You can take a look at this app and its documentation to see if that would help you meet your needs. It's a search-based approach to forward data via SYSLOG specifically built for 3rd-party SIEM integrations.
That aside: If you followed the documentation here and it didn't work for you, can you explain what issue you were experiencing? Maybe we can collectively get you on the right track.
We are now seeing traffic leave our Indexers when monitoring the interface via tcpdump . However RSA is not able to parse the data, even though the field mappings appear correct and in line with CEF standards template.
We suspect this may be because there is no priority value at the beginning of these events (which RSA needs apparently
From what I can see, the Splunk app for CEF configures the output.conf to use tcpout as the processor (instead of syslog). Could you confirm if this is correct and if so, would it be possible to change this to syslog?
Would really appreciate any help and support you can provide in this matter@ssievert