The Vormetric app includes the definitions for rfc5424_syslog so no other apps are required.
There is a test for valid rfc5424 format in the default/transforms.conf installed with the app, which looks like this:
[test_for_syslog]
REGEX = ^<\d+>[^1]
FORMAT = sourcetype::syslog
DEST_KEY = MetaData:Sourcetype
What this does is validate the syslog header against the definition, which you can see here:
http://tools.ietf.org/html/rfc5424
If the header doesn't match, this rule changes the format back to plain syslog, which may be what you are seeing.
How did you generate the RFC5424 format? Have you selected it in the server or agent log setup?
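As an added example (not part of the original answer or the app's own code), the Python sketch below runs the quoted REGEX over constructed sample lines to show which ones the transform would reset to `syslog`, next to a stricter header check written for this example from RFC 5424 section 6. It assumes the incoming sourcetype is `rfc5424_syslog` and that Python's `re` behaves like Splunk's PCRE for this pattern; the function names and sample lines are hypothetical.

```python
import re

# Pattern copied from the [test_for_syslog] stanza quoted above.
TEST_FOR_SYSLOG = re.compile(r"^<\d+>[^1]")

# Stricter check written for this example from the RFC 5424 header layout:
# PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
STRICT_5424 = re.compile(
    r"^<(\d{1,3})>[1-9]\d{0,2} "
    r"(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"\S{1,255} \S{1,48} \S{1,128} \S{1,32} "
)

def apply_transform(raw, sourcetype="rfc5424_syslog"):
    """Sourcetype after the transform: a regex match rewrites it to 'syslog'."""
    return "syslog" if TEST_FOR_SYSLOG.search(raw) else sourcetype

def strict_header_ok(raw):
    """True only if the full header parses and PRI is within 0..191."""
    m = STRICT_5424.match(raw)
    return bool(m) and int(m.group(1)) <= 191

# Constructed sample events (not taken from any real log).
SAMPLES = {
    "rfc5424": "<30>1 2024-05-01T12:00:00Z host1 agent 4321 ID1 - access denied",
    "bsd": "<30>May  1 12:00:00 host1 agent[4321]: access denied",
    "no_pri": "May  1 12:00:00 host1 agent: access denied",
    "version_only": "<30>1 May  1 12:00:00 host1 agent: access denied",
}

def classify(name):
    """Return (sourcetype after transform, strict header result) for a sample."""
    raw = SAMPLES[name]
    return apply_transform(raw), strict_header_ok(raw)

if __name__ == "__main__":
    for name in SAMPLES:
        st, ok = classify(name)
        print(f"{name:13} sourcetype={st:15} strict_rfc5424_header={ok}")
```

The `no_pri` and `version_only` samples keep the `rfc5424_syslog` sourcetype even though their headers do not parse, because the quoted pattern only looks at the character that follows the PRI field.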