Telegraf Error Guide: '[inputs.mongodb] server selection timeout' — Fix MongoDB Connection
Fix Telegraf's [inputs.mongodb] 'server selection error: server selection timeout' by correcting the servers URI, authSource, replica set name, TLS, and network access.
- #telegraf
- #metrics
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
The mongodb input connects with the official Go driver and runs serverStatus/replSetGetStatus each interval. Before it can run anything, the driver must select a reachable server from the topology. When it cannot — wrong host, blocked port, failed auth, or TLS mismatch — the driver gives up after its selection timeout and Telegraf logs:
2026-07-12T12:00:00Z E! [inputs.mongodb] Error in plugin: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: 10.0.0.10:27017, Type: Unknown, Last error: connection() error occurred during connection handshake }] }
An authentication-specific variant surfaces once the socket connects but the handshake is rejected:
E! [inputs.mongodb] Error in plugin: server selection error: server selection timeout, current topology: { Type: ReplicaSetNoPrimary, Servers: [{ Addr: 10.0.0.10:27017, Type: RSGhost, Last error: (Unauthorized) command serverStatus requires authentication }] }
Type: Unknown means the driver never got a usable handshake; ReplicaSetNoPrimary means it reached the nodes but could not find a primary. Either way, no mongodb metrics collect.
Symptoms
- All
mongodbmeasurements are missing while other inputs report normally. journalctl -u telegrafrepeatsserver selection timeout, current topology: { Type: Unknown }each interval.- The
Last errorinside the topology names the real cause: connection handshake, auth, or TLS. mongoshfrom the Telegraf host with the same URI also fails (network/auth) or succeeds (config mismatch in Telegraf).- Only replica-set members are reachable but no primary is found (
ReplicaSetNoPrimary).
Common Root Causes
- Wrong host/port in the URI — a typo, wrong node, or a mongos/router address that is down.
- Missing or wrong
authSource— credentials live inadminbut the URI authenticates against the default database. - Bad credentials — wrong user/password, or a user without the
clusterMonitorrole forserverStatus. - Replica set name mismatch —
replicaSet=rs0in the URI does not match the deployment, so the driver rejects every node. - TLS required but not configured — the server enforces TLS and the plaintext driver handshake fails (or a CA/hostname mismatch).
- Firewall/security group blocking 27017 — the port is filtered between the Telegraf host and the database.
bindIprestriction — mongod only listens on localhost or a specific interface the Telegraf host cannot reach.
Diagnostic Workflow
Read the Last error field inside current topology first — it distinguishes a network failure from an auth or TLS failure. Then reproduce the exact URI outside Telegraf with mongosh:
# Same URI Telegraf uses; substitute the real value from the environment
mongosh "mongodb://telegraf:${MONGODB_PASS}@10.0.0.10:27017/?authSource=admin&replicaSet=rs0"
If mongosh cannot connect either, confirm the port is reachable and whether TLS is being enforced:
nc -z -v 10.0.0.10 27017
# Does the server speak TLS? A plaintext probe against a TLS-only port hangs/resets.
openssl s_client -connect 10.0.0.10:27017 -brief </dev/null 2>&1 | head
Once mongosh succeeds, match the Telegraf config’s servers URI to it exactly. Keep the connection string in the environment and reference it so credentials stay out of the config file:
[[inputs.mongodb]]
## Full connection string, supplied via the service environment
servers = ["${MONGODB_URI}"]
## MONGODB_URI = mongodb://telegraf:<pass>@10.0.0.10:27017,10.0.0.11:27017/?authSource=admin&replicaSet=rs0
gather_cluster_status = true
gather_perdb_stats = false
gather_col_stats = false
When the server enforces TLS, add the TLS options to the plugin (and/or tls=true in the URI) with the CA the server presents:
[[inputs.mongodb]]
servers = ["${MONGODB_URI}"]
tls_ca = "/etc/telegraf/mongo-ca.pem"
insecure_skip_verify = false
The monitoring user needs the right role. Create it once with clusterMonitor, which grants read access to serverStatus and replica-set status:
// in mongosh, against the admin database
db.getSiblingDB("admin").createUser({
user: "telegraf",
pwd: passwordPrompt(),
roles: [{ role: "clusterMonitor", db: "admin" }]
})
Finally, run only the mongodb input under Telegraf to confirm the fix:
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter mongodb --debug
Example Root Cause Analysis
After migrating a replica set behind a new security group, mongodb metrics vanished with server selection timeout, current topology: { Type: Unknown ... Last error: ... during connection handshake }. ping to the nodes worked, so the team suspected credentials. But nc -z -v 10.0.0.10 27017 timed out from the Telegraf host, while it connected instantly from an app server — the port itself was blocked.
The new security group allowed 27017 only from the application tier, not the monitoring subnet, so the driver never completed a handshake and reported Type: Unknown. Adding the monitoring subnet to the security group made mongosh connect, and telegraf --test --input-filter mongodb immediately returned cluster metrics. A secondary fix followed: the URI had omitted authSource=admin, which would have produced an Unauthorized error next — caught early by reading the topology’s Last error. The lesson: a MongoDB “server selection timeout” is a symptom, not a cause; the Last error inside current topology tells you whether to fix the network, the auth, or the TLS.
Prevention Best Practices
- Store the full connection string in the service environment (
${MONGODB_URI}) so credentials never land in the config or version control. - Always set
authSourceexplicitly (usuallyadmin) to match where the monitoring user was created. - Grant the monitoring user exactly
clusterMonitor— enough forserverStatus, nothing more. - List all replica-set members in the URI with the correct
replicaSet=name so the driver can find the primary. - Open 27017 from the monitoring subnet to every node as part of database onboarding, and verify with
nc -z. - When TLS is enforced, configure
tls_caand leaveinsecure_skip_verify = false; read the topologyLast errorto catch cert/hostname mismatches.
Quick Command Reference
# Reproduce the exact URI outside Telegraf
mongosh "mongodb://telegraf:${MONGODB_PASS}@10.0.0.10:27017/?authSource=admin&replicaSet=rs0"
# Check port reachability and whether TLS is enforced
nc -z -v 10.0.0.10 27017
openssl s_client -connect 10.0.0.10:27017 -brief </dev/null 2>&1 | head
# Run only the mongodb input with debug
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter mongodb --debug
# Watch server selection errors live
journalctl -u telegraf -f | grep -i 'server selection'
Related Guides
- Telegraf Error: [inputs.sqlserver] login failed
- Telegraf Error: InfluxDB x509 certificate signed by unknown authority
- Telegraf Error: [inputs.http] connection refused
More fixes in the Telegraf guides.
Conclusion
[inputs.mongodb] server selection error: server selection timeout, current topology: { Type: Unknown } means the Go driver never selected a usable server — the Last error inside the topology tells you whether the cause is a blocked port, wrong authSource/credentials, a replica-set name mismatch, or a TLS handshake failure. Reproduce the exact URI with mongosh, confirm 27017 is reachable, and match the Telegraf servers string precisely, keeping it in ${MONGODB_URI}. Grant the monitoring user clusterMonitor, configure TLS when enforced, and MongoDB metrics will collect reliably.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.