Keep getting _jsonparsefailures

I am still relatively new to logstash, so I have been trying to run through a bit of a crash course in using it and getting logs to filter correctly. I finally have logs hitting like they should, but I cannot for the life of me figure out how to fix this error, which is in my sampleFile. My conf looks like this:

input {
  tcp {
    port => 9200
    codec => plain
  }
}

filter {
  mutate {
    gsub => [
      "message", "^.* - ", ""
    ]
  }
  json {
    source => "message"
  }
}

output {
  microsoft-sentinel-log-analytics-logstash-output-plugin {
    create_sample_file => true
    sample_file_path => "/tmp/logstash/phisher"
  }
}

And, here is what one of the logs comes through as on the sample file:

  {
    "tags": [
      "_jsonparsefailure"
    ],
    "message": "604 <118>1 - phisher.knowbe4.com PhishER - - - {\"receivedAt\":\"2024-09-23T11:39:26.772199Z\",\"reportedAt\":\"2024-09-23T11:39:17Z\",\"sender\":\"redacted@redacted.com\",\"reporter\":\"redacted@redacted.com\",\"subject\":\"You're Order Has Shipped!  - Order Number\",\"priority\":\"critical\",\"category\":\"threat\",\"status\":\"resolved\",\"tags\":[\"LA_CLOSE_TICKET_SUCCESS\",\"MANUAL_RESOLVED\",\"LA_OPEN_TICKET_SUCCESS\",\"MANUAL\",\"VT_SCANNED\",\"KB4:SHIPPING\",\"KB4:SPF_PASS\",\"KB4:DKIM_PASS\",\"KB4:BILLING\",\"USER:THREAT\"],\"action\":\"Syslog\",\"permalink\":\"https://phisher.knowbe4.com/inbox/3redacted75\"}",
    "ls_timestamp": "2024-09-24T02:59:48.370952470Z",
    "ls_version": "1"
  },

I have a hunch that this section is breaking things:
604 <118>1 - phisher.knowbe4.com PhishER - - -
due to the <118>, so I tried to get the message to split this out, and I have tried some other filtering.

Really, I just want the data that starts at "receivedAt" to be the only thing coming through in the message, so fields of receivedAt, reportedAt, sender, reporter, subject, priority, category, status, tags, action, permalink - all parsed as normal JSON, instead of one long line of data.

It's hard to believe that you are actually running that configuration, since it would modify the [message] field and remove everything up to " Order Number" (there is a - embedded in the subject field of the JSON).

You could try

 mutate { gsub => [ "message", "^.*{", "{" ] }