel:~ }
╰─○ nc -lvup 2115
Received packet from 127.0.0.1:65323 -> 127.0.0.1:2115 (local)
<13> Mar 30 13:01:34 host su: pam_unix(su-l:session): session closed for user user
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.