If you're using a recent version of Rsyslog, you can bypass the need for regular-expression/grok extraction of the raw syslog data with something like this: https://gist.github.com/untergeek/0373ee85a41d03ae1b78
The JSON output module for Rsyslog is awesome that way.
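A sketch of the kind of Rsyslog configuration the comment above describes, added here as an illustration; it is not the content of the linked gist or the commenter's own config. The file name, template name, field names, target host and port are all assumptions.

```conf
# /etc/rsyslog.d/60-json-out.conf  (hypothetical file name)
# Emit every message as one JSON object per line, so the receiver can
# decode fields directly instead of running regex/grok over raw syslog.

template(name="json_lines" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"program\":\"")
    # format="json" escapes quotes, backslashes and control characters.
    # Tag and message text are sender-controlled, so without escaping a
    # crafted message could close the string early and add or overwrite
    # fields in the resulting event.
    property(name="programname" format="json")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\"}\n")
}

# Placeholder target and port: point these at a listener that parses
# newline-delimited JSON. TCP avoids datagram truncation of long events.
action(
    type="omfwd"
    target="logs.example.internal"
    port="5514"
    protocol="tcp"
    template="json_lines"
)
```

The syntax can be checked before reloading with `rsyslogd -N1`.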