Telegraf has many plugins and output integrations, so plugin minimization and secret handling are essential.
Plugin and Agent Hardening
- Enable only required input/output plugins.
- Run Telegraf as a dedicated non-root user where possible.
- Restrict plugin access to system resources as needed.
Secret and Output Security
- Store output tokens/passwords using secret-store patterns.
- Enforce TLS for remote output endpoints.
- Restrict outbound connectivity to approved observability systems.
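
One way to check a Telegraf configuration against the items above, as an added example that is not Telegraf's own tooling. The allowlist, the set of secret option names, the store id `vault` and the sample config are assumptions constructed for illustration:

```python
import re

# Assumed policy for this example: the plugins this host actually needs.
ALLOWED_PLUGINS = {"inputs.cpu", "inputs.mem", "outputs.influxdb_v2"}
# Assumed option names that carry credentials.
SECRET_KEYS = {"token", "password", "api_key", "secret"}

# Constructed sample config, not from a real deployment.
SAMPLE_CONF = """
[[inputs.cpu]]
[[inputs.exec]]
  commands = ["/usr/local/bin/collect.sh"]
[[outputs.influxdb_v2]]
  urls = ["http://metrics.example.internal:8086"]
  token = "constructed-plaintext-token"
  insecure_skip_verify = true
[[outputs.influxdb_v2]]
  urls = ["https://metrics.example.internal:8086"]
  token = "@{vault:influx_token}"
"""

PLUGIN = re.compile(r"^\[\[((?:inputs|outputs|processors|aggregators)\.\w+)")
SETTING = re.compile(r"^(\w+)\s*=\s*(.+)$")

def audit(conf):
    """Return hardening findings as 'line N: message' strings."""
    findings, current = [], ""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        plugin = PLUGIN.match(line)
        if plugin:
            current = plugin.group(1)
            if current not in ALLOWED_PLUGINS:
                findings.append(f"line {n}: plugin {current} is not on the allowlist")
            continue
        setting = SETTING.match(line)
        if not setting:
            continue
        key, value = setting.group(1), setting.group(2).strip()
        literal = value.strip("\"'")
        # Secret-store (@{store:key}) and environment ($VAR) references are not literals.
        if key in SECRET_KEYS and literal and not literal.startswith(("@{", "$")):
            findings.append(f"line {n}: {key} is a plaintext secret")
        if current.startswith("outputs.") and "http://" in value:
            findings.append(f"line {n}: output endpoint does not use TLS")
        if key == "insecure_skip_verify" and value == "true":
            findings.append(f"line {n}: TLS certificate verification is disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The findings name the option and line but never echo the secret value, so the report itself is safe to log.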