The service field in conn.log (and in those summary reports) is the result of Bro's dynamic protocol detection (DPD). One of Bro's protocol analyzers has confirmed that the traffic seen is that protocol.
If you look in conn.log, you should be able to see if the 514 traffic is TCP or UDP. Bro doesn't have a TCP syslog analyzer right now. If it's UDP, something is sending malformed syslog.