Technical Note: ZoneFox 3 - Linux and Mac agents send all events as 'user' data
Scope
FAQ
Solution
Current implementations of ZoneFox (up to and including v3.3) do not differentiate between user and system events for Linux and Mac agents. As a result, every event from these agents is treated as a user event and stored in a user index (events.usr.xxxx.xx) rather than being filtered to a system index (events.sys.xxxx.xx.xx). This can create unusually large indices, which could result in the hard limit on the number of documents in a shard being reached.
Note that Windows agents do differentiate between user and system events.
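One way to watch for the condition described above, as an added example that is not part of the original note or of ZoneFox itself: it flags primary shards of user indices that are approaching the per-shard document cap. It assumes the event store is Elasticsearch (Lucene caps a shard at 2,147,483,519 documents), that the input is the text output of `GET _cat/shards?h=index,shard,prirep,docs`, and the function name, threshold and sample index names are illustrative.

```python
# Added example: flag user-event shards approaching the per-shard document cap.
# Assumptions: Elasticsearch backend; input is `_cat/shards?h=index,shard,prirep,docs` text.
import fnmatch

LUCENE_MAX_DOCS = 2_147_483_519  # Lucene per-shard hard limit (Integer.MAX_VALUE - 128)

# Constructed sample output; names only mimic the note's events.usr.* / events.sys.* patterns.
SAMPLE_CAT_SHARDS = """\
events.usr.2019.03 0 p 1932735283
events.usr.2019.03 0 r 1932735283
events.usr.2019.04 0 p 412000000
events.sys.2019.03 0 p 88000000
events.usr.2019.05 0 p
"""

def shards_near_limit(cat_output, pattern="events.usr.*", threshold=0.8):
    """Return [(index, shard, docs, fraction)] for primary shards at or above threshold."""
    flagged = []
    for line in cat_output.splitlines():
        fields = line.split()
        # Unassigned or initializing shards report no docs value; skip them.
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        index, shard, prirep, docs = fields[0], int(fields[1]), fields[2], int(fields[3])
        # Replicas hold the same documents as their primary, so count primaries only.
        if prirep != "p" or not fnmatch.fnmatch(index, pattern):
            continue
        fraction = docs / LUCENE_MAX_DOCS
        if fraction >= threshold:
            flagged.append((index, shard, docs, round(fraction, 3)))
    # Fullest shards first, so the most urgent index is at the top.
    return sorted(flagged, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for index, shard, docs, fraction in shards_near_limit(SAMPLE_CAT_SHARDS):
        print(f"{index} shard {shard}: {docs} docs ({fraction:.1%} of limit)")
```

Running it with `pattern="events.sys.*"` on a deployment with Linux or Mac agents gives a quick comparison of how much volume is landing in the user indices instead.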
