telegraf/plugins/inputs/ipset/README.md

# Ipset Input Plugin

This plugin gathers packets and bytes counters from [Linux IP sets][ipsets]
using the `ipset` command line tool.

> [!NOTE]
> IP sets created without the "counters" option are ignored.

⭐ Telegraf v1.6.0
🏷️ network, system
💻 linux

[ipsets]: https://ipset.netfilter.org/

## Global configuration options <!-- @/docs/includes/plugin_config.md -->

In addition to the plugin-specific configuration settings, plugins support
additional global and plugin configuration settings. These settings are used to
modify metrics, tags, and field or create aliases and configure ordering, etc.
See the [CONFIGURATION.md][CONFIGURATION.md] for more details.

[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins

## Configuration

```toml @sample.conf
# Gather packets and bytes counters from Linux ipsets
  [[inputs.ipset]]
    ## By default, we only show sets which have already matched at least 1 packet.
    ## set include_unmatched_sets = true to gather them all.
    # include_unmatched_sets = false

    ## Adjust your sudo settings appropriately if using this option ("sudo ipset save")
    ## You can avoid using sudo or root, by setting appropriate privileges for
    ## the telegraf.service systemd service.
    # use_sudo = false

    ## Add number of entries and number of individual IPs (resolve CIDR syntax) for each ipset
    # count_per_ip_entries = false

    ## The default timeout of 1s for ipset execution can be overridden here:
    # timeout = "1s"
```

### Permissions

There are 3 ways to grant telegraf the right to run ipset:

- Run as root (strongly discouraged)
- Use sudo
- Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW
  capabilities

#### Using sudo

To use sudo set the `use_sudo` option to `true` and update your sudoers file:

```bash
$ visudo
# Add the following line:
Cmnd_Alias IPSETSAVE = /sbin/ipset save
telegraf  ALL=(root) NOPASSWD: IPSETSAVE
Defaults!IPSETSAVE !logfile, !syslog, !pam_session
```

#### Using systemd capabilities

You may run `systemctl edit telegraf.service` and add the following:

```text
[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
```

## Metrics

- ipset
  - tags:
    - rule
    - set
  - fields:
    - timeout
    - packets
    - bytes

- ipset (for `count_per_ip_entries = true`)
  - tags:
    - set
  - fields:
    - entries
    - ips

## Example Output

```sh
$ sudo ipset save
create myset hash:net family inet hashsize 1024 maxelem 65536 counters comment
add myset 10.69.152.1 packets 8 bytes 672 comment "machine A"
```

```text
ipset,rule=10.69.152.1,host=trashme,set=myset bytes_total=8i,packets_total=672i 1507615028000000000
```
Adding upstream version 1.34.4. Signed-off-by: Daniel Baumann <daniel@debian.org> 2025-05-24 07:26:29 +02:00			`# Ipset Input Plugin`

			`This plugin gathers packets and bytes counters from [Linux IP sets][ipsets]`
			using the `ipset` command line tool.

			`> [!NOTE]`
			`> IP sets created without the "counters" option are ignored.`

			`⭐ Telegraf v1.6.0`
			`🏷️ network, system`
			`💻 linux`

			`[ipsets]: https://ipset.netfilter.org/`

			`## Global configuration options <!-- @/docs/includes/plugin_config.md -->`

			`In addition to the plugin-specific configuration settings, plugins support`
			`additional global and plugin configuration settings. These settings are used to`
			`modify metrics, tags, and field or create aliases and configure ordering, etc.`
			`See the [CONFIGURATION.md][CONFIGURATION.md] for more details.`

			`[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins`

			`## Configuration`

			```toml @sample.conf
			`# Gather packets and bytes counters from Linux ipsets`
			`[[inputs.ipset]]`
			`## By default, we only show sets which have already matched at least 1 packet.`
			`## set include_unmatched_sets = true to gather them all.`
			`# include_unmatched_sets = false`

			`## Adjust your sudo settings appropriately if using this option ("sudo ipset save")`
			`## You can avoid using sudo or root, by setting appropriate privileges for`
			`## the telegraf.service systemd service.`
			`# use_sudo = false`

			`## Add number of entries and number of individual IPs (resolve CIDR syntax) for each ipset`
			`# count_per_ip_entries = false`

			`## The default timeout of 1s for ipset execution can be overridden here:`
			`# timeout = "1s"`
			```

			`### Permissions`

			`There are 3 ways to grant telegraf the right to run ipset:`

			`- Run as root (strongly discouraged)`
			`- Use sudo`
			`- Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW`
			`capabilities`

			`#### Using sudo`

			To use sudo set the `use_sudo` option to `true` and update your sudoers file:

			```bash
			`$ visudo`
			`# Add the following line:`
			`Cmnd_Alias IPSETSAVE = /sbin/ipset save`
			`telegraf ALL=(root) NOPASSWD: IPSETSAVE`
			`Defaults!IPSETSAVE !logfile, !syslog, !pam_session`
			```

			`#### Using systemd capabilities`

			You may run `systemctl edit telegraf.service` and add the following:

			```text
			`[Service]`
			`CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN`
			`AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN`
			```

			`## Metrics`

			`- ipset`
			`- tags:`
			`- rule`
			`- set`
			`- fields:`
			`- timeout`
			`- packets`
			`- bytes`

			- ipset (for `count_per_ip_entries = true`)
			`- tags:`
			`- set`
			`- fields:`
			`- entries`
			`- ips`

			`## Example Output`

			```sh
			`$ sudo ipset save`
			`create myset hash:net family inet hashsize 1024 maxelem 65536 counters comment`
			`add myset 10.69.152.1 packets 8 bytes 672 comment "machine A"`
			```

			```text
			`ipset,rule=10.69.152.1,host=trashme,set=myset bytes_total=8i,packets_total=672i 1507615028000000000`
			```