I got this to work by just making a separate filter file for anything with the openvpn tag that was originally assigned. But I still get a grok failure even though the message field will correctly parse with the above grok pattern.
Still not sure why that is the case and any help/recommendations are welcome, thanks!