---
title: Telegraf Controller configuration options
description: Telegraf Controller lets you customize startup behavior using command-line flags, environment variables, or a .env file.
url: https://docs.influxdata.com/telegraf/controller/reference/config-options/
estimated_tokens: 5631
product: Telegraf
version: v1
---

# Telegraf Controller configuration options

#### Telegraf Controller is in Public Beta

Telegraf Controller is in public beta and will be part of the future Telegraf Enterprise offering. While in beta, Telegraf Controller is **not meant for production use**. The Telegraf Controller documentation is a work in progress, and we are actively working to improve it. If you have any questions or suggestions, please [submit an issue](https://github.com/influxdata/docs-v2/issues/new?labels=Telegraf%20Controller). We welcome any and all contributions.

Beta expectations

-   **No configuration or agent limits**  
    While in beta, Telegraf Controller doesn't place any limits on the number of configurations you can store or the number of Telegraf agents you can track. However, upon being generally available, the free distribution of Telegraf Controller will have limits introduced, with the option to increase limits through a Telegraf Enterprise license.
-   **Potential breaking changes**  
    While in beta, we will do our best to no longer make breaking changes to Telegraf Controller, however, they may be necessary. The majority of changes we make will be additive and non-breaking, and include any necessary migrations. When we do need to make breaking changes, we will do our best to communicate them clearly and in advance to minimize disruption.
-   **Flexible release schedule**  
    While in beta, we will continue to create new releases of Telegraf Controller, but likely at irregular intervals. We will provide [Telegraf Controller release notes](/telegraf/controller/reference/release-notes/) to make it easy to track updates.

Provide beta feedback

-   Use the **Feedback** feature in the Telegraf Controller UI.
-   [Join the InfluxDB Community Slack](https://influxdata.com/slack) and post feedback in the **#telegraf-enterprise-alpha** channel.
-   Post feedback in the [InfluxData Community](https://community.influxdata.com).

Join our public channels

-   [InfluxDB Community Slack *(Preferred)*](https://influxdata.com/slack)
-   [InfluxData Community](https://community.influxdata.com)
-   [InfluxDB Subreddit](https://reddit.com/r/influxdb)

Telegraf Controller accepts configuration through environment variables and, in many cases, equivalent command-line flags. You can also load environment variables from a `.env` file in the working directory where you start Telegraf Controller.

-   [Configure Telegraf Controller](#configure-telegraf-controller)
-   [Configuration options](#configuration-options)

## Configure Telegraf Controller

Pass configuration options using command-line flags or environment variables. **Command-line flags take precedence over environment variables.**

### Use a `.env` file

Telegraf Controller loads environment variables from a `.env` file in the working directory where you start the application. Use a `.env` file to keep sensitive values out of shell history and to share configuration across processes.

```bash
# .env
APP_PORT=3000
HEARTBEAT_PORT=9000
DATABASE_URL=postgresql://user:password@localhost:5432/telegraf_controller
TELEGRAF_CONTROLLER_EULA=accept
```

### Example: command flags

```bash
telegraf_controller \
  --port=3000 \
  --heartbeat-port=9000 \
  --database="postgresql://user:password@localhost:5432/telegraf_controller" \
  --eula-accept \
  --no-interactive
```

### Example: environment variables

```bash
export APP_PORT=3000
export HEARTBEAT_PORT=9000
export DATABASE_URL="postgresql://user:password@localhost:5432/telegraf_controller"
export TELEGRAF_CONTROLLER_EULA=accept

telegraf_controller --no-interactive
```

## Configuration options

-   [General](#general)
    -   [port](#port)
    -   [heartbeat-port](#heartbeat-port)
    -   [database](#database)
-   [TLS](#tls)
    -   [ssl-cert-path](#ssl-cert-path)
    -   [ssl-key-path](#ssl-key-path)
-   [Owner account](#owner-account)
    -   [owner-email](#owner-email)
    -   [owner-username](#owner-username)
    -   [owner-password](#owner-password)
    -   [reset-owner-password](#reset-owner-password)
-   [Authentication and security](#authentication-and-security)
    -   [session-secret](#session-secret)
    -   [login-lockout-attempts](#login-lockout-attempts)
    -   [login-lockout-minutes](#login-lockout-minutes)
    -   [password-complexity](#password-complexity)
    -   [disable-auth-endpoints](#disable-auth-endpoints)
-   [Logging](#logging)
    -   [rust-log](#rust-log)
    -   [logs-dir](#logs-dir)
-   [EULA and setup](#eula-and-setup)
    -   [eula-accept](#eula-accept)
    -   [no-interactive](#no-interactive)

### General

-   [port](#port)
-   [heartbeat-port](#heartbeat-port)
-   [database](#database)

#### port

Web interface and API port.

**Default:** `8888`

| Command flag | Environment variable |
| --- | --- |
| --port | APP_PORT |

#### heartbeat-port

Agent heartbeat service port.

**Default:** `8000`

| Command flag | Environment variable |
| --- | --- |
| --heartbeat-port | HEARTBEAT_PORT |

#### database

Database connection URL or filesystem path. Telegraf Controller supports SQLite and PostgreSQL.

**Default:** `file:./sqlite.db`

```bash
# PostgreSQL
telegraf_controller --database="postgresql://user:password@localhost:5432/telegraf_controller"

# Custom SQLite path
telegraf_controller --database="/path/to/database.db"
```

| Command flag | Environment variable |
| --- | --- |
| --database | DATABASE_URL |

### TLS

-   [ssl-cert-path](#ssl-cert-path)
-   [ssl-key-path](#ssl-key-path)

#### ssl-cert-path

Path to the SSL/TLS certificate file. Required to enable HTTPS for the web interface and API.

| Command flag | Environment variable |
| --- | --- |
| (none) | SSL_CERT_PATH |

#### ssl-key-path

Path to the SSL/TLS private key file. Required to enable HTTPS for the web interface and API.

| Command flag | Environment variable |
| --- | --- |
| (none) | SSL_KEY_PATH |

### Owner account

Use the following options to bootstrap the owner account with non-default values on first startup of Telegraf Controller. The owner account has full administrative access to Telegraf Controller.

-   [owner-email](#owner-email)
-   [owner-username](#owner-username)
-   [owner-password](#owner-password)
-   [reset-owner-password](#reset-owner-password)

#### Bootstrap-only settings

On first startup, Telegraf Controller persists `OWNER_EMAIL`, `OWNER_USERNAME`, and `OWNER_PASSWORD` in the database; the database is the authoritative source thereafter. Changes to these environment variables or CLI flags do not affect the stored values. To change owner account details after bootstrap, use the Telegraf Controller UI or API.

#### owner-email

Email address for the bootstrap owner account.

| Command flag | Environment variable |
| --- | --- |
| --owner-email | OWNER_EMAIL |

#### owner-username

Username for the bootstrap owner account.

| Command flag | Environment variable |
| --- | --- |
| --owner-username | OWNER_USERNAME |

#### owner-password

Password for the bootstrap owner account. Also used as the new password when [`RESET_OWNER_PASSWORD`](#reset-owner-password) forces a password reset.

| Command flag | Environment variable |
| --- | --- |
| --owner-password | OWNER_PASSWORD |

#### reset-owner-password

When set to `true`, forces an owner password reset on the next startup using [`OWNER_PASSWORD`](#owner-password) as the new password.

Use `RESET_OWNER_PASSWORD` only to recover from a forgotten or compromised owner password. Unset the variable after the password has been reset to avoid resetting the password on subsequent restarts.

| Command flag | Environment variable |
| --- | --- |
| (none) | RESET_OWNER_PASSWORD |

### Authentication and security

-   [session-secret](#session-secret)
-   [login-lockout-attempts](#login-lockout-attempts)
-   [login-lockout-minutes](#login-lockout-minutes)
-   [password-complexity](#password-complexity)
-   [disable-auth-endpoints](#disable-auth-endpoints)

#### session-secret

Secret used to encrypt session cookies. Telegraf Controller generates a value automatically if you do not set one. Set an explicit value to keep existing sessions valid across restarts.

**Default:** Generated at startup

| Command flag | Environment variable |
| --- | --- |
| --session-secret | SESSION_SECRET |

#### Bootstrap-only login security settings

On first startup, Telegraf Controller persists `LOGIN_LOCKOUT_ATTEMPTS`, `LOGIN_LOCKOUT_MINUTES`, and `PASSWORD_COMPLEXITY` in the database; the database is the authoritative source thereafter. Changes to these environment variables do not affect the stored values. To change these settings after bootstrap, use the Telegraf Controller UI.

#### login-lockout-attempts

Number of failed login attempts allowed before an account is locked out. Minimum: `1`.

**Default:** `5`

| Command flag | Environment variable |
| --- | --- |
| (none) | LOGIN_LOCKOUT_ATTEMPTS |

#### login-lockout-minutes

Number of minutes a locked-out account remains locked. Minimum: `1`.

**Default:** `15`

| Command flag | Environment variable |
| --- | --- |
| (none) | LOGIN_LOCKOUT_MINUTES |

#### password-complexity

Password complexity level applied to all password operations, including initial setup, password changes, password resets, and invite completion.

| Level | Min length | Uppercase | Lowercase | Digits | Special characters |
| --- | --- | --- | --- | --- | --- |
| low | 8 | No | No | No | No |
| medium | 10 | Yes | Yes | Yes | No |
| high | 12 | Yes | Yes | Yes | Yes |

**Default:** `low`

| Command flag | Environment variable |
| --- | --- |
| (none) | PASSWORD_COMPLEXITY |

#### disable-auth-endpoints

Comma-separated list of API endpoint groups to skip authentication for. Use `"*"` to disable authentication for all endpoint groups.

Valid endpoint groups:

-   `agents`
-   `configs`
-   `labels`
-   `reporting-rules`
-   `heartbeat`

Telegraf Controller reads this value once at startup; the value is immutable at runtime. Anyone with network access to the listed endpoint groups can use them without an API token.

```bash
# Disable authentication on agents and heartbeat only
telegraf_controller --disable-auth-endpoints=agents,heartbeat

# Disable authentication on all endpoint groups
telegraf_controller --disable-auth-endpoints="*"
```

| Command flag | Environment variable |
| --- | --- |
| --disable-auth-endpoints | DISABLED_AUTH_ENDPOINTS |

### Logging

-   [rust-log](#rust-log)
-   [logs-dir](#logs-dir)

#### rust-log

Tracing level for the Rust heartbeat server. Supports `trace`, `debug`, `info`, `warn`, and `error`.

**Default:** `info`

| Command flag | Environment variable |
| --- | --- |
| (none) | RUST_LOG |

#### logs-dir

Absolute path for heartbeat agent logs.

**Default:** System temp directory

| Command flag | Environment variable |
| --- | --- |
| --logs-dir | LOGS_DIR |

### EULA and setup

-   [eula-accept](#eula-accept)
-   [no-interactive](#no-interactive)

#### eula-accept

Accept the [InfluxData End User License Agreement](/telegraf/controller/reference/eula/) non-interactively. The `TELEGRAF_CONTROLLER_EULA` environment variable accepts the value `accept` to indicate acceptance.

| Command flag | Environment variable |
| --- | --- |
| --eula-accept | TELEGRAF_CONTROLLER_EULA |

#### no-interactive

Skip interactive prompts at startup. When `--no-interactive` is set, you must provide owner account values and EULA acceptance through other options.

| Command flag | Environment variable |
| --- | --- |
| --no-interactive | (none) |

#### Related

-   [Install Telegraf Controller](/telegraf/controller/install/)
-   [Manage settings](/telegraf/controller/settings/)
-   [Authorization](/telegraf/controller/reference/authorization/)