
In my current setup I am using Telegraf to ingest nginx logs from syslog and spit them out into influxdb. This works great.

Telegraf has support for grok log parsing. As far as I can tell it can be invoked for [[inputs.file]] and for [[processors.parser]].

How can I configure Telegraf to parse the message part of each incoming log statement from [[inputs.syslog]] with grok?

I tried the following configuration, but it does not work. I get no errors or messages from Telegraf at all and there is no change in the output:

# [...] Boilerplate omitted for brevity

# Accept input from syslog
[[inputs.syslog]]
  server = "tcp://:2010"

# Send metrics to InfluxDB
[[outputs.influxdb]]
  urls = ["http://our_influx.com"]
  username = "admin"
  password = "admin"

# Process logs with grok
[[processors.parser]]
  parse_fields = ["message"]
  drop_original = true
  merge = "override"
  data_format = "grok"
  grok_patterns = ["%{COMBINED_LOG_FORMAT}"]
Lennart Rolland
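An offline check, added here as an example and not part of the original post, for whether the text arriving in the syslog `message` field has the combined access-log layout that the grok pattern in the question expects. The regular expression is a hand-written approximation of that layout, and the group names, the `parse_message` helper and both sample records are assumptions constructed for this example, not Telegraf code or output.

```python
import re

# Hand-written approximation of the nginx/Apache "combined" access-log layout.
# Group names are this example's own choice, not Telegraf's field names.
COMBINED = re.compile(
    r'^(?P<client_ip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)'
    r'(?: HTTP/(?P<http_version>[\d.]+))?|[^"]*)" '
    r'(?P<resp_code>\d{3}) (?P<resp_bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_message(fields, key="message"):
    """Parse fields[key] and merge the parsed values over the original fields.

    Returns (fields, matched). When the text does not match, the input comes
    back unchanged and matched is False, so a silent mismatch becomes visible.
    """
    m = COMBINED.match(fields.get(key, ""))
    if m is None:
        return dict(fields), False
    parsed = {k: v for k, v in m.groupdict().items() if v is not None}
    parsed["resp_code"] = int(parsed["resp_code"])
    if parsed["resp_bytes"] == "-":
        del parsed["resp_bytes"]          # no body size was logged
    else:
        parsed["resp_bytes"] = int(parsed["resp_bytes"])
    return {**fields, **parsed}, True     # parsed values win on key collisions


# Constructed sample records shaped like a syslog metric's fields.
SAMPLE_OK = {
    "severity_code": 6,
    "message": '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
               '"GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0.1"',
}
# Same request logged in the shorter "common" layout (no referrer or agent).
SAMPLE_BAD = {
    "severity_code": 6,
    "message": '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
               '"GET /index.html HTTP/1.1" 200 612',
}

if __name__ == "__main__":
    for record in (SAMPLE_OK, SAMPLE_BAD):
        print(parse_message(record))
```

Feeding it a real `message` value captured from the syslog input shows whether a pattern mismatch is what leaves the output unchanged.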

0 Answers