I don't know how specific the actual requirements are (I doubt SOX is very specific). Some systems produce binary logs (e.g. Windows, Checkpoint), so "raw message" is not always as cut-and-dried as it seems. Most syslog and SNMP raw messages closely (exactly?) resemble the original message. Anything that is not syslog/SNMP is more suspect. Checkpoints are better, but still not the same as what I see using the Checkpoint tools, for example. The Cisco IPS devices now show up as XML and perhaps mirror exactly what was returned from the sensor. You'd want to carefully test every device you anticipate reporting into MARS.