The way I'm understanding the issue is the data is coming inbound to the ERC, which could be verified by tcpdump, but the data isn't making it to the ESM.
As an alternate potential parsing issue from the comment above - I would also suggest making sure data isn't stuck in the folder waiting to be picked up and parsed by the receivers. I've run into issues in the past where the data is coming in, but is just sitting in the folder allocated to the data source after altering a rule.
All you need to do is check the folder under "/var/log/data/inline/thirdparty.logs/###/" in a receiver, where ### is the VIPS ID assigned to the data source. Go down the file hierarchy from here and look into the "in" folder. If there are a bunch of files starting with "data" followed by numbers, you may need to roll out a policy update on the receivers to get them moving.
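The folder check described in the post above, as an added shell example that is not part of the original post or any vendor tooling. The function names, the 10-minute staleness threshold, and the use of `find` to locate the "in" folder at whatever depth it sits are assumptions; the root path is the one quoted in the post.

```shell
#!/bin/sh
# Added example: look for parser input files piling up for one data source.
# Root path as quoted in the post; the receiver layout below it is not assumed.
ROOT_DEFAULT="/var/log/data/inline/thirdparty.logs"

# list_stuck ROOT VIPS_ID [MINUTES]
# Prints files named data<digits...> that sit in any "in" directory below the
# data source's folder and have not been modified for more than MINUTES
# (assumed default: 10). Files still being written are therefore skipped.
list_stuck() {
    root=$1; id=$2; mins=${3:-10}
    dir="$root/$id"
    if [ ! -d "$dir" ]; then
        echo "no such data source folder: $dir" >&2
        return 2
    fi
    find "$dir" -type f -path '*/in/*' -name 'data[0-9]*' \
        -mmin "+$mins" 2>/dev/null | sort
}

# count_stuck ROOT VIPS_ID [MINUTES]
# Prints the number of stuck files; returns 2 if the folder is missing.
count_stuck() {
    out=$(list_stuck "$@") || return $?
    if [ -z "$out" ]; then
        echo 0
    else
        printf '%s\n' "$out" | wc -l | tr -d ' '
    fi
}

# Direct use on a receiver: sh check_stuck.sh <VIPS_ID> [minutes]
if [ "$#" -ge 1 ]; then
    n=$(count_stuck "$ROOT_DEFAULT" "$1" "${2:-10}") || exit 2
    echo "$n stuck file(s) under $ROOT_DEFAULT/$1"
    if [ "$n" -gt 0 ]; then
        list_stuck "$ROOT_DEFAULT" "$1" "${2:-10}"
    fi
fi
```

A non-zero count that keeps growing between runs matches the situation the post describes, where files arrive but are not picked up by the parser.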