Which operating system (including its version) are you using for hosting SC4S?
Ubuntu 22.04.4 LTS Jammy Jellyfish
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S?
Docker Engine 26.1.3
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
I don't have a pcap, but I'm attaching the _raw events as shown in Splunk after indexing.
Is the issue related to the environment of the customer or Software related issue?
It's a parsing error.
Last chance index/Fallback index?
Events end up in lastchanceindex because they are not sourcetyped correctly and there is no index defined for the misinterpreted sourcetype.
Is the issue related to local customization?
No
Do we have all the default indexes created?
No
Describe the bug
We have been ingesting VMware logs for more than a week now, on the default port UDP 514. Our env_file is pretty standard:
# vmWare integration config
SC4S_USE_NAME_CACHE=yes
SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG=yes
# This line IS commented
#SC4S_USE_VPS_CACHE=yes
Some of those logs (around 40k events/hour) match the rule program("vpxa" ... defined in the vmware_vsphere parser. Over the last week, we had 7 events that clearly belong to vpxa falling into lastchanceindex under the sourcetype thales:vormetric.
To Reproduce
We're including a sample of the mismatched events (sourcetype thales:vormetric) and the correctly ingested events (sourcetype vmware:esxlog:vpxa).
mismatched-thales_vormetric.txt
correct-vmware_esxlog.txt
No big differences so far, but there was a mismatch.
What is the sc4s version?
3.33.1
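A small replay and triage helper for the "To Reproduce" step above, added here as an example; it is not part of the original report or of the SC4S project. It checks whether each sample line still carries the syslog header (PRI, timestamp, host, program) that a syslog-ng program("vpxa") filter would look at, buckets the lines accordingly, and can resend them as UDP datagrams to an SC4S listener. SC4S_HOST and SC4S_PORT are hypothetical names, the two sample lines are constructed stand-ins for the attached files, and the case-insensitive program comparison is an approximation of the SC4S rule, not its actual definition.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical target; replace with the SC4S host actually in use.
SC4S_HOST = "sc4s.example.org"
SC4S_PORT = 514

# Constructed stand-ins for the attached sample files (not the real attachments):
# one ESXi vpxa line with a full syslog header, and one line whose header is
# already gone, as Splunk's _raw may show it after indexing.
SAMPLE_EVENTS: List[str] = [
    "<166>2024-05-20T10:15:42.123Z esx01.example.org Vpxa: verbose vpxa[2099897] "
    "[Originator@6876 sub=vpxLro opID=k3l22s8p-1234] [VpxLRO] -- BEGIN lro-1 -- "
    "vpxa -- vpxapi.VpxaService.fetchQuickStats",
    "verbose vpxa[2099897] [Originator@6876 sub=VpxaHalCnxHostagent] "
    "[WaitForUpdatesDone] Received callback",
]

# PRI, an RFC 5424-style timestamp, a host, and a program tag ending in ':'
# (the shape ESXi emits). The optional [pid] after the program is captured.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class SyslogHeader:
    facility: int
    severity: int
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    message: str


def parse_header(line: str) -> Optional[SyslogHeader]:
    """Return the header fields, or None when the line carries no syslog header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return SyslogHeader(
        facility=pri >> 3,          # PRI = facility * 8 + severity
        severity=pri & 0x7,
        timestamp=m.group("ts"),
        host=m.group("host"),
        program=m.group("program"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        message=m.group("msg"),
    )


def matches_program(line: str, name: str) -> bool:
    """Approximate a syslog-ng program("name") filter as a case-insensitive
    comparison on the parsed program field (assumption: SC4S's rule may differ)."""
    hdr = parse_header(line)
    return hdr is not None and hdr.program.lower() == name.lower()


def triage(lines: Iterable[str], name: str = "vpxa") -> dict:
    """Bucket lines by whether a program(name) rule could even see them."""
    out = {"matched": [], "other_program": [], "no_header": []}
    for line in lines:
        hdr = parse_header(line)
        if hdr is None:
            out["no_header"].append(line)
        elif hdr.program.lower() == name.lower():
            out["matched"].append(line)
        else:
            out["other_program"].append(line)
    return out


def replay(lines: Iterable[str], host: str = SC4S_HOST, port: int = SC4S_PORT) -> int:
    """Send each line as one UDP datagram, prepending the RFC 3164 default PRI
    <13> (user.notice) when a line has none. Returns the number of datagrams sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            if not line.startswith("<"):
                line = "<13>" + line
            s.sendto(line.encode("utf-8", "replace"), (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVENTS).items():
        print(f"{bucket}: {len(items)}")
    # replay(SAMPLE_EVENTS)  # uncomment to send the lines to the SC4S listener
```

Run it over the real attachment contents (one event per line) instead of SAMPLE_EVENTS. Lines that land in the no_header bucket no longer carry the PRI/host/program header, so their indexed _raw cannot show what the program() filter compared on the wire; for those a pcap of the UDP 514 traffic is the only way to see the original datagram.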