
In my current setup I am using Telegraf to ingest nginx logs from syslog and spit them out into influxdb. This works great.

Telegraf has support for grok log parsing. As far as I can tell it can be invoked for [[inputs.file]] and for [[processors.parser]].

How can I configure telegraf to parse the message part of each incoming log statement from [[inputs.syslog]] with grok?

I tried the following configuration, but it does not work. I get no errors or messages from telegraf at all and there is no change in the output:

# [...] Boilerplate omitted for brevity

# Accept input from syslog
[[inputs.syslog]]
   server = "tcp://:2010"

# Send metrics to InfluxDB
[[outputs.influxdb]]
  urls = ["http://our_influx.com"]
  username = "admin"
  password = "admin"

# Process logs with grok
[[processors.parser]]
  parse_fields = ["message"]
  drop_original = true
  merge = "override"
  data_format = "grok"
  grok_patterns = ["%{COMBINED_LOG_FORMAT}"]

  • In my case, it was a permissions issue. I was running telegraf as a systemd service, and it didn't have access to /var/log. I fixed it by making sure the User and Group fields were set in the service file and setting the appropriate permissions – Kurtoid Apr 20 '23 at 18:18
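As an added check (not part of the question and not Telegraf's own code), the script below approximates Telegraf's built-in COMBINED_LOG_FORMAT grok pattern with a Python regex and runs it over constructed sample values of the syslog message field, so you can see locally which lines the pattern would match before expecting metrics from the parser processor. The regex, the field names and the sample lines are assumptions, not Telegraf's actual pattern definition.

```python
import re
from typing import Optional

# Constructed approximation of Telegraf's built-in COMBINED_LOG_FORMAT grok
# pattern, rewritten as a Python regex with one named group per grok field
# (assumption: the real pattern differs in details such as typed captures).
COMBINED_LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<http_version>[\d.]+))?" '
    r'(?P<resp_code>\d{3}) (?P<resp_bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(message: str) -> Optional[dict]:
    """Return grok-style fields for one nginx combined log line, or None when
    the line does not match (the case in which the parser emits no metric)."""
    m = COMBINED_LOG_RE.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    # Mirror the integer conversion a typed grok pattern would perform.
    fields["resp_code"] = int(fields["resp_code"])
    fields["resp_bytes"] = 0 if fields["resp_bytes"] == "-" else int(fields["resp_bytes"])
    return fields


# Constructed sample values of the syslog "message" field: a clean nginx
# combined line, the same line with a leftover syslog tag in front of it, and a
# line from a custom log_format that appends a request-time column.
SAMPLE_MESSAGES = [
    '203.0.113.7 - - [20/Apr/2023:18:18:01 +0000] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0"',
    'nginx: 203.0.113.7 - - [20/Apr/2023:18:18:01 +0000] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Apr/2023:18:18:01 +0000] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0" 0.004',
]


def check_messages(messages):
    """Report, per message, whether the COMBINED_LOG_FORMAT approximation matches."""
    return [(msg, parse_combined(msg) is not None) for msg in messages]


if __name__ == "__main__":
    for msg, ok in check_messages(SAMPLE_MESSAGES):
        print("match  " if ok else "NOMATCH", msg)
```

Only the first sample line yields fields; a message with extra leading or trailing text matches nothing, which is one reason a parser processor can stay silent while producing no change in the output.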

0 Answers