You need to add the IP address of the device sending you the syslogs to your Data Source configuration.
If your switch is configured to use AAA through an ACS Server, most of the data about what happens on the switch will be logged through that device.
Typically we get between 500-1000 events per day from all of our Cisco IOS devices, with a few spikes up into the 2-3,000 range - the majority of the events are unknown.
Thanks rth67, appreciate your response. We were trying to get away from using an actual device (IP) as our parent data source. Our IP is defined on the client and we have received logs with this configuration in the past, and this configuration currently works for other data sources. We also have ACS logs coming in, but in order to achieve compliance we really need authentication successes and failures to log directly from the device.
Just to provide an update, we are seeing this issue with multiple data sources now. I have tried as suggested above and created a parent data source with no children and we're still experiencing the issue (tcpdump, reviewed the in, same results). I have a case opened, so hoping support will help us in resolving the issue.