Our logstash
user is a system-level account with nologin
[root@cav01 ~]# id logstash
uid=296(logstash) gid=985(logstash) groups=985(logstash),0(root)
[root@cav01 ~]# grep logstash /etc/passwd
logstash:x:296:985:logstash:/usr/share/logstash:/sbin/nologin
And:
[root@cav01 ~]# ps -p 69796 -o pid,euid,egid,fuid
PID EUID EGID FUID
69796 296 985 296
And you're correct, this is NOT a remote mount of any sort.
Thanks for trudging through this with me! I've been staring at it for days trying various combinations of things to no avail.