You have three choices.
There is an ArcSight SmartConnector for MWG. Theoretically, that would handle the default access.log format that ships with the product.
You could send whatever to ArcSight and then use a script on your logging collector to manipulate the data into CEF format.
You could build your CEF line in the MWG log handler.
If you Google for "ArcSight common event format", that will bring back a bunch of links, including the ArcSight guide to CEF and how to format log lines.
That is 100% correct. But I can help a bit more.
The smart connector was created for MWG 6, and last I saw on the ArcSight site they hadn't updated the instructions. You could easily make MWG7 produce that format. If you want to use the connector and punch the raw logs over, that is the way to go.
However, if you want to do syslog and get realtime data, you need to go CEF and syslog.
Buyer beware, I would test on a non-production setup first, and keep in mind this is extremely chatty. If you generate 500 req/s, that's 500 events/s.
I have a CEF format previously, see link with instructions. You can modify to taste; depending on the ArcSight admin, I have seen directionality become a discussion point.
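A sketch of the collector-side script option mentioned in this thread, added here as an example and not code from any poster or from the vendor: it turns one access-log line into a CEF line with the header and extension escaping that CEF requires. The input layout, the vendor/product strings and the rule that status 403 means "blocked" are assumptions; adjust the regex to the log format actually configured.

```python
import re
from datetime import datetime

# Constructed sample in an ASSUMED layout (not the product's documented format):
# [time] "user" src_ip status "METHOD url PROTO" "category" bytes "block_reason"
SAMPLE = ('[10/Feb/2015:10:11:12 +0000] "corp\\jdoe" 10.1.2.3 403 '
          '"GET http://example.test/a?x=1|2 HTTP/1.1" "Malicious Sites" 512 '
          '"Blocked by URL filter"')

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<user>[^"]*)" (?P<src>\S+) (?P<status>\d{3}) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" "(?P<cat>[^"]*)" '
    r'(?P<bytes>\d+) "(?P<reason>[^"]*)"$')

def esc_header(value):
    """CEF header field: no line breaks; escape backslash, then pipe."""
    text = re.sub(r"[\r\n]+", " ", str(value))
    return text.replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """CEF extension value: escape backslash and '=', encode line breaks as \\n."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return re.sub(r"\r\n|\r|\n", r"\\n", text)

def to_cef(line, vendor="ExampleVendor", product="WebGateway", version="0"):
    """Return a CEF:0 line, or None when the input does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # caller should count or forward these raw, never drop silently
    f = m.groupdict()
    try:  # rt (receipt time) is sent as epoch milliseconds
        rt = int(datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp() * 1000)
    except ValueError:
        return None
    blocked = f["status"] == "403"  # assumption: 403 is the block response
    header = [vendor, product, version, f["status"],
              f["reason"] or "Web request", "6" if blocked else "2"]
    ext = {"rt": rt, "src": f["src"], "suser": f["user"],
           "requestMethod": f["method"], "request": f["url"], "app": f["proto"],
           "cat": f["cat"], "out": f["bytes"],
           "act": "blocked" if blocked else "allowed"}
    pairs = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items() if v != "")
    return "CEF:0|" + "|".join(esc_header(h) for h in header) + "|" + pairs

if __name__ == "__main__":
    print(to_cef(SAMPLE))
```

Unescaped `|` in a header field or `=` in a URL is the usual reason a SIEM misparses hand-built CEF, which is why the two escape functions are kept separate.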
Do not use the ArcSight connector!
It messes with the MWG's ability to rotate and delete its logs!
Syslog is the cleanest, easiest, and most supported route to go.
I would prefer to not send over the user-defined access logs since we are sending those to CSR, but I thought I saw someone write a rule to send the Web Gateway's audit log to a SIEM like ArcSight or Nitro.