Device Vendor = IBM / Device Product AIX Audit

Hello guys,

I would need your help for a situation we recently observed.
For the same device, we observe two different Device Vendors, but the format of the logs is almost the same.
Here are the raw logs:

<86>May 13 10:20:00 BFBFEIGAAPZP01 sshd[2219]: Invalid user PayX from 172.20.77.54  // Device Vendor = Unix / Device Product Unix
<86>May 13 10:20:02 BFBFEIGAAPZP01 sshd[2221]: Failed password for invalid user PayX from 172.21.77.54 port 39862 ssh2  // Device Vendor = IBM / Device Product AIX Audit
<86>May 13 10:08:39 BFBFEIGAAPZP01 sshd[2063]: Accepted password for maah from 172.25.1.16 port 41610 ssh2  // Device Vendor = Unix / Device Product Unix
<86>May 13 10:00:11 ousdp08b sshd[10589]: Accepted publickey for npiuser from 172.25.28.245 port 53562 ssh2: RSA SHA256:JCaBff2+9hetWjmnpXfrz4pJSP6D9YwSP85fC9yW2BA  // Device Vendor = IBM / Device Product AIX Audit


Do you know why we're getting these different Device Products for the same type of log? I mean for the Unix format?
I noticed it across different connectors at each of the affiliates.
Can you help?

All of our correlation rules are based on the Device Vendor Unix. That's why I need to know if it's a new Device Vendor we need to consider from now on.

Regards,

Marty

  • 0  

    Hi Marty, I just took a look at the AIX Audit parser and I don't see that those logs you have would match that parser. So I'm not exactly sure why it would come up with that Device Vendor and Product. Something you might be able to try is to set a customsubagent list in the agent.properties to remove the AIX subagent if you're not using it otherwise, and set the connector to use the customsubagentlist. Also, you might check if you have any parser overrides set up on these connectors. Otherwise you might want to open up a support case to have them help investigate why it seems to be coming up as AIX Audit instead of Unix.

  • 0

    AIX and Unix have the "widest" regex, so sometimes logs match the AIX parser when they should not.

    KR

    A
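
As an added illustration, not code from Marty, the repliers, or the ArcSight connector: a small normalizer for the sshd syslog lines quoted in the original post. It shows that all four lines, whichever Device Vendor label the connector attached, reduce to the same fields, so a correlation rule keyed on the normalized outcome and source address does not depend on the vendor label. The patterns generalize slightly beyond the samples ("Failed password" for a valid user is also accepted); the `SAMPLE_LINES` list is a constructed copy of the thread's lines with their labels.

```python
import re
from collections import Counter

# Constructed copies of the four lines from the original post, paired with
# the Device Vendor label the connector assigned to each.
SAMPLE_LINES = [
    ("Unix", "<86>May 13 10:20:00 BFBFEIGAAPZP01 sshd[2219]: Invalid user PayX from 172.20.77.54"),
    ("IBM", "<86>May 13 10:20:02 BFBFEIGAAPZP01 sshd[2221]: Failed password for invalid user PayX from 172.21.77.54 port 39862 ssh2"),
    ("Unix", "<86>May 13 10:08:39 BFBFEIGAAPZP01 sshd[2063]: Accepted password for maah from 172.25.1.16 port 41610 ssh2"),
    ("IBM", "<86>May 13 10:00:11 ousdp08b sshd[10589]: Accepted publickey for npiuser from 172.25.28.245 port 53562 ssh2: RSA SHA256:JCaBff2+9hetWjmnpXfrz4pJSP6D9YwSP85fC9yW2BA"),
]

# Syslog envelope as it appears in the thread: <PRI>Mon dd HH:MM:SS host prog[pid]: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# sshd message bodies, anchored at the start so trailing key fingerprints are ignored.
SSHD_PATTERNS = [
    ("accepted", re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)")),
    ("failed_auth", re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>[\d.]+)")),
]


def normalize(line):
    """Return a vendor-independent event dict for an sshd line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    for outcome, pat in SSHD_PATTERNS:
        s = pat.match(m.group("msg"))
        if s:
            port = s.groupdict().get("port")
            return {"host": m.group("host"), "outcome": outcome,
                    "user": s.group("user"), "src": s.group("src"),
                    "port": int(port) if port else None}
    return None


def failed_auths_by_source(lines):
    """Count failed or invalid-user logon attempts per source address, ignoring vendor labels."""
    counts = Counter()
    for line in lines:
        ev = normalize(line)
        if ev and ev["outcome"] in ("failed_auth", "invalid_user"):
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for vendor, line in SAMPLE_LINES:
        print(vendor, normalize(line))
    print(failed_auths_by_source([line for _, line in SAMPLE_LINES]))
```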