Telegraf Error Guide: '[inputs.redis] NOAUTH Authentication required' — Fix Redis Auth
Fix Telegraf's [inputs.redis] 'NOAUTH Authentication required': add the password to the servers URI, use Redis 6 ACL users, or rediss:// TLS so Redis metrics collect.
- #telegraf
- #metrics
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
The redis input runs INFO (and related commands) against each configured server. When the Redis server has a password set with requirepass but the connection URI carries no credentials, Redis rejects every command and the plugin logs:
2026-07-12T12:00:00Z E! [inputs.redis] Error in plugin: NOAUTH Authentication required.
On Redis 6+ with ACLs, supplying a password but no username (or the wrong username) produces a closely related error instead:
E! [inputs.redis] Error in plugin: WRONGPASS invalid username-password pair or user is disabled.
Either way, no redis metrics (memory, clients, keyspace, hit rate) are collected from the affected server.
Symptoms
- All
redismetrics are missing for one or more servers while other inputs report normally. journalctl -u telegrafrepeatsNOAUTH Authentication requiredon every collection interval.redis-cli -h 10.0.0.4 pingreturnsNOAUTH Authentication requiredbutredis-cli -h 10.0.0.4 -a "$PW" pingreturnsPONG.- The error appeared after
requirepasswas enabled on the server, or after a Redis 6 ACL migration. - Some servers in the
serverslist collect fine (no auth) while password-protected ones fail.
Common Root Causes
requirepassset but URI has no password — theserversentry istcp://10.0.0.4:6379with no credentials, soAUTHis never sent.- Password in the wrong URI position — credentials must sit before the host (
tcp://:pass@host:port), not as a query parameter. - Redis 6 ACL requires a username — with named ACL users, the URI needs
user:password@, not just:password@. - Special characters not URL-encoded — a password containing
@,:, or/breaks the URI unless percent-encoded. - Env var not expanded —
${REDIS_PASSWORD}is empty because the variable is not exported to the Telegraf process. - TLS-only server reached over plaintext — a server requiring TLS needs
rediss://; a plaintexttcp://connection can surface as an auth/handshake failure.
Diagnostic Workflow
First confirm the server actually requires auth and that your password works, using redis-cli from the Telegraf host:
redis-cli -h 10.0.0.4 -p 6379 ping # NOAUTH if password required
redis-cli -h 10.0.0.4 -p 6379 -a "$REDIS_PASSWORD" ping # expect PONG
Verify the environment variable is actually visible to the service, not just your shell:
sudo systemctl show telegraf -p Environment
grep -r REDIS_PASSWORD /etc/telegraf/ # e.g. in an EnvironmentFile
Run only the redis input under debug to confirm the fix:
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter redis --debug
For a classic requirepass server, put the password before the host with a leading colon (empty username):
[[inputs.redis]]
servers = ["tcp://:${REDIS_PASSWORD}@10.0.0.4:6379"]
For a Redis 6 ACL user, include the username:
[[inputs.redis]]
servers = ["tcp://telegraf:${REDIS_PASSWORD}@10.0.0.4:6379"]
For a TLS-enabled server, use the rediss:// scheme:
[[inputs.redis]]
servers = ["rediss://:${REDIS_PASSWORD}@10.0.0.4:6379"]
# tls_ca = "/etc/telegraf/redis-ca.pem"
# insecure_skip_verify = false
Load the secret through a systemd EnvironmentFile so it is present for the service:
[Service]
EnvironmentFile=/etc/telegraf/redis.env
Example Root Cause Analysis
A platform team enabled requirepass on a shared Redis to satisfy an audit finding. Immediately, Telegraf logged NOAUTH Authentication required for that server while their app kept working — the app had been redeployed with the new password, but the Telegraf config still read servers = ["tcp://10.0.0.4:6379"].
They added the credential as tcp://:${REDIS_PASSWORD}@10.0.0.4:6379 and referenced ${REDIS_PASSWORD} from an EnvironmentFile. The first attempt still failed with NOAUTH because the variable was defined in the operator’s interactive shell but never exported to the systemd unit — systemctl show -p Environment telegraf came back empty. Pointing EnvironmentFile=/etc/telegraf/redis.env at a file holding the secret and restarting fixed it. The lesson: NOAUTH means the URI carried no usable password, and the most common reason is an environment variable that exists in your shell but not in the service’s environment.
Prevention Best Practices
- Store the Redis password in a systemd
EnvironmentFileand reference it as${REDIS_PASSWORD}; never inline secrets in version control. - URL-encode passwords with special characters (
@,:,/,#) before placing them in the URI. - On Redis 6+, create a dedicated least-privilege ACL user for Telegraf and use
user:password@in the URI. - Confirm the variable reaches the service with
systemctl show -p Environment telegraf, not just an interactiveecho. - Use
rediss://and a pinned CA for any server that requires TLS instead of disabling verification. - Roll credentials into monitoring config in the same change that enables
requirepassso metrics never go dark.
Quick Command Reference
# Confirm the server requires auth and the password works
redis-cli -h 10.0.0.4 -p 6379 ping
redis-cli -h 10.0.0.4 -p 6379 -a "$REDIS_PASSWORD" ping
# Verify the env var reaches the service (not just your shell)
sudo systemctl show telegraf -p Environment
# Run only the redis input with debug
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter redis --debug
# Watch redis auth errors live
journalctl -u telegraf -f | grep -i redis
Related Guides
- Telegraf InfluxDB 401 unauthorized
- Telegraf HTTP connection refused
- Telegraf SQL Server login failed
More fixes in the Telegraf guides.
Conclusion
[inputs.redis] NOAUTH Authentication required means the connection URI reached a password-protected Redis without credentials. Add the password before the host as tcp://:${REDIS_PASSWORD}@host:port, or user:password@ for a Redis 6 ACL user, and use rediss:// for TLS. Verify with redis-cli -a from the Telegraf host and confirm the secret actually reaches the service environment — a variable set only in your shell is the classic reason the fix appears not to work.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.