We still encounter problems with RFC5424 logs which include comments inside a structured data field. Those comments are encapsulated in quotes and therefore these quotes get escaped.
eventType="PAM:session_closed for acct=\"root\""
It may also be an issue that a second equal (=) sign appears, but I can't tell. This leads to the problem that the whole structured data gets skipped and just unstructured data is parsed. I would assume that it produces an empty field, but that is not the case, so there might be more incorrect interpretations.
Due to GDPR I can't attach the original logs, but escaping characters is a valid RFC5424 procedure which should be fixed in general.
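
For reference, an added example (not part of the original post and not any parser's actual code) of reading STRUCTURED-DATA under the RFC 5424 section 6.3 escaping rules, where `\"`, `\\` and `\]` inside a PARAM-VALUE are unescaped and any other backslash is kept literally. The function name `parse_structured_data`, the SD-ID `audit@32473` and the sample string are assumptions constructed around the `eventType` value quoted above.

```python
# Added example: minimal RFC 5424 STRUCTURED-DATA parser (section 6.3).
ESCAPABLE = '"\\]'   # the only characters a backslash may escape in PARAM-VALUE

# Constructed sample; the SD-ID is hypothetical, the param is the one from the post.
SAMPLE = r'[audit@32473 eventType="PAM:session_closed for acct=\"root\""]'

def parse_structured_data(sd):
    """Return {sd_id: {param_name: value}} for a STRUCTURED-DATA string."""
    if sd == "-":                       # NILVALUE: no structured data present
        return {}
    elements, i, n = {}, 0, len(sd)
    while i < n:
        if sd[i] != "[":
            raise ValueError(f"expected '[' at offset {i}")
        i += 1
        start = i
        while i < n and sd[i] not in " ]":
            i += 1
        params = elements.setdefault(sd[start:i], {})
        while i < n and sd[i] == " ":   # each SD-PARAM is preceded by one space
            i += 1
            start = i
            while i < n and sd[i] != "=":
                i += 1
            name = sd[start:i]
            if sd[i:i + 2] != '="':
                raise ValueError(f"expected '=\"' after {name!r}")
            i += 2
            value = []
            # Only an unescaped quote ends the value; '=' and ' ' are ordinary here.
            while i < n and sd[i] != '"':
                if sd[i] == "\\" and i + 1 < n and sd[i + 1] in ESCAPABLE:
                    i += 1              # drop the backslash, keep the escaped char
                value.append(sd[i])     # invalid escapes keep the backslash as-is
                i += 1
            if i >= n:
                raise ValueError(f"unterminated value for {name!r}")
            i += 1                      # consume the closing quote
            params[name] = "".join(value)
        if i >= n or sd[i] != "]":
            raise ValueError(f"expected ']' at offset {i}")
        i += 1
    return elements

if __name__ == "__main__":
    print(parse_structured_data(SAMPLE))
```
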