My manager wants me to set this up via syslog as it should be supported. I tried implementing the header but got nothing. When I talked to McAfee support, they said the header is not what determines the values of the log line. They said we would have to configure a rule to create the proper log line.
We tried to figure out what some of the values were supposed to be, but the tech got confused by what the documentation meant by event, or server name/server IP. Support mentioned that they had a CEF format but were not sure if that would work or not. Figured I would check to see if anyone has been successful at setting this up in their environments.
We have been having issues with MWG and SA as well. Worked OK in Envision (file reader) and Z connector; however, the same format sent via syslog does not parse: device.type='unknown'
I have managed to follow the docs to get an MWG log format to parse OK when sent via syslog; however, it is missing a ton of metadata. Things like alias.host, block codes, URI, user agent are all truncated and useless or missing. This is valuable metadata.
Message me if you want at least something that works barebones with syslog.
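Since the thread mentions a CEF option and complains about fields (host, URI, user agent, block codes) going missing after syslog transport, here is an added example, not from any post above or from McAfee or RSA, of a small syslog-wrapped CEF parser you can run against captured lines to see which fields actually survive before blaming the SIEM parser. It assumes the standard CEF layout (`CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension`) with the spec's `\|`, `\=` and `\\` escaping, and uses standard CEF extension key names (`dhost`, `request`, `requestClientApplication`, `act`, `cs1`). The sample line, host name, version numbers and field values are constructed for illustration; the actual keys MWG emits depend on the rule you configure on the gateway.

```python
"""Parse a syslog-framed CEF line and report which expected fields are missing."""
import re
from typing import Dict, List, Tuple

# Constructed sample: RFC 3164 syslog prefix wrapping a CEF record.
# Vendor/product strings, host, version and values are made up for this example.
SAMPLE_LINE = (
    "<134>Mar 10 12:34:56 mwg-proxy01 "
    "CEF:0|McAfee|Web Gateway|7.8|40001|Block by URL filter|5|"
    "rt=Mar 10 2020 12:34:56 src=10.1.2.3 suser=jdoe dhost=example.invalid "
    "request=http://example.invalid/path?q\\=1 "
    "requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) "
    "act=BLOCK cs1Label=BlockReason cs1=URL category blocked"
)

# <PRI>Mmm dd hh:mm:ss host message  (RFC 3164 framing)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)
# An extension key starts the string or follows whitespace and is followed by an
# unescaped '='; an escaped '\=' inside a value never matches because the key
# characters must be immediately followed by '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Fields the thread says are lost in transit; adjust to what your rule emits.
REQUIRED = ("dhost", "request", "requestClientApplication", "act")


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|'; the rest is the extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # '\|' or '\\' inside a header field
            buf.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    return fields, cef[i:]


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' -> newline."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 with spaces' into a dict; values run until the next key."""
    out: Dict[str, str] = {}
    keys = list(KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[start:end].strip())
    return out


def parse_syslog_cef(line: str) -> Dict[str, str]:
    """Parse one syslog line carrying a CEF record into a flat dict."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    header, ext = _split_header(m.group("msg"))
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("syslog payload is not a CEF record")
    rec = {
        "syslog_host": m.group("host"),
        "cef_version": header[0][len("CEF:"):],
        "vendor": header[1],
        "product": header[2],
        "device_version": header[3],
        "signature_id": header[4],
        "name": header[5],
        "severity": header[6],
    }
    rec.update(parse_extension(ext))
    return rec


def missing_fields(rec: Dict[str, str], required=REQUIRED) -> List[str]:
    """Return the expected keys that are absent or empty in a parsed record."""
    return [k for k in required if not rec.get(k)]


if __name__ == "__main__":
    record = parse_syslog_cef(SAMPLE_LINE)
    for key, value in record.items():
        print(f"{key:25} {value}")
    print("missing:", missing_fields(record) or "none")
```

Run it over a file of lines captured on the collector (for example with tcpdump or the collector's raw-log view) and compare the `missing:` output with what the SIEM shows: if the fields are present here but empty in SA, the problem is the parser mapping rather than the gateway rule or the syslog transport, and the reverse if they are already gone on the wire.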