When forwarding logs from a vCenter Server Appliance (VCSA) to a Security Information and Event Management (SIEM) system in Common Event Format (CEF), users observe inconsistent Header information:
vCenter Login Events: Display full Vendor and Product information (e.g., CEF:0|VMware|ESX|...|vpxd).
SSH/System Events: Display empty Header fields (e.g., CEF:0|||||).
VMware vCenter Server Appliance (VCSA)
The discrepancy is caused by the multi-layered architecture of the VCSA and how different services generate logs:
vpxd Service (Application Layer): The vpxd (VirtualCenter Server) service is a native VMware application. It is programmed to generate CEF-compliant logs that explicitly include the "VMware" vendor and "vCenter/ESX" product tags in the header.
sshd Service (Operating System Layer): The sshd (OpenSSH) service is a standard system daemon running directly on the underlying Photon OS. These system services generate standard Linux audit/message logs. When the vCenter syslog forwarder encapsulates these OS-level events into a CEF wrapper, it does not have the application-specific metadata (Vendor/Product) to populate the header fields.
This behavior is by design and reflects the native log-handling mechanism of the vCenter appliance. It is not a configuration error.
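Because the empty header is expected, a collector or SIEM parser can tolerate it and label the OS-layer events itself instead of dropping them. The following is an added example, not VMware code: the function names, the FALLBACK labels and the sample lines are assumptions constructed for illustration, and only the Vendor/Product positions are taken from the examples above.

```python
# CEF header layout: CEF:Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# Hypothetical local labels for OS-layer events; pick values your SIEM parser expects.
FALLBACK = {"vendor": "VMware", "product": "VCSA-PhotonOS"}

def parse_cef(line):
    """Parse a CEF header, tolerating empty or truncated fields. None if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):  # escaped pipe or backslash
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    extension = body[i:] if len(fields) == len(HEADER_FIELDS) else ""
    if len(fields) < len(HEADER_FIELDS):  # header ended early: keep the partial field
        fields.append("".join(cur))
    fields += [""] * (len(HEADER_FIELDS) - len(fields))
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["extension"] = extension
    return rec

def classify(line):
    """Tag the event's origin layer and fill empty Vendor/Product with FALLBACK."""
    rec = parse_cef(line)
    if rec is None:
        return None
    populated = bool(rec["vendor"] and rec["product"])
    rec["layer"] = "application" if populated else "os"
    rec["header_enriched"] = not populated  # keep a trace that the header was edited
    if not populated:
        rec.update({k: rec[k] or v for k, v in FALLBACK.items()})
    return rec

# Constructed sample lines (syslog prefix, field values and extensions are made up).
SAMPLES = [
    "<14>Jan 10 10:00:00 vcsa01 CEF:0|VMware|ESX|8.0|vpxd|UserLoginSessionEvent|3|suser=admin",
    "<38>Jan 10 10:00:05 vcsa01 CEF:0|||||||msg=Accepted publickey for root",
]
```

Calling classify() on each line returns a dict whose layer and header_enriched keys show which events came from the OS layer and had their header filled in locally.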