@source.service:"LogSearchShipper giving _grokparsefailure-nxlog_standard errors

[mrdavidlaing]

{"message":"<13>1 2014-07-03T14:50:48.934199+01:00 LON-WS01186 - - - [NXLOG@14506 EventReceivedTime=\"2014-07-03 14:50:48\" SourceModuleName=\"file0\" SourceModuleType=\"im_file\" path=\"C:\\\\Dev\\\\temp\\\\Logs\\\\LogSearchShipper\\\\LogsearchShipper.log\" name=\"logsearch-shipper.NET\" module=\"nxlog\" type=\"json\" environment=\"QAT\" host=\"LON-WS01186\" service=\"LogSearchShipper\"] {\"@timestamp\":\"2014-07-03T13:50:37.505Z\",\"Message\":\"2014-07-03 14:50:37 ERROR [im_file.c:489/im_file_check_file()] apr_stat failed on file \\\\\\\\PKH-QAT-APP05\\\\Logs\\\\IIS\\\\Margin.cityindex.co.uk\\\\W3SVC1694659532\\\\*.log; The filename, directory name, or volume label syntax is incorrect.  \",\"logger\":\"nxlog.exe:\",\"level\":\"ERROR\"}\r","@version":"1","@timestamp":"2014-07-03T13:52:00.322Z","host":"54.76.27.169:29572","type":"syslog"}

seems to be triggering a _grokparsefailure-nxlog_standard and ending up with something like this:

{
    "@message": "<13>1 2014-07-03T16:36:03.510593+01:00 LON-WS01186 - - - [NXLOG@14506 EventReceivedTime=\"2014-07-03 16:36:03\" SourceModuleName=\"file0\" SourceModuleType=\"im_file\" path=\"C:\\\\Dev\\\\temp\\\\Logs\\\\LogSearchShipper\\\\LogsearchShipper.log\" name=\"logsearch-shipper.NET\" module=\"nxlog\" type=\"json\" environment=\"QAT\" host=\"LON-WS01186\" service=\"LogSearchShipper\"]",
    "syslog_pri": "13",
    "syslog5424_ver": 1,
    "syslog_program": "-",
    "syslog_message": "- - [NXLOG@14506 EventReceivedTime=\"2014-07-03 16:36:03\" SourceModuleName=\"file0\" SourceModuleType=\"im_file\" path=\"C:\\\\Dev\\\\temp\\\\Logs\\\\LogSearchShipper\\\\LogsearchShipper.log\" name=\"logsearch-shipper.NET\" module=\"nxlog\" type=\"json\" environment=\"QAT\" host=\"LON-WS01186\" service=\"LogSearchShipper\"]",
    "tags": [
      "syslog_standard",
      "_grokparsefailure-nxlog_standard"
    ],

Importantly, note how the actual JSON message seems to be getting lost