Sorry, I missed this little note above:
After i change to stream mode then SIEM not received log from SRX.
But using Junos Space Log Collector no issue.
I would do a packet capture on the SIEM or the switch port span right before the SIEM to verify the log data is reaching the server. And I suspect there is either a host setup to accept the logs missing or a log format issue. Although most SIEM I've seen accept Structured Data syslog.
Another possibility is some kind of bug related to the SIEM and Junos version. So a quick search of the PR database for your SIEM vendor and Junos version could see if one exists already.