Describe the bug
Log entries coming from FreeBSD syslogd appear mangled with hostname containing what should be the app_name. For example:
{
"_msg": "disconnect from 192.168.178.11 port 23755:11: disconnected by user",
"_stream": "{app_name=\"Received\",hostname=\"sshd-session[14308]:\"}",
"_stream_id": "0000000000000000dd022e09e0811571f98ea457f2e8597c",
"_time": "2025-08-08T23:32:15Z",
"app_name": "Received",
"facility": "4",
"facility_keyword": "auth",
"format": "rfc3164",
"hostname": "sshd-session[14308]:",
"level": "info",
"priority": "38",
"severity": "6"
}
To Reproduce
On a FreeBSD system, putting: *.* @loghost on /etc/syslog.conf where loghost resolves to the system running victoria-logs in /etc/hosts. syslogd_flags on the FreeBSD system was just -s. To reproduce on a single system, that doesn't stop syslogd from binding on UDP port 514. So either be sure to run victoria-logs first or use -b 127.0.0.1 to restrict it to localhost. sockstat can be run to verify.
Version
victoria-logs-19791130-000000-tags-v1.24.0-victorialogs
Logs
Nothing of consequence in victoria_logs.log
Screenshots
No response
Used command-line flags
--storageDataPath=/var/db/victoria-logs --retentionPeriod=1 --httpListenAddr=:9428 -syslog.listenAddr.udp=192.168.178.20:514 -syslog.timezone=Europe/Berlin
Additional information
Forcing FreeBSD's syslog to use RFC5424 format is a workaround that does the job (by adding -O rfc5424 to syslogd_flags in /etc/rc.conf) and that's what I've done for now. But it'd be good if things work out-of-the-box for other FreeBSD users and I would prefer the more compact format when I do go looking in /var/log/messages.
I did isolate your Go code that parses log lines and try feeding it the corresponding log lines from /var/log/messages and it parsed them without problem. So I assume there is some detail in what FreeBSD's syslog is sending in the UDP datagram that differs from the actual log entry.
I did also test from an OpenBSD system and that had no issues.
Describe the bug
Log entries coming from FreeBSD syslogd appear mangled with
hostnamecontaining what should be theapp_name. For example:To Reproduce
On a FreeBSD system, putting:
*.* @loghoston/etc/syslog.confwhere loghost resolves to the system running victoria-logs in/etc/hosts.syslogd_flagson the FreeBSD system was just-s. To reproduce on a single system, that doesn't stop syslogd from binding on UDP port 514. So either be sure to run victoria-logs first or use-b 127.0.0.1to restrict it to localhost.sockstatcan be run to verify.Version
victoria-logs-19791130-000000-tags-v1.24.0-victorialogs
Logs
Nothing of consequence in
victoria_logs.logScreenshots
No response
Used command-line flags
--storageDataPath=/var/db/victoria-logs --retentionPeriod=1 --httpListenAddr=:9428 -syslog.listenAddr.udp=192.168.178.20:514 -syslog.timezone=Europe/Berlin
Additional information
Forcing FreeBSD's syslog to use RFC5424 format is a workaround that does the job (by adding
-O rfc5424tosyslogd_flagsin/etc/rc.conf) and that's what I've done for now. But it'd be good if things work out-of-the-box for other FreeBSD users and I would prefer the more compact format when I do go looking in/var/log/messages.I did isolate your Go code that parses log lines and try feeding it the corresponding log lines from
/var/log/messagesand it parsed them without problem. So I assume there is some detail in what FreeBSD's syslog is sending in the UDP datagram that differs from the actual log entry.I did also test from an OpenBSD system and that had no issues.