We are using Telegraf on our production servers (Linux & Windows OS) to collect metrics and send them to InfluxDB.
We are also monitoring our production servers for security breaches or any other suspicious activity.
We encountered a security issue in which the Telegraf user opened & closed an “su” session on a production server.
Is this behavior normal? Why would the Telegraf user open & close these kinds of sessions?
More information would be appreciated & helpful.