My colleague is having trouble with parsing as well. We have an application running on a Windows box sending its logs in the same syslog stream as snare.
He ran a sendunknown_messages and used the unx file in ESI to parse the logs. Yet again, ESI parses fine, but enVision doesn't seem to parse. The device was also typed as a multidevice, so he made a new event source, but that didn't help either. Again, the ESI scheme is the same as the enVision scheme; they have had the same ESU installed.
Are more people experiencing these issues, and could you check what's wrong?