Can't add multiple categories, but this involves APM as well.
Logs flow apm-agent-java -> stdout -> journald -> rsyslog -> logstash -> elasticsearch.
At the end I end up with a document like this:
{
"message": "{\"@version\":\"1\",\"@timestamp\":\"2019-04-01T15:55:28.060841+00:00\",\"type\":\"rsyslog\",\"message\":\"2019-04-01 15:55:28.059 [apm-reporter] INFO co.elastic.apm.agent.report.IntakeV2ReportingEventHandler - Backing off for 0 seconds (\xB110%)\",\"hostname\":\"my-host\",\"severity\":\"info\",\"facility\":\"daemon\",\"programname\":\"java\",\"procid\":\"29369\",\"msgid\":\"-\"}\n",
"tags": ["_jsonparsefailure"]
}
I assumed it was the \xB1 but have been unable to reproduce using syslog directly: both logger '\xB1' and logger '±' end up with correctly-encoded JSON sent to logstash. Perhaps I need to set something in the process that the APM agent is instrumenting?
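A diagnostic for the two readings of the `\xB1` shown in the document above, as an added example that is not part of the original post: it checks whether a payload fails because it contains the single byte 0xB1 (± in Latin-1, not valid UTF-8) or because it contains the four literal characters `\xB1`, which is not a legal JSON escape. The function name `diagnose` and the sample payloads are constructed for illustration.

```python
import json


def diagnose(raw: bytes) -> str:
    """Say why a JSON payload fails to parse: bad UTF-8 bytes or bad JSON syntax."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        bad = raw[exc.start]
        as_latin1 = bytes([bad]).decode("latin-1")
        return (f"invalid-utf8: byte 0x{bad:02X} at offset {exc.start} "
                f"(latin-1 {as_latin1!r})")
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"invalid-json: {exc.msg} at offset {exc.pos}"
    return "ok"


# Constructed payloads modelled on the log line in the post (not captured data).
PREFIX = b'{"message":"Backing off for 0 seconds ('
SUFFIX = b'10%)"}'
SAMPLES = {
    # The sign encoded as UTF-8 (bytes C2 B1): parses cleanly.
    "utf8": PREFIX + "\u00b1".encode("utf-8") + SUFFIX,
    # The sign written as one Latin-1 byte (B1): not decodable as UTF-8.
    "latin1": PREFIX + "\u00b1".encode("latin-1") + SUFFIX,
    # Backslash, 'x', 'B', '1' as four characters: decodable, but invalid JSON.
    "literal": PREFIX + b"\\xB1" + SUFFIX,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} {diagnose(payload)}")
```

Running it against the raw bytes captured at a hop of the pipeline (for example the TCP payload rsyslog sends to logstash) shows which of the two cases applies there.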