The way I'm understanding the issue is the data is coming inbound to the ERC, which could be verified by tcpdump, but the data isn't making it to the ESM.
As an alternate potential parsing issue from the comment above - I would also suggest making sure data isn't stuck in the folder waiting to be picked up and parsed by the receivers. I've run into issues in the past where the data is coming in, but is just sitting in the folder allocated to the data source after altering a rule.
All you need to do is check the folder under "/var/log/data/inline/thirdparty.logs/###/" in a receiver, where ### is the VIPS ID assigned to the data source. Go down the file hierarchy from here and look into the "in" folder. If there are a bunch of files starting with "data" followed by numbers, you may need to roll out a policy update on the receivers to get them moving.
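One way to script the folder check described in the post above. This is an added example, not part of the original post or any vendor tooling. The function name and the 15-minute age threshold are assumptions, and ### stays a placeholder for the data source's VIPS ID.

```shell
#!/bin/sh
# Added example (hypothetical helper): report "in" folders under a data source
# directory that still hold data<digits> files older than a chosen age.
#
# Usage on a receiver (replace ### with the data source's VIPS ID):
#   check_backlog "/var/log/data/inline/thirdparty.logs/###" 15
#
# Exit status: 0 = nothing waiting, 1 = files waiting, 2 = folder missing.

check_backlog() {
    base=$1
    min_age=${2:-15}   # minutes; assumed threshold so files that just arrived are ignored
    total=0

    [ -d "$base" ] || { echo "no such folder: $base" >&2; return 2; }

    # The post does not say how deep the "in" folder sits, so search for it.
    list=$(mktemp) || return 2
    find "$base" -type d -name in > "$list"

    while IFS= read -r dir; do
        # Count only regular files named data<digits>... directly inside "in".
        n=$(find "$dir" -maxdepth 1 -type f -name 'data[0-9]*' \
                -mmin "+$min_age" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "$n waiting: $dir"
        fi
        total=$((total + n))
    done < "$list"
    rm -f "$list"

    # Succeed only when no aged files were found in any "in" folder.
    [ "$total" -eq 0 ]
}
```

Files that keep appearing in the output across several runs are the ones sitting unparsed; files that show up once and are gone on the next run are being picked up normally.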