diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 3da2b9c4fcc7..2db3ce63100b 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -20,6 +20,7 @@ https://github.com/elastic/beats/compare/v7.5.0...v7.5.1[View commits]
 - Change iis url path grok pattern from URIPATH to NOTSPACE. {issue}12710[12710] {pull}13225[13225] {issue}7951[7951] {pull}13378[13378] {pull}14754[14754]
 - Fix azure filesets test files. {issue}14185[14185] {pull}14235[14235]
 - Update Logstash module's Grok patterns to support Logstash 7.4 logs. {pull}14743[14743]
+- Allow for leading 0 in syslog day format as per {issue}16824[16824]

 *Metricbeat*

diff --git a/filebeat/input/syslog/syslog_rfc3164.rl b/filebeat/input/syslog/syslog_rfc3164.rl
index e16b9da35da4..bd1a5ba11a7c 100644
--- a/filebeat/input/syslog/syslog_rfc3164.rl
+++ b/filebeat/input/syslog/syslog_rfc3164.rl
@@ -19,7 +19,9 @@
 # Match: " 5" and "10" as the day
 multiple_digits_day = (([12][0-9]) | ("3"[01]))>tok %day;
 single_digit_day = [1-9]>tok %day;
- day = (space? single_digit_day | multiple_digits_day);
+ # Support 'Aug 07' format for misinterpretations of rfc
+ supported_multiple_digits_day = [0][0-9]>tok %day;
+ day = (space? single_digit_day | multiple_digits_day | supported_multiple_digits_day);

 # Match: hh:mm:ss (24 hr format)
 hour = ([01][0-9]|"2"[0-3])>tok %hour;
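Review bot: The new rule `supported_multiple_digits_day = [0][0-9]>tok %day;` also matches `00`, which is not a calendar day; `"0"[1-9]>tok %day;` would admit `01`–`09` only. The `%day` action and the timestamp construction are outside this hunk, so it should be confirmed whether a zero day is rejected there or silently normalised to a different date. This parser reads syslog from the network, so a shifted timestamp would weaken later timeline reconstruction. A name such as `leading_zero_day` would say what the rule matches. The hunk shows no test, so parser cases for `Aug 07` (accepted) and `Aug 00` (rejected) would pin the behaviour, and the Go parser generated from this grammar presumably needs regenerating in the same commit.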