In AbstractEventUtil, there's a bit of code that checks for whitespace in a potential replacement parameter. Unfortunately, the regex used does not enable the DOTALL flag, so if you've got something like a Cisco syslog message that often contains '%' signs in them it'll find something like
as a potential param. Clearly this isn't meant to be a parameter. Changing the regex to DOTALL mode seems to fix this.