Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Telegraf By James Joyner IV · · 8 min read

Telegraf Error Guide: '[inputs.ping] socket: operation not permitted' — Fix Native ICMP Capability

Quick answer

Fix Telegraf's [inputs.ping] 'socket: operation not permitted': grant CAP_NET_RAW for native ICMP, or switch to method=exec using the system ping so host checks succeed.

  • #telegraf
  • #metrics
  • #troubleshooting
  • #errors
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

The ping input can send ICMP echo requests directly using a raw socket (method = "native"). Opening a raw socket requires the CAP_NET_RAW capability; when the telegraf process lacks it, the plugin fails to create the socket and logs:

2026-07-12T12:00:00Z E! [inputs.ping] Error in plugin: host www.example.com: socket: operation not permitted

A related form appears when the native method cannot bind an unprivileged ICMP datagram socket because the kernel ping_group_range does not include the service group:

E! [inputs.ping] Error in plugin: host 10.0.0.20: listen ip4:icmp 0.0.0.0: socket: operation not permitted

No ping metrics (packet loss, RTT) are produced for the affected hosts until the capability or method is corrected.

Symptoms

  • All ping metrics are missing while other inputs collect normally.
  • journalctl -u telegraf repeats socket: operation not permitted for each configured host every interval.
  • Running telegraf --test as root succeeds, but the systemd service (running as telegraf) fails.
  • The error started after switching method from exec to native, or after a Telegraf package upgrade changed the default.
  • getcap $(command -v telegraf) shows no cap_net_raw on the binary.

Common Root Causes

  • Native method without CAP_NET_RAW — the raw ICMP socket cannot be opened by an unprivileged user, so the socket call is denied.
  • systemd unit drops capabilities — a hardened unit with CapabilityBoundingSet= or NoNewPrivileges=yes prevents Telegraf from ever holding CAP_NET_RAW.
  • setcap lost on upgrade — a file capability set on the binary is wiped when the package is reinstalled or upgraded.
  • Kernel ping_group_range excludes the group — unprivileged ICMP datagram sockets are gated by net.ipv4.ping_group_range, which does not include the telegraf GID.
  • method = "exec" but system ping is missing or unprivileged — the fallback shells out to ping, which itself may lack its setuid/cap_net_raw bit.
  • Container without net-raw — a container dropped NET_RAW in its security context, so no process inside can open raw sockets.

Common Fix Paths

There are two supported approaches: grant the capability and keep method = "native", or switch to method = "exec" and let the system ping binary handle privileges.

Diagnostic Workflow

First confirm which method is configured and whether the binary or process holds the capability:

grep -A5 'inputs.ping' /etc/telegraf/telegraf.conf
getcap "$(command -v telegraf)"
systemctl show telegraf -p CapabilityBoundingSet -p AmbientCapabilities -p NoNewPrivileges

Run only the ping input under debug to see the exact host and socket error:

telegraf --config /etc/telegraf/telegraf.conf --test --input-filter ping --debug

Option A — grant CAP_NET_RAW via systemd (preferred). Add a drop-in so the service starts with the ambient capability:

sudo systemctl edit telegraf
[Service]
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
sudo systemctl daemon-reload && sudo systemctl restart telegraf

The native config stays simple:

[[inputs.ping]]
  urls = ["www.example.com", "10.0.0.20"]
  method = "native"
  count = 3
  ping_interval = 1.0
  timeout = 2.0

Option B — use the system ping binary. Switch the method and let the setuid ping do the privileged work:

[[inputs.ping]]
  urls = ["www.example.com", "10.0.0.20"]
  method = "exec"
  binary = "ping"
  count = 3
  timeout = 2.0

Option C — setcap on the binary (useful when systemd hardening is out of your control), noting it must be re-applied after upgrades:

sudo setcap cap_net_raw+ep "$(command -v telegraf)"

Example Root Cause Analysis

After a Telegraf upgrade, a synthetic-availability check that pinged public endpoints went dark, logging host www.example.com: socket: operation not permitted. The config used method = "native", which had worked for months. getcap on the old binary path had shown cap_net_raw+ep, but the upgraded package replaced the binary and the file capability was gone — package upgrades do not preserve setcap.

Rather than re-run setcap after every upgrade, the team moved the grant into a systemd drop-in with AmbientCapabilities=CAP_NET_RAW, which survives package upgrades because it lives in the unit, not on the inode. After daemon-reload and a restart, telegraf --test --input-filter ping reported RTT and packet loss again. The lesson: file capabilities are fragile across upgrades — grant CAP_NET_RAW through the service manager, or use method = "exec" so the OS ping owns the privilege.

Prevention Best Practices

  • Prefer a systemd AmbientCapabilities=CAP_NET_RAW drop-in over setcap, since it survives package upgrades.
  • If you must use setcap, add a post-upgrade hook to re-apply it, because reinstalls wipe file capabilities.
  • Choose method = "exec" when you want the system ping binary to own ICMP privileges and keep Telegraf unprivileged.
  • Keep CapabilityBoundingSet scoped to exactly CAP_NET_RAW rather than loosening the whole unit.
  • In containers, add NET_RAW to the security context explicitly if you rely on native ICMP.
  • Validate with telegraf --test --input-filter ping in post-deploy checks so a lost capability is caught before availability data goes missing.

Quick Command Reference

# Check configured method and current capabilities
getcap "$(command -v telegraf)"
systemctl show telegraf -p AmbientCapabilities -p NoNewPrivileges

# Grant CAP_NET_RAW via systemd drop-in (preferred)
sudo systemctl edit telegraf   # add AmbientCapabilities=CAP_NET_RAW
sudo systemctl daemon-reload && sudo systemctl restart telegraf

# Alternative: file capability on the binary (re-apply after upgrades)
sudo setcap cap_net_raw+ep "$(command -v telegraf)"

# Run only the ping input with debug
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter ping --debug

More fixes in the Telegraf guides.

Conclusion

[inputs.ping] socket: operation not permitted means Telegraf’s native ICMP method cannot open a raw socket because the process lacks CAP_NET_RAW. Grant the capability through a systemd AmbientCapabilities drop-in (which survives upgrades), or switch to method = "exec" and let the system ping binary handle privileges. Confirm the fix with telegraf --test --input-filter ping, and avoid setcap unless you re-apply it after every package upgrade.

Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.