First off, the numbers look like Unix Epoch Seconds.
Epoch Converter - Unix Timestamp Converter
1491920600000 = Tuesday, April 11, 2017 2:23:20 PM GMT
First problem: it looks like something in the network (assuming this is a recent problem) thinks it's April.
Second problem: somehow, the "Detection Time" field is getting normalized as a "Detection IP." LEM is seeing these new "IPs" and adding nodes for them.
I'm gonna guess there's one of two things happening:
- You have a syslog device sending data to LEM and that data is getting parsed with the wrong connectors, so LEM thinks an IP is supposed to be where the TIME is showing up. Updating the connectors and reviewing the connectors you have configured on the LEM appliance would be a good plan of action. You probably have connectors you don't need running, so that could be part of the issue.
- You have a rule configured somewhere that has "DetectionTime" in a "DetectionIP" field. If you go to your Monitor tab and look at the "Rule Activity" filter, what's going on there? Maybe check recently fired rules and make sure that all the fields match up correctly.
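
The check described in the reply above, as an added example that is not part of the original post and is not LEM code: it scans normalized events for `DetectionIP` values that are not IP addresses and decodes the ones that look like epoch timestamps, so the connector that produced them can be identified. The event layout, the `Connector` field and every sample value except 1491920600000 are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample events. "Connector" is a hypothetical field name used
# here to show which parser produced the record.
SAMPLE_EVENTS = [
    {"DetectionIP": "10.1.4.22", "Connector": "fw-syslog"},
    {"DetectionIP": "1491920600000", "Connector": "fw-syslog"},
    {"DetectionIP": "1491920600", "Connector": "switch-syslog"},
    {"DetectionIP": "not-an-ip", "Connector": "switch-syslog"},
]

def is_ip(value: str) -> bool:
    """True only for a textual IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def decode_epoch(value: str):
    """Return an ISO-8601 UTC string if value looks like epoch time, else None.

    10 digits are treated as seconds, 13 digits as milliseconds.
    """
    if not value.isdigit() or len(value) not in (10, 13):
        return None
    seconds = int(value) / 1000 if len(value) == 13 else int(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()

def audit(events):
    """List (index, connector, raw value, decoded time) for bad DetectionIP values."""
    findings = []
    for i, event in enumerate(events):
        raw = str(event.get("DetectionIP", ""))
        if not is_ip(raw):
            findings.append((i, event.get("Connector"), raw, decode_epoch(raw)))
    return findings

if __name__ == "__main__":
    for index, connector, raw, decoded in audit(SAMPLE_EVENTS):
        note = f"timestamp {decoded}" if decoded else "not an IP, not a timestamp"
        print(f"event {index} via {connector}: DetectionIP={raw!r} -> {note}")
```

Grouping the findings by connector shows whether one misapplied parser accounts for all of the bogus nodes.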