Telegraf access to sensitive logs like /var/log/messages

Hi, I run the Telegraf process as a non-sudoers user named telegraf. My question is: what is the best way to give it access to read /var/log/messages or other sensitive log files without giving direct read permission to the entire file(s)? I don’t want to grant read permission on /var/log/messages directly to the telegraf user, since it’s a security risk. I was thinking about filtering out the messages that I want from these files, writing them to another file, and then granting read access to that file to the telegraf user. I am not sure how to filter the logs at this point, maybe with rsyslog or similar. I want to see how other people solve this problem and what the best practices around it are. Thank you.
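
The approach the post describes (rsyslog writes a filtered copy that only the telegraf user can read), sketched as an added example that is not part of the original post. The drop-in file name, the output path, the `telegraf` group and the program names and severity used in the filter are assumptions to adapt.

```conf
# /etc/rsyslog.d/30-telegraf-filtered.conf   (hypothetical drop-in name)
#
# Goal: /var/log/messages keeps its restrictive permissions; rsyslog, which
# already sees every message, writes only the selected ones to a second file
# that the unprivileged telegraf user can read through its group.
#
# Assumptions (not from the original post):
#   - a "telegraf" group exists and the telegraf user is a member of it
#   - only kernel and systemd messages of severity warning (4) or worse
#     are of interest; replace the condition with your own selection

if ($programname == "kernel" or $programname == "systemd")
   and $syslogseverity <= 4 then {
    action(
        type="omfile"
        file="/var/log/telegraf/filtered.log"   # assumed output path
        # Owned by root so telegraf cannot alter or truncate the file;
        # group read is the only access it gets.
        fileOwner="root"
        fileGroup="telegraf"
        fileCreateMode="0640"
        # The directory is created on first write with matching ownership.
        createDirs="on"
        dirOwner="root"
        dirGroup="telegraf"
        dirCreateMode="0750"
    )
    # No "stop" here: the message continues through the remaining rules,
    # so /var/log/messages still receives the complete stream.
}
```

Validate the syntax with `rsyslogd -N1` before restarting rsyslog, and give the new file its own logrotate entry that recreates it with the same owner, group and mode.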