1. Cloud Proxy (CP) logs are forwarded to a syslog server, which then forwards them to Splunk.
2. Older events are showing up as new events in Splunk.
3. In Splunk, the eventTimestamp for all logs related to the affected CP is not current; it is ~10 days in the past.
Aria Operations 8.18.x
In some cases, systemd replays events already in the journal when the appliance is booted. The old log entries are then sent to the syslog destination as if they were current, but they still carry their old timestamps.
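The replay described above can be recognised on the receiving side by comparing each event's own timestamp with the time the collector accepted it. The following is an added example, not Broadcom or Splunk code. The record layout, the `host` and `received` field names, the sample data and the one-hour tolerance are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real Cloud Proxy output. "received" is the
# time the collector accepted the line (assumed field name); "eventTimestamp"
# is the time carried inside the event itself.
SAMPLE = [
    {"host": "cp-01", "eventTimestamp": "2025-03-01T09:14:58+00:00", "received": "2025-03-11T09:15:00+00:00"},
    {"host": "cp-01", "eventTimestamp": "2025-03-01T09:14:59+00:00", "received": "2025-03-11T09:15:00+00:00"},
    {"host": "cp-01", "eventTimestamp": "2025-03-11T09:15:30+00:00", "received": "2025-03-11T09:15:31+00:00"},
    {"host": "cp-02", "eventTimestamp": "2025-03-11T09:15:10+00:00", "received": "2025-03-11T09:15:12+00:00"},
    {"host": "cp-02", "eventTimestamp": "not-a-date", "received": "2025-03-11T09:15:13+00:00"},
]

MAX_LAG = timedelta(hours=1)  # assumed tolerance for normal forwarding delay


def find_replayed(records, max_lag=MAX_LAG):
    """Summarise, per host, events whose own timestamp lags receipt by more than max_lag."""
    stale = defaultdict(list)
    for rec in records:
        try:
            event_ts = datetime.fromisoformat(rec["eventTimestamp"])
            recv_ts = datetime.fromisoformat(rec["received"])
            lag = recv_ts - event_ts
        except (KeyError, ValueError, TypeError):
            continue  # missing, malformed, or naive/aware-mixed timestamps
        if lag > max_lag:
            stale[rec["host"]].append((recv_ts, lag))

    report = {}
    for host, hits in stale.items():
        report[host] = {
            "count": len(hits),
            # Earliest arrival of stale events: a likely time of the reboot.
            "first_received": min(r for r, _ in hits).isoformat(),
            "max_lag_days": round(max(l for _, l in hits).total_seconds() / 86400, 1),
        }
    return report


if __name__ == "__main__":
    for host, summary in find_replayed(SAMPLE).items():
        print(host, summary)
```

A burst of stale events from one host that all arrive at nearly the same moment points to a journal replay at boot rather than to clock drift or a delayed forwarder.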
This is not a supported configuration, as Broadcom does not support any modifications or customizations to the underlying operating system and packages included in a VMware-branded virtual appliance. Please see more details in VMware Virtual Appliances and customizations to operating system and included packages.
To forward logs in a supported fashion, use the liagent, which can also be configured to forward to syslog. Please see more details in Manually install the VMware Aria Operations for Logs agent on a VMware Aria Operations Cloud Proxy.