Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Telegraf By James Joyner IV · · 8 min read

Telegraf Error Guide: '[inputs.redis] NOAUTH Authentication required' — Fix Redis Auth

Quick answer

Fix Telegraf's [inputs.redis] 'NOAUTH Authentication required': add the password to the servers URI, use Redis 6 ACL users, or rediss:// TLS so Redis metrics collect.

  • #telegraf
  • #metrics
  • #troubleshooting
  • #errors
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

The redis input runs INFO (and related commands) against each configured server. When the Redis server has a password set with requirepass but the connection URI carries no credentials, Redis rejects every command and the plugin logs:

2026-07-12T12:00:00Z E! [inputs.redis] Error in plugin: NOAUTH Authentication required.

On Redis 6+ with ACLs, supplying a password but no username (or the wrong username) produces a closely related error instead:

E! [inputs.redis] Error in plugin: WRONGPASS invalid username-password pair or user is disabled.

Either way, no redis metrics (memory, clients, keyspace, hit rate) are collected from the affected server.

Symptoms

  • All redis metrics are missing for one or more servers while other inputs report normally.
  • journalctl -u telegraf repeats NOAUTH Authentication required on every collection interval.
  • redis-cli -h 10.0.0.4 ping returns NOAUTH Authentication required but redis-cli -h 10.0.0.4 -a "$PW" ping returns PONG.
  • The error appeared after requirepass was enabled on the server, or after a Redis 6 ACL migration.
  • Some servers in the servers list collect fine (no auth) while password-protected ones fail.

Common Root Causes

  • requirepass set but URI has no password — the servers entry is tcp://10.0.0.4:6379 with no credentials, so AUTH is never sent.
  • Password in the wrong URI position — credentials must sit before the host (tcp://:pass@host:port), not as a query parameter.
  • Redis 6 ACL requires a username — with named ACL users, the URI needs user:password@, not just :password@.
  • Special characters not URL-encoded — a password containing @, :, or / breaks the URI unless percent-encoded.
  • Env var not expanded${REDIS_PASSWORD} is empty because the variable is not exported to the Telegraf process.
  • TLS-only server reached over plaintext — a server requiring TLS needs rediss://; a plaintext tcp:// connection can surface as an auth/handshake failure.

Diagnostic Workflow

First confirm the server actually requires auth and that your password works, using redis-cli from the Telegraf host:

redis-cli -h 10.0.0.4 -p 6379 ping                 # NOAUTH if password required
redis-cli -h 10.0.0.4 -p 6379 -a "$REDIS_PASSWORD" ping   # expect PONG

Verify the environment variable is actually visible to the service, not just your shell:

sudo systemctl show telegraf -p Environment
grep -r REDIS_PASSWORD /etc/telegraf/   # e.g. in an EnvironmentFile

Run only the redis input under debug to confirm the fix:

telegraf --config /etc/telegraf/telegraf.conf --test --input-filter redis --debug

For a classic requirepass server, put the password before the host with a leading colon (empty username):

[[inputs.redis]]
  servers = ["tcp://:${REDIS_PASSWORD}@10.0.0.4:6379"]

For a Redis 6 ACL user, include the username:

[[inputs.redis]]
  servers = ["tcp://telegraf:${REDIS_PASSWORD}@10.0.0.4:6379"]

For a TLS-enabled server, use the rediss:// scheme:

[[inputs.redis]]
  servers = ["rediss://:${REDIS_PASSWORD}@10.0.0.4:6379"]
  # tls_ca = "/etc/telegraf/redis-ca.pem"
  # insecure_skip_verify = false

Load the secret through a systemd EnvironmentFile so it is present for the service:

[Service]
EnvironmentFile=/etc/telegraf/redis.env

Example Root Cause Analysis

A platform team enabled requirepass on a shared Redis to satisfy an audit finding. Immediately, Telegraf logged NOAUTH Authentication required for that server while their app kept working — the app had been redeployed with the new password, but the Telegraf config still read servers = ["tcp://10.0.0.4:6379"].

They added the credential as tcp://:${REDIS_PASSWORD}@10.0.0.4:6379 and referenced ${REDIS_PASSWORD} from an EnvironmentFile. The first attempt still failed with NOAUTH because the variable was defined in the operator’s interactive shell but never exported to the systemd unit — systemctl show -p Environment telegraf came back empty. Pointing EnvironmentFile=/etc/telegraf/redis.env at a file holding the secret and restarting fixed it. The lesson: NOAUTH means the URI carried no usable password, and the most common reason is an environment variable that exists in your shell but not in the service’s environment.

Prevention Best Practices

  • Store the Redis password in a systemd EnvironmentFile and reference it as ${REDIS_PASSWORD}; never inline secrets in version control.
  • URL-encode passwords with special characters (@, :, /, #) before placing them in the URI.
  • On Redis 6+, create a dedicated least-privilege ACL user for Telegraf and use user:password@ in the URI.
  • Confirm the variable reaches the service with systemctl show -p Environment telegraf, not just an interactive echo.
  • Use rediss:// and a pinned CA for any server that requires TLS instead of disabling verification.
  • Roll credentials into monitoring config in the same change that enables requirepass so metrics never go dark.

Quick Command Reference

# Confirm the server requires auth and the password works
redis-cli -h 10.0.0.4 -p 6379 ping
redis-cli -h 10.0.0.4 -p 6379 -a "$REDIS_PASSWORD" ping

# Verify the env var reaches the service (not just your shell)
sudo systemctl show telegraf -p Environment

# Run only the redis input with debug
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter redis --debug

# Watch redis auth errors live
journalctl -u telegraf -f | grep -i redis

More fixes in the Telegraf guides.

Conclusion

[inputs.redis] NOAUTH Authentication required means the connection URI reached a password-protected Redis without credentials. Add the password before the host as tcp://:${REDIS_PASSWORD}@host:port, or user:password@ for a Redis 6 ACL user, and use rediss:// for TLS. Verify with redis-cli -a from the Telegraf host and confirm the secret actually reaches the service environment — a variable set only in your shell is the classic reason the fix appears not to work.

Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.