I am wondering how syslog-ng validates that the header is in the correct format (pri, timestamp, hostname). Does it use regular expressions for this purpose?
No, it uses a handwritten parser for this purpose. It's in the syslogformat plugin in 3.3 and was in logmsg.c earlier.
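
To illustrate the kind of handwritten parser the reply refers to, here is an added example (not syslog-ng's code and not part of the original thread) that validates a header field by field with explicit bounds and no regular expressions. It assumes the legacy BSD layout `<PRI>Mmm dd hh:mm:ss HOSTNAME ` from RFC 3164; the names `syslog_hdr`, `rd_num`, `eat` and `parse_bsd_header`, the return codes, and the accepted hostname character set are choices made for this example.

```c
#include <ctype.h>
#include <string.h>

struct syslog_hdr { int facility, severity, month, day, hour, min, sec; char host[64]; };

/* Read between lo and hi decimal digits at *p, advancing it; -1 if too few. */
static int rd_num(const char **p, int lo, int hi) {
    int v = 0, n = 0;
    while (n < hi && isdigit((unsigned char)**p)) { v = v * 10 + (*(*p)++ - '0'); n++; }
    return n >= lo ? v : -1;
}
/* Consume one expected literal character; 1 if it was there, else 0. */
static int eat(const char **p, char c) { return **p == c ? ((*p)++, 1) : 0; }

/* Returns 0 on success; -1 bad PRI, -2 bad TIMESTAMP, -3 bad HOSTNAME. */
int parse_bsd_header(const char *s, struct syslog_hdr *h) {
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    const char *p = s;
    int pri, i, pad;
    size_t n = 0;

    /* PRI: '<', 1..3 digits, '>'; value 0..191 is facility * 8 + severity. */
    if (!eat(&p, '<')) return -1;
    pri = rd_num(&p, 1, 3);
    if (pri < 0 || pri > 191 || !eat(&p, '>')) return -1;
    h->facility = pri >> 3; h->severity = pri & 7;

    /* TIMESTAMP: "Mmm dd hh:mm:ss"; a one-digit day is space-padded. */
    for (i = 0; i < 12 && strncmp(p, months + 3 * i, 3) != 0; i++) continue;
    if (i == 12) return -2;
    p += 3; h->month = i + 1;
    if (!eat(&p, ' ')) return -2;
    pad = eat(&p, ' ');
    h->day = rd_num(&p, 2 - pad, 2 - pad);
    if (h->day < 1 || h->day > 31 || !eat(&p, ' ')) return -2;
    h->hour = rd_num(&p, 2, 2);
    if (h->hour < 0 || h->hour > 23 || !eat(&p, ':')) return -2;
    h->min = rd_num(&p, 2, 2);
    if (h->min < 0 || h->min > 59 || !eat(&p, ':')) return -2;
    h->sec = rd_num(&p, 2, 2);
    if (h->sec < 0 || h->sec > 59 || !eat(&p, ' ')) return -2;

    /* HOSTNAME: 1..63 letters, digits, '.', '-', '_' or ':', ended by a space
       (character set assumed for this example). */
    while (isalnum((unsigned char)p[n]) || (p[n] && strchr(".-_:", p[n]))) {
        if (n == sizeof h->host - 1) return -3;   /* too long: reject, never truncate */
        h->host[n] = p[n]; n++;
    }
    h->host[n] = '\0';
    return (n > 0 && p[n] == ' ') ? 0 : -3;
}
```

Every field is read with a fixed maximum width and range-checked before the next one is touched, so malformed or oversized input is rejected in a single forward pass.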