Telegraf agent opening & closing "su" sessions in Linux machines

Dudu · June 3, 2017, 4:21am

We are using Telegraf in our production servers (Linux & Windows OS) to collect metrics and send them to InfluxDB.
We are also monitoring our production servers for security breaches or any other suspicious activity.

We encountered a security issue in which the Telegraf user opened & closed an “su” session in a production server.
Is this behavior normal ? Why would the Telegraf user open & close these kind of sessions ?

More information would be grateful & helpful.

daniel · June 5, 2017, 5:47pm

There are some input plugins that use sudo, dmcache and iptables come to mind but there might be others.

Topic		Replies	Views
Telegraf broken after update? Telegraf telegraf	5	525	February 11, 2022
Issue monitoring host procstat from a docker instance Telegraf influxdb , telegraf , docker	6	1649	July 12, 2023
Telegraf goes down	20	1046	May 14, 2020
Telegraf is not collecting the nginx access.logs Telegraf telegraf	1	706	November 30, 2018
Telegraf failed to start? Telegraf	3	10770	August 23, 2021

Telegraf agent opening & closing "su" sessions in Linux machines

Related Topics