Keep-timestamp only affects the time and not the formatting.

Syslog-ng can format your timestamp in a number of ways. Your example seems to indicate that you are using the syslog() destination, which uses rfc5424 formatting, whereas you might want the tcp() driver, which uses the legacy rfc3164.

The latter uses the format you want, although that does not include year information.

On Dec 7, 2016 22:49, "David Campeau" <David.Campeau@tn.gov> wrote:

Hello,

Using a syslog-ng server to filter syslogs before forwarding.  I’m being asked to not change the timestamp in the syslog message. I’ve tried the “keep-timestamp(yes);” option in the syslog-ng.conf, but there’s no change in the timestamp.  There must be an option I’m missing?

Example of the change:

Dec 07 15:08:57   <<<< Not filtered by syslog-ng

1 2016-12-07T15:07:32-06:00   <<< Filtering currently with syslog-ng

Thank you for looking

Best Regards,

David
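
The reply above notes that the legacy RFC 3164 timestamp carries no year. As an added example (not part of the thread), this Python parser shows what a downstream collector has to do with each of the two header formats quoted here, including inferring the missing year across a New Year rollover. The function name `parse_header`, the assumed time zone, the one-day tolerance and the sample host and program names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Header shapes: RFC 5424 is "<PRI>1 ISO-timestamp", RFC 3164 is "<PRI>Mmm dd hh:mm:ss".
RFC5424 = re.compile(r"^(?:<\d{1,3}>)?1 (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?(?:Z|[+-]\d\d:\d\d))")
RFC3164 = re.compile(r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d)")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_header(line, received, assumed_tz):
    """Return (format_name, timezone-aware datetime) for one syslog line.

    received   -- aware datetime at which the collector got the line
    assumed_tz -- zone to assume for RFC 3164, which carries no offset
    """
    m = RFC5424.match(line)
    if m:
        fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if m.group(2) else "%Y-%m-%dT%H:%M:%S%z"
        return "rfc5424", datetime.strptime(m.group(1), fmt)
    m = RFC3164.match(line)
    if not m or m.group(1) not in MONTHS:
        raise ValueError("no recognisable syslog timestamp")
    month, day = MONTHS[m.group(1)], int(m.group(2))
    hh, mm, ss = (int(m.group(i)) for i in (3, 4, 5))
    this_year = received.astimezone(assumed_tz).year
    # No year on the wire: take the newest year that does not put the event
    # more than a day after receipt (handles Dec 31 lines arriving on Jan 1).
    for year in (this_year, this_year - 1):
        try:
            ts = datetime(year, month, day, hh, mm, ss, tzinfo=assumed_tz)
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if ts <= received + timedelta(days=1):
            return "rfc3164", ts
    raise ValueError("cannot place RFC 3164 timestamp near receipt time")


# Constructed sample lines built around the two timestamps quoted in the thread.
CST = timezone(timedelta(hours=-6))  # assumed zone, matching the -06:00 offset
LEGACY = "<13>Dec 07 15:08:57 host1 app: test"
IETF = "<13>1 2016-12-07T15:07:32-06:00 host1 app - - - test"

if __name__ == "__main__":
    now = datetime(2016, 12, 7, 15, 9, 0, tzinfo=CST)
    for line in (LEGACY, IETF):
        print(parse_header(line, now, CST))
```
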

 

