diff --git a/README.md b/README.md
index 491fb36..ef9cfa5 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,8 @@ with built-in log rotation.
 
 `socklog-overlay` works by reading in a series of `s6-log` logging scripts from
 `/etc/socklog.rules`. You can create your own rules by placing a file in
-`/etc/socklog.rules`.
+`/etc/socklog.rules`. Each directive (selection directive, control directive,
+or action directive) for the logging script should be on its own line.
 
 For example, if you wanted to save all errors for messages tagged with the
 "local0" facility, you could create the file `/etc/socklog.rules/local0-error`
@@ -79,7 +80,15 @@ Create a script in `/etc/cont-init.d` to make your needed logging folder,
 if it's a subfolder of `/var/log/socklog`, you should be covered. If not,
 you'll likely need to chown it as well, to the `nobody` user.
 
-Ideas I'd like to flesh out:
+### Environment variables
+
+* `SOCKLOG_TIMESTAMP_FORMAT` - controls how (or if) a timestamp should be placed
+before every line, defaults to `T`
+  * (empty) - do not insert timestamps into logs
+  * `T` - prepend every line with an ISO 8601 timestamp
+  * `t` - prepend every line with a TAI64N timestamp
+
+## Ideas I'd like to flesh out:
 
 * Setting an environment variable to specify number of files, size, etc
   * Right now this is just using the `s6-log` defaults - 10 files, ~100k per file
diff --git a/overlay-rootfs/etc/cont-init.d/~-socklog b/overlay-rootfs/etc/cont-init.d/~-socklog
index f40ad8f..8b503c7 100755
--- a/overlay-rootfs/etc/cont-init.d/~-socklog
+++ b/overlay-rootfs/etc/cont-init.d/~-socklog
@@ -1,5 +1,27 @@
 #!/usr/bin/execlineb
 
+backtick -D "T" -n SOCKLOG_TIMESTAMP_FORMAT { printcontenv SOCKLOG_TIMESTAMP_FORMAT }
+importas -u SOCKLOG_TIMESTAMP_FORMAT SOCKLOG_TIMESTAMP_FORMAT
+
+# make sure SOCKLOG_TIMESTAMP_FORMAT is acceptable
+if
+{
+  ifelse { s6-test -n "${SOCKLOG_TIMESTAMP_FORMAT}" }
+  {
+      ifelse { s6-test "${SOCKLOG_TIMESTAMP_FORMAT}" != "T" }
+      {
+        ifelse { s6-test "${SOCKLOG_TIMESTAMP_FORMAT}" != "t" }
+        {
+            redirfd -wb 1 /var/run/s6/container_environment/SOCKLOG_TIMESTAMP_FORMAT
+            s6-echo -n -- T
+        }
+        exit 0
+      }
+      exit 0
+  }
+  exit 0
+}
+
 if { s6-mkdir -p -m 0750 /var/log/socklog/cron }
 if { s6-mkdir -p -m 0750 /var/log/socklog/daemon }
 if { s6-mkdir -p -m 0750 /var/log/socklog/debug }
diff --git a/overlay-rootfs/etc/services.d/socklog/log/run b/overlay-rootfs/etc/services.d/socklog/log/run
index 5271d78..c9d4eaa 100755
--- a/overlay-rootfs/etc/services.d/socklog/log/run
+++ b/overlay-rootfs/etc/services.d/socklog/log/run
@@ -1,5 +1,7 @@
 #!/usr/bin/execlineb -P
 
+backtick -D "T" -n SOCKLOG_TIMESTAMP_FORMAT { printcontenv SOCKLOG_TIMESTAMP_FORMAT }
+
 backtick -i -n LOGGING_SCRIPT
 {
   pipeline { pipeline { s6-ls -0 -- /etc/socklog.rules } s6-sort -0 }
@@ -11,7 +13,9 @@ backtick -i -n LOGGING_SCRIPT
   } s6-echo
 }
 
-importas -C -u -s LOGGING_SCRIPT LOGGING_SCRIPT
+importas -C -u -s -d"\r\n" LOGGING_SCRIPT LOGGING_SCRIPT
+importas -C -u -s -d"\r\n" SOCKLOG_TIMESTAMP_FORMAT SOCKLOG_TIMESTAMP_FORMAT
 
 s6-setuidgid nobody
 s6-log -bp $LOGGING_SCRIPT
+
diff --git a/overlay-rootfs/etc/socklog.rules/~-cron b/overlay-rootfs/etc/socklog.rules/~-cron
index cce07de..f4f0ce7 100644
--- a/overlay-rootfs/etc/socklog.rules/~-cron
+++ b/overlay-rootfs/etc/socklog.rules/~-cron
@@ -1,4 +1,4 @@
 -
 +^cron\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/cron
diff --git a/overlay-rootfs/etc/socklog.rules/~-daemon b/overlay-rootfs/etc/socklog.rules/~-daemon
index 9a6660f..a1fa805 100644
--- a/overlay-rootfs/etc/socklog.rules/~-daemon
+++ b/overlay-rootfs/etc/socklog.rules/~-daemon
@@ -1,4 +1,4 @@
 -
 +^daemon\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/daemon
diff --git a/overlay-rootfs/etc/socklog.rules/~-debug b/overlay-rootfs/etc/socklog.rules/~-debug
index 9ee6170..17e3cb8 100644
--- a/overlay-rootfs/etc/socklog.rules/~-debug
+++ b/overlay-rootfs/etc/socklog.rules/~-debug
@@ -1,3 +1,4 @@
 -
 +^\.debug:
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/debug
diff --git a/overlay-rootfs/etc/socklog.rules/~-errors b/overlay-rootfs/etc/socklog.rules/~-errors
index 02e458e..fc12747 100644
--- a/overlay-rootfs/etc/socklog.rules/~-errors
+++ b/overlay-rootfs/etc/socklog.rules/~-errors
@@ -4,5 +4,5 @@
 +\.emerg:
 +\.alert:
 +\.crit:
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/errors
diff --git a/overlay-rootfs/etc/socklog.rules/~-everything b/overlay-rootfs/etc/socklog.rules/~-everything
index 74e2721..bbab1e1 100644
--- a/overlay-rootfs/etc/socklog.rules/~-everything
+++ b/overlay-rootfs/etc/socklog.rules/~-everything
@@ -1,5 +1,5 @@
 +
 -auth\.
 -authpriv\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/everything
diff --git a/overlay-rootfs/etc/socklog.rules/~-kernel b/overlay-rootfs/etc/socklog.rules/~-kernel
index d8ecc89..64d4e2e 100644
--- a/overlay-rootfs/etc/socklog.rules/~-kernel
+++ b/overlay-rootfs/etc/socklog.rules/~-kernel
@@ -1,4 +1,4 @@
 -
 +^kern\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/kernel
diff --git a/overlay-rootfs/etc/socklog.rules/~-mail b/overlay-rootfs/etc/socklog.rules/~-mail
index be5efdc..8cd4540 100644
--- a/overlay-rootfs/etc/socklog.rules/~-mail
+++ b/overlay-rootfs/etc/socklog.rules/~-mail
@@ -1,4 +1,4 @@
 -
 +^mail\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/mail
diff --git a/overlay-rootfs/etc/socklog.rules/~-messages b/overlay-rootfs/etc/socklog.rules/~-messages
index d604205..65dfe67 100644
--- a/overlay-rootfs/etc/socklog.rules/~-messages
+++ b/overlay-rootfs/etc/socklog.rules/~-messages
@@ -7,5 +7,5 @@
 -^mail\.
 -^news\.
 -^cron\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/messages
diff --git a/overlay-rootfs/etc/socklog.rules/~-secure b/overlay-rootfs/etc/socklog.rules/~-secure
index 8832faf..d73da4b 100644
--- a/overlay-rootfs/etc/socklog.rules/~-secure
+++ b/overlay-rootfs/etc/socklog.rules/~-secure
@@ -1,5 +1,5 @@
 -
 +^auth\.
 +^authpriv\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/secure
diff --git a/overlay-rootfs/etc/socklog.rules/~-user b/overlay-rootfs/etc/socklog.rules/~-user
index b54f8af..0234907 100644
--- a/overlay-rootfs/etc/socklog.rules/~-user
+++ b/overlay-rootfs/etc/socklog.rules/~-user
@@ -1,4 +1,4 @@
 -
 +^user\.
-T
+${SOCKLOG_TIMESTAMP_FORMAT}
 /var/log/socklog/user