Linux and Mac agents send all events as 'user' data
FAQ
Current implementations of ZoneFox (up to and including v3.3) do not differentiate between user and system events for Linux and Mac agents. As a result, every event from these agents is treated as a user event and stored in a user index (events.usr.xxxx.xx) rather than being filtered to a system index (events.sys.xxxx.xx.xx). This can create unusually large indices, which could result in the hard limit on the number of documents in a shard being reached.
Note that Windows agents do differentiate between user and system events.
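One way to watch for this condition is sketched below. It is an added example, not Fortinet code. It assumes the event store is Elasticsearch-compatible and that per-shard document counts are available in the column order produced by `_cat/shards?h=index,shard,prirep,docs`. The sample lines, the index date suffixes and the 80% threshold are constructed for illustration; the limit used is Lucene's per-shard maximum of 2,147,483,519 documents.

```python
# Added example: flag user-event shards approaching the per-shard document cap.
LUCENE_MAX_DOCS = 2_147_483_519  # Lucene's hard limit on documents in one shard
WARN_RATIO = 0.80                # assumed alert threshold, adjust as needed

# Constructed sample, columns: index, shard, prirep, docs
SAMPLE = """\
events.usr.2024.01 0 p 1932735283
events.usr.2024.01 0 r 1932735283
events.usr.2024.02 0 p 412000000
events.sys.2024.01 0 p 2000000000
events.usr.2024.03 0 p
"""

def shards_near_limit(cat_output, prefix="events.usr.", ratio=WARN_RATIO):
    """Return (index, shard, docs, fraction_of_limit) for primary shards of
    indices starting with `prefix` whose doc count is at or above `ratio`."""
    hits = []
    for line in cat_output.splitlines():
        fields = line.split()
        # Unassigned or initialising shards report no docs value; skip them.
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        index, shard, prirep, docs = fields[0], int(fields[1]), fields[2], int(fields[3])
        # Only user indices are affected; replicas mirror the primary's count.
        if not index.startswith(prefix) or prirep != "p":
            continue
        frac = docs / LUCENE_MAX_DOCS
        if frac >= ratio:
            hits.append((index, shard, docs, round(frac, 3)))
    # Fullest shard first, so the most urgent index heads the report.
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for index, shard, docs, frac in shards_near_limit(SAMPLE):
        print(f"{index} shard {shard}: {docs} docs ({frac:.1%} of limit)")
```

On a deployment with mostly Linux and Mac agents, the user indices are the ones to watch, since system events from those agents land there as well.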
Copyright 2024 Fortinet, Inc. All Rights Reserved.