While setting up log collection using Rsyslog, the error below was found in the logs when the syslog message is converted to JSON.
ERROR:
***********
[2025-08-01T12:14:11,631][WARN ][logstash.filters.json ][main][xxxxxxxx] Error parsing json {:source=>"message", :raw=>"{\"syslog_timestamp\":\"2025-08-01T12:13:31.879098+04:00\",\"syslog_pri\":\"7\",\"syslog_ver\":\"1\",\"tenant_id\":\"<Tenant-id>\",\"syslog_message\":\" HOME=\\\",\"host\":\"Spectrum\",\"syslog_severity\":\"debug\",\"syslog_facility\":\"kern\",\"syslog_severity_code\":\"7\",\"syslog_facility_code\":\"0\",\"syslog_program\":\"kernel\",\"syslog_pid\":\"-\",\"syslog_hostname\":\"Spectrum\",\"syslog_priority\":\"7\"}", :exception=>#<LogStash::Json::ParserError: Unexpected character ('h' (code 104)): was expecting comma to separate Object entries
at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 173]>}
DX SAAS
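Only one error appears after the restart of the log collector. It seems the message contains backslashes (HOME=\\\), which is causing the issue: the backslash at the end of the syslog_message value escapes the closing quotation mark, so the parser reads past the end of the value and fails at the 'h' of "host".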
To fix the issue, comment out lines 234 and 235 in the logcollector.conf file and add the "message", '\\"', '\\\\"' from below.
[logstash.filters.json ][main][xxxxxxxx Error parsing json {:source=>"message", :raw=>"{\"syslog_timestamp\":\"2025-08-01T12:13:31.879098+04:00\",\"syslog_pri\":\"7\",\"syslog_ver\":\"1\",\"tenant_id\":\"<teanamt_id>\",\"syslog_message\":\" HOME=\\\",\"host\":\"Spectrum\",\"syslog_severity\":\"debug\",\"syslog_facility\":\"kern\",\"syslog_severity_code\":\"7\",\"syslog_facility_code\":\"0\",\"syslog_program\":\"kernel\",\"syslog_pid\":\"-\",\"syslog_hostname\":\"Spectrum\",\"syslog_priority\":\"7\"}", :exception=>#<LogStash::Json::ParserError: Unexpected character ('h' (code 104)): was expecting comma to separate Object entries
at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 173]>}
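The following is an added example, not part of the original article or of the product's configuration. It shows in Python why a message ending in a backslash breaks a JSON document built by plain string substitution, and that escaping each value first avoids both the parse error and silent changes to the logged text. The reduced field set, the function names and the sample messages are constructed for illustration.

```python
import json

# Constructed sample messages; the first mirrors the " HOME=\" value in the error above.
SAMPLES = [" HOME=\\", "boot ok", "path=C:\\temp"]


def render_raw(msg, host="Spectrum"):
    """Build the event by plain string substitution, with no escaping."""
    return '{"syslog_message":"%s","host":"%s"}' % (msg, host)


def render_escaped(msg, host="Spectrum"):
    """Build the event with JSON string escaping applied to every value."""
    return '{"syslog_message":%s,"host":%s}' % (json.dumps(msg), json.dumps(host))


def check(payload, original):
    """Parse the payload and compare the recovered message with the original."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        # Report the parser's complaint and the character it stopped on.
        return "parse error: %s before %r" % (exc.msg, payload[exc.pos:exc.pos + 1])
    if doc.get("syslog_message") != original:
        # Parsed, but a backslash sequence was read as an escape (e.g. \t as a tab).
        return "altered"
    return "ok"


def audit(messages):
    """Return (message, raw result, escaped result) for each message."""
    return [(m, check(render_raw(m), m), check(render_escaped(m), m)) for m in messages]


if __name__ == "__main__":
    for msg, raw, esc in audit(SAMPLES):
        print("%-16r raw=%s | escaped=%s" % (msg, raw, esc))
```

The third sample parses without error in the unescaped form but comes back with a tab in place of `\t`, which is why a clean parse alone does not show that the stored message matches what was logged.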