Security console log ingestion vs. permissions on the logfiles

I am stuck on a rather basic problem. A side-effect of having to run InsightVM as root (bad practice), is that the logiles /opt/rapid7/nexpose/nsc/logs/ are written with -rw------- root:root

We want to ingest the logs to our SIEM, but we cannot have this done by a root user.

We tried a manual chown/chmod on the directory, but it is overwritten after each console reboot.

Any ideas?