logstash-plugins / logstash-patterns-core

Syslog logs might not get parsed properly

purbon opened this issue

See #10 for more details (closed because of very long inactivity). For a more detailed error description, see elastic/logstash#1734.

From the main issue:


I figured I'd report the logs we're seeing from the syslog input plugin that aren't being parsed properly. The vast majority are being parsed just fine, but there are three edge cases that aren't.

This one fails because "Server Administrator" has a space in it:

<30>2014-09-15T11:35:55.965491-05:00 hostname Server Administrator: Storage Service EventID: 2243 The Patrol Read has stopped.: Controller 0 (PERC H800 Adapter) 

This one fails because there's no message:

<4>2014-09-14T23:21:38.214167-05:00 hostname kernel:

This one fails because "run-parts(/etc/cron.hourly)" has parentheses in it. I've discussed this one with whack in the IRC channel, and he said this should be fixed in the next release, but I figured it should be documented:

<77>2014-09-15T06:01:01.687109-05:00 hostname run-parts(/etc/cron.hourly)[25969]: starting 0anacron
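
An added example, not part of the issue and not code from logstash-patterns-core: the three lines above run through a parser that expects a single-token program name and a non-empty message, next to a tolerant pattern that accepts all three and still decodes the PRI value. `STRICT`, `TOLERANT` and `parse_syslog` are hypothetical names, and `STRICT` is an assumed shape chosen to reproduce the three failure reasons, not the project's actual grok pattern.

```ruby
# Added illustration; all names here are hypothetical, not Logstash APIs.

# Sample input constructed from the three lines quoted in the issue.
SAMPLES = {
  space:  '<30>2014-09-15T11:35:55.965491-05:00 hostname Server Administrator: ' \
          'Storage Service EventID: 2243 The Patrol Read has stopped.: ' \
          'Controller 0 (PERC H800 Adapter)',
  empty:  '<4>2014-09-14T23:21:38.214167-05:00 hostname kernel:',
  parens: '<77>2014-09-15T06:01:01.687109-05:00 hostname ' \
          'run-parts(/etc/cron.hourly)[25969]: starting 0anacron'
}.freeze

# Shared header: <PRI>, timestamp token, host token.
HEADER = /<(?<pri>\d{1,3})>(?<timestamp>\S+) (?<host>\S+) /

# Assumed strict shape: program is one token of word chars, dots, slashes
# and dashes, and ": " must be followed by at least one message character.
STRICT = /\A#{HEADER}(?<program>[\w.\/-]+)(?:\[(?<pid>\d+)\])?: (?<message>.+)\z/

# Tolerant shape: program is everything up to the optional "[pid]" and the
# first colon (spaces and parentheses allowed); the message may be absent.
TOLERANT = /\A#{HEADER}(?<program>[^:\[\]]+?)(?:\[(?<pid>\d+)\])?:(?: (?<message>.*))?\z/

# Returns a hash of fields, or nil when the line does not match the pattern.
def parse_syslog(line, pattern = TOLERANT)
  m = pattern.match(line.strip)
  return nil unless m

  pri = m[:pri].to_i
  {
    facility:  pri / 8,          # PRI = facility * 8 + severity
    severity:  pri % 8,
    timestamp: m[:timestamp],
    host:      m[:host],
    program:   m[:program],
    pid:       m[:pid]&.to_i,    # nil when the line carries no [pid]
    message:   m[:message].to_s  # "" when the line ends at the colon
  }
end

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |name, line|
    strict = parse_syslog(line, STRICT) ? 'parsed' : 'FAILED'
    puts "#{name}: strict=#{strict} tolerant=#{parse_syslog(line).inspect}"
  end
end
```

Lines that fail to parse lose their `program` and severity fields, so any alerting or filtering keyed on those fields silently skips them.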