Telegraf on PFsense Error
-
I am trying to set up Telegraf on my PFsense to export metrics to my InfluxDB, but I am having issues. In the log, I get an error, and when I run the test, it tells me another error. Can someone assist me with this? I am new to the whole process. Below is what I get. Also, for the line 35 error, when I look at the file, it does show a line 35 but it's blank.
InfluxDB v2.7.12
Server: ec9dcde
Frontend: 5c07739
2.8.0-RELEASE (amd64)
built on Wed May 21 19:12:00 EDT 2025
FreeBSD 15.0-CURRENT
When I run /usr/local/bin/telegraf -config=/usr/local/etc/telegraf.conf --test
I get 2025-06-18T15:37:24Z W! [inputs.kernel] Current platform is not supported
The log just repeats this over and over:
2025-06-15T00:08:17Z E! loading config file /usr/local/etc/telegraf.conf failed: error parsing data: line 35: invalid TOML syntax
2025-06-15T00:08:18Z E! loading config file /usr/local/etc/telegraf.conf failed: error parsing data: line 35: invalid TOML syntax
2025-06-15T00:08:19Z E! loading config file /usr/local/etc/telegraf.conf failed: error parsing data: line 35: invalid TOML syntax
2025-06-15T00:08:20Z E! loading config file /usr/local/etc/telegraf.conf failed: error parsing data: line 35: invalid TOML syntax
2025-06-15T00:08:21Z E! loading config file /usr/local/etc/telegraf.conf failed: error parsing data: line 35: invalid TOML syntax
This is the current conf, which I have run through a TOML verification tool and it says the TOML is valid.
# This file is automatically generated by pfSense
[agent]
interval = "15s"
round_interval = true
[[inputs.cpu]]
percpu = true
totalcpu = true
fielddrop = ["time_*"]
[[inputs.disk]]
ignore_fs = ["tmpfs", "devtmpfs", "devfs"]
[[inputs.diskio]]
[[inputs.kernel]]
[[inputs.mem]]
[[inputs.net]]
[[inputs.processes]]
[[inputs.swap]]
[[inputs.system]]
[[inputs.pf]]
[[outputs.influxdb]]
urls = ["http://192.168.1.100:8086"]
database = "Influxdb-1"
username = ""
password = "***************"
-
@gm2005fl I recently installed Telegraf with the same purpose, and have it working.
Is that the complete telegraf.conf? If you run the following command, is line 35 still empty, or does it contain something invisible/control characters?
cat -nvt /usr/local/etc/telegraf.conf
If it is empty, then something is missing.
If I compare with my telegraf.conf, I have an additional line after the password:
password = "xyz"
ssl_ca = "/usr/local/etc/telegraf.ca"
I wonder if ssl_ca is a mandatory parameter.
As this config is generated, it looks like something is missing from pfSense. Does the file /usr/local/etc/telegraf.ca exist on your system?
If it does, you could try and add that line manually to the config file and see if that fixes the error.
It is not a permanent solution though, as every time you save the Telegraf config you'll have to manually add that line.
Looking at the code in /usr/local/pkg/telegraf.inc, it looks like the ssl_ca is only added to the config file if you have configured a default Certificate Authority in pfSense System / Certificates / Authorities.
Do you have pfSense-Root-CA and pfSense-Sub-CA configured? If not, then configuring those is probably the correct solution. It is normally done in conjunction with enabling https-access to pfSense. See https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#ssl-tls-certificate
The pfSense documentation about certificates can be found here: https://docs.netgate.com/pfsense/en/latest/certificates/index.html
When I first set my pfSense up I think I followed the more detailed step-by-step description here https://www.ceos3c.com/pfsense/pfsense-generate-ssl-certificate-https-pfsense/
-
@gm2005fl there is also this option, which might bypass the need to configure a CA altogether
Try enabling that and see if that helps.
-
@pst I did the skip and it did not help.
-
@pst I do not have the Root-Ca configured, I can do that. I also don't have the Telegraf.ca file. When I ran the cat on it, it didn't show me the line 35. But when I did the skip SSL, it added that as line 35, but I am still getting the error. BTW thank you for the help.
-
@gm2005fl said in Telegraf on PFsense Error:
I also don't have the Telegraf.ca file.
I checked the code again, and that file is only created if you have the CA configured, as it takes info from that CA config.
Once you have created the CA it should all work (as it did for me).
Note, there is currently a bug in Telegraf which prevents automatic restart of the Telegraf service after changing the configuration. A small fix can be found here: https://redmine.pfsense.org/issues/16225. If you don't apply the fix you will have to manually restart Telegraf (from Status / Services) every time you update the Telegraf configuration.
-
@pst Cool, thank you. I will get it updated and see how I do. Fingers crossed.
-
@gm2005fl Well, it looks like the data is now transferring... THANKS for the help on it. I got the CA done. Now I have to figure out the issue with the 401 unauthorized between the PFsense and Influxdb.
-
@gm2005fl Great! Just double check your IP/port, database name, the username has to be the one with "write" authority (I think there was a "read" user also, that Grafana uses (if you use Grafana that is)), and obv the password :)
-
@pst Yeah I have double checked all of that, the IP/port, user, dbname etc. They all are correct. Copilot is telling me it has something to do with the API key, but not sure about that.
-
@gm2005fl I can't recall using an API key, but your end system might be completely different for all I know :)
My browsing history suggests I used this as base for my installation: https://homelabing.fr/pfblockerng-and-monitoring-pfsense-with-telegraf-influxdb-and-grafana/
It's not the easiest of reads but might give you a clue to what could be wrong, hopefully.
-
@pst Finally.... Got it. I used copilot to walk me through all of my errors. The end result,
Boom—there’s the final piece of the puzzle. Telegraf is trying to write to the InfluxDB 2.x instance using the InfluxDB 1.x-style output plugin ([[outputs.influxdb]]), which expects a database name like "pfsense". But InfluxDB 2.x doesn’t use databases—it uses buckets, orgs, and tokens. That’s why you’re getting:
401 Unauthorized and database creation failed
So, long story short, the package from Pfsense still shows the database info. I pasted the following in the "Additional Config" section and removed the database info and boom... got data.
[[outputs.influxdb_v2]]
urls = ["http://192.168.1.100:8086"]
token = "your-super-secret-token"
organization = "name"
bucket = "pfsense"
Holy Heck that was a lot. :) but thanks for sticking with me, I appreciate the support :)
-
@gm2005fl that's great news, and very useful information for those of us (i.e. me!) not realising there are different versions of InfluxDB :)
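-
The checks that came up in this thread (hidden bytes on the reported line, an ssl_ca path whose file was never generated, the 1.x output plugin pointed at an InfluxDB 2.x server), collected into one script as an added example that is not part of the original posts or of the pfSense package. The function name lint_telegraf_conf and the sample config are constructed for illustration; the script also flags insecure_skip_verify and plain-http output URLs, which the thread does not discuss in detail.

```sh
#!/bin/sh
# Added example: lint a Telegraf config for the problems met in this thread.
# Prints one finding per line; prints nothing for a clean file.
lint_telegraf_conf() {
    LC_ALL=C awk '
        # Bytes a plain cat hides (CR, other control chars, non-ASCII);
        # these are what cat -nvt makes visible on the reported line.
        /[^\t -~]/ { printf "line %d: hidden control or non-ASCII byte\n", NR }
        /^[ \t]*#/ { next }
        # Track whether we are in an output section, and whether it is the
        # 1.x plugin ([[outputs.influxdb]] rather than [[outputs.influxdb_v2]]).
        /^[ \t]*\[/ { outsec = ($0 ~ /outputs\./)
                      v1 = ($0 ~ /outputs\.influxdb[^_a-zA-Z0-9]/); next }
        v1 && /^[ \t]*database[ \t]*=/ {
            printf "line %d: 1.x output plugin; InfluxDB 2.x expects outputs.influxdb_v2\n", NR }
        outsec && /^[ \t]*urls[ \t]*=.*"http:/ {
            printf "line %d: output URL is plain http; any token or password is sent unencrypted\n", NR }
        /^[ \t]*insecure_skip_verify[ \t]*=[ \t]*true/ {
            printf "line %d: TLS certificate verification is disabled\n", NR }
        /^[ \t]*(ssl_ca|tls_ca)[ \t]*=/ {
            split($0, q, "\""); printf "CA %d %s\n", NR, q[2] }
    ' "$1" | while IFS= read -r line; do
        case $line in
            "CA "*) rest=${line#CA }; n=${rest%% *}; path=${rest#* }
                    # The config may name a CA file that was never generated.
                    [ -f "$path" ] || printf 'line %s: CA file %s does not exist\n' "$n" "$path" ;;
            *)      printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample (not the poster's file): 1.x plugin, http URL,
# a CA path that does not exist, and a CRLF ending on the last line.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '[agent]' '  interval = "15s"' '[[outputs.influxdb]]' \
    '  urls = ["http://192.0.2.10:8086"]' '  database = "pfsense"' \
    '  ssl_ca = "/nonexistent/telegraf.ca"' > "$sample"
printf '  password = "x"\r\n' >> "$sample"
lint_telegraf_conf "$sample"
```

On pfSense the file to pass is /usr/local/etc/telegraf.conf; because the package regenerates that file on every save, rerun the check after changing the Telegraf settings.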