Answer (1)

You are probably missing parse_syslog() but it is hard to tell without seeing the actual config.

If the $Message field is not present - which is populated by parse_syslog() - then to_syslog_bsd() will use $raw_event. I assume this is why a new header is added.
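An added illustration of the arrangement the answer describes, not the asker's configuration and not part of the original answer: a minimal NXLog relay in which parse_syslog() runs on input so that to_syslog_bsd() builds its header from parsed fields rather than from $raw_event. The instance names, listen address, port and destination address (192.0.2.10) are assumptions.

```conf
# Added example; instance names, addresses and ports are assumed values.

# parse_syslog() and to_syslog_bsd() are provided by the xm_syslog extension.
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in_syslog>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    # Populates $Message (along with the other parsed syslog fields) from the
    # received line. If this Exec is omitted, $Message is not present when the
    # event reaches the output.
    Exec    parse_syslog();
</Input>

<Output out_syslog>
    Module  om_udp
    Host    192.0.2.10
    Port    514
    # With $Message present, the new header is followed by the message text
    # only. Without it, to_syslog_bsd() uses $raw_event, which still carries
    # the original header, so the forwarded line ends up with two headers.
    Exec    to_syslog_bsd();
</Output>

<Route relay>
    Path    in_syslog => out_syslog
</Route>
```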