Hello guys,
I need your help with a situation we recently observed.
For the same device, we observe two different Device Vendor values, but the format of the logs is almost the same.
Here are the raw logs:
<86>May 13 10:20:00 BFBFEIGAAPZP01 sshd[2219]: Invalid user PayX from 172.20.77.54 //Device Vendor = Unix / Device Product Unix
<86>May 13 10:20:02 BFBFEIGAAPZP01 sshd[2221]: Failed password for invalid user PayX from 172.21.77.54 port 39862 ssh2 //Device Vendor = IBM / Device Product AIX Audit
<86>May 13 10:08:39 BFBFEIGAAPZP01 sshd[2063]: Accepted password for maah from 172.25.1.16 port 41610 ssh2 //Device Vendor = Unix / Device Product Unix
<86>May 13 10:00:11 ousdp08b sshd[10589]: Accepted publickey for npiuser from 172.25.28.245 port 53562 ssh2: RSA SHA256:JCaBff2+9hetWjmnpXfrz4pJSP6D9YwSP85fC9yW2BA // Device Vendor = IBM / Device Product AIX Audit
Do you know why we're getting these different Device Product values for the same type of log? I mean for the Unix format?
I noticed it across different connectors at each of the affiliates.
Can you help?
All of our correlation rules are based on the Device Vendor Unix. That's why I need to know if it's a new Device Vendor we need to consider from now on.
Regards,
Marty
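The four raw lines in the post carry the same facility/severity, host, process and message fields regardless of which Device Vendor / Device Product the connector assigned to them. The following Python parser is an added example, not code from the poster or from any connector vendor: it assumes nothing about the connector and works only from the syslog text itself, parsing the PRI value, header and sshd message into fields and counting failed or invalid-user logons per source address. The sample input is the four lines from the post with the poster's "//Device Vendor" annotations removed; the field names (outcome, src, method) are my own naming, not any product's schema. A rule keyed on fields like these keeps matching whether the connector labels the source Unix or IBM.

```python
import re
from collections import Counter

# The four lines quoted in the post, with the poster's "//Device Vendor" notes stripped.
SAMPLE_LINES = [
    "<86>May 13 10:20:00 BFBFEIGAAPZP01 sshd[2219]: Invalid user PayX from 172.20.77.54",
    "<86>May 13 10:20:02 BFBFEIGAAPZP01 sshd[2221]: Failed password for invalid user PayX from 172.21.77.54 port 39862 ssh2",
    "<86>May 13 10:08:39 BFBFEIGAAPZP01 sshd[2063]: Accepted password for maah from 172.25.1.16 port 41610 ssh2",
    "<86>May 13 10:00:11 ousdp08b sshd[10589]: Accepted publickey for npiuser from 172.25.28.245 port 53562 ssh2: RSA SHA256:JCaBff2+9hetWjmnpXfrz4pJSP6D9YwSP85fC9yW2BA",
]

# Classic BSD syslog layout: <PRI>Mon DD hh:mm:ss host process[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# sshd message shapes seen in the post; order matters, first match wins.
MSG_PATTERNS = [
    ("accepted", re.compile(
        r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2")),
    ("failed", re.compile(
        r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2")),
    ("invalid_user", re.compile(
        r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")),
]


def parse_sshd_line(line):
    """Parse one syslog line; returns a dict of fields, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = {
        "facility": pri // 8,          # 86 -> 10 (authpriv)
        "severity": pri % 8,           # 86 -> 6 (informational)
        "timestamp": m["ts"],
        "host": m["host"],
        "process": m["proc"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "outcome": "other",
        "user": None,
        "src": None,
        "port": None,
        "method": None,
        "invalid_user": "invalid user" in m["msg"].lower(),
    }
    if m["proc"] != "sshd":
        return event
    for outcome, pat in MSG_PATTERNS:
        mm = pat.match(m["msg"])
        if mm:
            groups = mm.groupdict()
            event["outcome"] = outcome
            event["user"] = groups.get("user")
            event["src"] = groups.get("src")
            event["method"] = groups.get("method")
            event["port"] = int(groups["port"]) if groups.get("port") else None
            break
    return event


def failures_by_source(lines):
    """Count failed and invalid-user SSH logons per source address, keyed on content only."""
    counts = Counter()
    for line in lines:
        ev = parse_sshd_line(line)
        if ev and ev["process"] == "sshd" and ev["outcome"] in ("failed", "invalid_user"):
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_sshd_line(line)
        print(ev["host"], ev["outcome"], ev["user"], ev["src"], ev["port"], ev["method"])
    print(failures_by_source(SAMPLE_LINES))
```

The parser ignores the connector's vendor label entirely and keys on the process name and message shape, which is what stays constant across the lines in the post. If the rules must stay on Device Vendor, the same counting logic shows which events a "Unix"-only filter would drop.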