tcollector runs many collector scripts; trust boundaries and script permissions are critical.
- Audit collector scripts before enabling.
- Restrict script directories to root/service-admin ownership.
- Remove unused or untrusted collectors.
¶ Transport and Backend Controls
- Secure transport to OpenTSDB/TSDB backend.
- Restrict egress from collector hosts to required endpoints.
- Monitor for malformed or excessive metric submissions.