Your firewall probably does not use rfc3164 properly and albeit syslog-ng does have a few heuristics to deal with differences, your fw may just get parsed incorrectly.

You might want to disable parsing using flags(no-parse) and then deal with it accordingly.

No-parse will put the entire message with headers to $MSG, which then can be broken down by various syslog-ng parsers, like the date-parser or regexp based ones.

On Jun 18, 2017 02:40, "Andrew" <toranagtrx@gmail.com> wrote:

I looked into it further and the firewall is sending the year in the message, I thought that it wasn't but it was getting chopped off in the json output.

I rectified it by using ${MSGHDR}${MSG} in my template which now gives me the full timestamp in the message which is mainly what I needed.

I will look into the date-parser thanks for the info.

On Sun, Jun 18, 2017 at 7:14 AM, Fabien Wernli <wernli@in2p3.fr> wrote:

Hi Andrew,
If you have a recent enough syslog-ng version, you can use the date-parser
to parse your date. Otherwise, I guess you could use the current year $YEAR
and add it to the message using a rewrite rule.
Cheers
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
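
The approach suggested in the thread (flags(no-parse) on the source, then a regexp match and the date-parser), written out as an added example; it is not from the original posts or from the syslog-ng project. The timestamp layout `Mmm dd yyyy hh:mm:ss`, the port, the file path and all object names are assumptions, and the sample line in the comment is constructed.

```conf
@version: 3.9

# Constructed sample of the assumed wire format (year inside the timestamp):
#   <134>Jun 18 2017 02:40:11 fw01 action=allow src=192.0.2.10

source s_fw {
    # no-parse skips RFC3164 header parsing: the raw line, <PRI> and
    # timestamp included, is stored unmodified in ${MESSAGE}.
    network(transport("udp") port(514) flags(no-parse));
};

filter f_fw_date {
    # store-matches exports the named group as the name-value pair ${fw_date}.
    # Lines that do not match are dropped from this log path, so route them
    # to a separate path if they must be kept.
    match('^<\d+>(?<fw_date>[A-Z][a-z]{2} +\d+ \d{4} \d{2}:\d{2}:\d{2})'
          value("MESSAGE") type("pcre") flags("store-matches"));
};

parser p_fw_date {
    # Sets the message's sender timestamp (S_DATE, S_ISODATE, ...) from
    # ${fw_date} instead of relying on the RFC3164 header heuristics.
    date-parser(format("%b %d %Y %H:%M:%S") template("${fw_date}"));
};

destination d_fw {
    # The full original line is kept, prefixed with the parsed timestamp.
    file("/var/log/fw.log" template("${S_ISODATE} ${MESSAGE}\n"));
};

log {
    source(s_fw);
    filter(f_fw_date);
    parser(p_fw_date);
    destination(d_fw);
};
```

Without a time-zone() option, the date-parser interprets a timestamp that carries no zone in the local timezone of the syslog-ng host, which matters when correlating firewall events with logs from other sources.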