First, you can configure your Brightmail to use a syslog server: http://www.symantec.com/business/support/index?page=content&id=TECH93637
Then you can try to use Auto Learn mode to find out whether the ESM can recognize the Brightmail logs - I guess that the events can be recognized as something like Unix\Linux.
And next - if the results aren't satisfactory, you can write your own parser rules in the policy editor.
You can also create a new PER on the following webpage: https://mcafee.acceptondemand.com - remember about the log examples, which should be attached to the PER.
Actually, I am a bit surprised to see that McAfee SIEM doesn't have normalization rules written for it, since this product has been around for a long time. I wonder if there is a specific reason for that. BTW, at http://www.symantec.com/business/support/index?page=content&id=DOC5740&key=53991&actp=LIST there is a PDF that contains all definitions for Brightmail syslog. But of course we need a PER for that.