Telegraf Windows Service Permissions


I’m collecting SQL Stats by using using telegraf sqlserver plugin. Telegraf agent installed on the sql server. Also, same agent should be collecting the server metrics (perfmon).

Here is the problem. I don’t want to display sql user-password as clear text in the config file. So, I’ve created a service account in the active directory then run telegraf windows service with the service account.

Now, telegraf is not able to collect server metrics. What permisisons should I provide to the service account. I don’t want to make it admin if possible.


The AD user should have the Log on as a service permission on the machine on which Telegraf runs as a service.
You can set it from:
Local Security Policy > Local Policy > User Rights Assignment > Log on as a service

Other errors may be caused by:

  • Not using the full path in the command, always use the absolute path ( Fullpath\telegraf.exe --config Fullpath\ConfFile.conf ) otherwise you will get error 1067 when starting the service
  • The user does not have the required permission on SQL Server, the sqlserver plugin requires the following permissions

What happens (now) when you run the Telegraf Service? do you get an error? have you checked Event Viewer or the Telegraf log file (if configured) for errors ?

1 Like

I don’t get any error on sql metrics. Thanks for the detailed answer. I haven’t find an opportunity to try it yet but I’ll definitely write back after I try “log on as a service” option.

Can you tell me how to configure telegraf log file on Windows? I didn’t configure it but it’s very important when diagnosing errors.

@Giovanni_Luisotto I set log on as a service setting yet it didn’t work. Is there something else I should do?

Do you get any error?
To see errors test the current configuration, start powershell as the dedicated AD user and test the configuration.

Path\telegraf.exe --config path\file.conf --test

This should delicate the exact same thing that the service does. Any error by default is sento to stderr so you should see it in the console.

About the log configuration, there are a bunch of options in the agent section of the conf file, if you write to a file ensure that the user has the permission to read/write it.

1 Like

I tried the test option. There is no error and I saw that it collects some metrics. I checked the user permission “Log on as a service”. :confused:

It works as when the AD user is local admin and when I don’t use AD user at all. May be AD user requires more permission than “log on as a service” ?

If running Telegraf manually (with its the dedicated AD user) works then I don’t really know what’s wrong.
How did you configure the service on windows?
are you using the built-in command or nssm?

# The built-in command will require you to change the user after registering the service
.\telegraf.exe --service install --config "_Fullpath_\ _MyConf_.conf"

if you use nssm, it will allow you to set the service user and will assign it the needed permissions automatically, it also will allow you to redirect stderr to a log file, so you should be able to see errors)

Remember that any service related error will be logged to the Windows Event Viewer

I wrote a bunch of blog posts about how to set up the TICK stack on Windows, I don’t know if that will help you but maybe give them a brief look.(in the post about InfluxDb you will also find a nssm example)

I will try to delete the existing service and re-create it, maybe using nssm.
Let me know if you discover something new.

1 Like

@Giovanni_Luisotto I don’t use nssm, I configured the service as it says in the github page.

I think when I add a windows service with an AD user, windows automatically gives the permission “Log on as a service”. Because I tried again on a new server and didn’t give the permission then checked it and it was already given.

I am now able get data by the way. I added the user into the Performance Monitor Users group.

PS. Cool blog posts by the way and thanks for your help.

Glad to hear that you solved the problem.
I will have a look at my setup to check if that group is configurd, anyway I expected SQL Server to give me an error equivalent to “Access Denied” if that’s the case.

1 Like

Weird, I think, I have discovered something else.


I’ve commented out servers line and the agent is able collect related counters. Telegraf service is running as “Local System” on the SQL Server. Is this normal? Then, I can say that “I need no sql user if the agent is on the sql server directly.”

      # servers = [ "Server=;Port=1433;User Id=<user>;Password=<pw>;app name=telegraf;log=1;" ]
      query_version = 2

By default, if nothing is specified the GO library used by Telegraf will connect to localhost on port 1433, using SSO authentication.
If Telegraf runs with Local System (NT AUTHORITY\SYSTEM) and is able to read data that means that the user has access to SQL Server.

have a look at the SQL Server logins of the instance and check if the user exists and with what permissions

1 Like

Yeap, “NT AUTHORITY\SYSTEM” has the permission to access SQL Server. DB Admin said that the user comes with default settings. I don’t know what permiss it has but it’s able to collect all the data that telegraf sqlserver plugin collects.

“NT AUTHORITY\SYSTEM” is in the “sysadmin” role, so it can literally do whatever he wants in the database. Which may not be a problem as long as you run the default telegraf queries, but in general, it’s not so nice, you should use the “least privilege” logic, which means having a read-only user with the minimum permissions.

That said if using “NT AUTHORITY\SYSTEM” causes no problem and it’s ok for everyone then go for it.

1 Like