Syslog Messages Not Reaching External Server

Presenting Symptom

Syslog messages generated by the router are not appearing on the external syslog server, although the server is reachable via ping.

Network Context

A small branch office with a Cisco 4321 router (IOS XE 16.9) connected to an external syslog server at 192.168.1.100 via a WAN link. The router is configured to send syslog messages to the server, but the server receives no logs. The network has a single LAN segment and a default route pointing to the ISP.

Diagnostic Steps

1. Verify syslog configuration on the router

show running-config | include logging
logging host 192.168.1.100
logging trap debugging
logging source-interface GigabitEthernet0/0/0

Check if logging host is configured correctly. Ensure the IP address is correct and that logging trap level is set appropriately (e.g., debugging for all messages). Also verify logging source-interface is set to an interface that can reach the server.

2. Check connectivity to the syslog server

ping 192.168.1.100 source GigabitEthernet0/0/0
!!!!!
Success rate is 100 percent (5/5)

If ping fails, there is a network connectivity issue. If ping succeeds, the problem is likely with syslog configuration or the server itself.

3. Verify that syslog messages are being generated and buffered locally

show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, small buffer)
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 100 messages logged
    Logging to: 192.168.1.100 (udp port 514, audit disabled, link up)
             0 messages logged, 0 message rate-limited

Check whether messages are being logged to the buffer. If the buffer shows messages but the entry for the server shows '0 messages logged', the router is not sending them. Also check that the link status is 'up'.

4. Check for ACLs blocking UDP port 514

show access-lists
Extended IP access list 100
    10 permit udp any any eq syslog (0 matches)
    20 deny ip any any (0 matches)

If an ACL is applied to the outbound interface, ensure it permits UDP port 514 (syslog). Look at the match counters on the permit lines; if they show no matches, the traffic might be denied by an implicit deny.

5. Verify the syslog server is listening on UDP 514

telnet 192.168.1.100 514
Trying 192.168.1.100, 514 ...
% Connection refused by remote host

If the connection is refused, the server may not be running a syslog daemon or may have a firewall blocking the port. A successful telnet would indicate the port is open, but telnet uses TCP while syslog uses UDP, so this test only checks whether the server is reachable on that port number and is not a definitive test for UDP. Alternatively, use a UDP test tool.
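A UDP test of the kind step 5 suggests, as an added example that is not part of the original scenario: run from a host that can reach the server, it sends one test datagram to UDP 514 and reports 'closed' only when an ICMP port unreachable comes back. The function names, the message text and the local7.info priority are assumptions chosen for illustration.

```python
import socket

def build_test_message(facility=23, severity=6, tag="udp-probe"):
    """RFC 3164-style datagram; PRI = facility * 8 + severity (local7.info -> 190)."""
    pri = facility * 8 + severity
    return f"<{pri}>{tag}: syslog UDP reachability test".encode("ascii")

def probe_udp_syslog(host, port=514, timeout=2.0):
    """Send one test datagram and classify what comes back.

    'closed'        -> ICMP port unreachable returned: nothing listens on the port
    'open|filtered' -> silence: a listener accepted the datagram, or a firewall
                       dropped it; confirm by finding the message in the server log
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # a connected UDP socket surfaces ICMP errors
        try:
            s.send(build_test_message())
            s.recv(1024)             # syslog never replies; this waits for ICMP only
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        return "open|filtered"

if __name__ == "__main__":
    # Constructed loopback demo: a stand-in listener on an ephemeral port,
    # probed once while it is up and once after it has been closed.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2.0)
        port = srv.getsockname()[1]
        print("listener up:  ", probe_udp_syslog("127.0.0.1", port, timeout=0.5))
        print("received:     ", srv.recvfrom(1024)[0])
    print("listener down:", probe_udp_syslog("127.0.0.1", port, timeout=0.5))
```

Because UDP is connectionless, silence does not prove delivery: treat 'open|filtered' as inconclusive until the test message shows up in the server's log.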

Root Cause

The syslog server is not running a syslog daemon or has a firewall blocking inbound UDP port 514. The router configuration is correct, and connectivity exists, but the server is not listening for syslog messages.

Resolution

1. On the syslog server, start the syslog daemon (e.g., on Linux: sudo systemctl start rsyslog; on Windows: enable syslog service).
2. Ensure the server firewall allows inbound UDP port 514.
3. Optionally, on the router, verify logging is enabled: 'logging on'.
4. If the server IP or port is incorrect, reconfigure: 'no logging host 192.168.1.100' then 'logging host 192.168.1.100'.

Verification

Run 'show logging' on the router. Expected output: 'Logging to: 192.168.1.100 (udp port 514, audit disabled, link up) 5 messages logged, 0 message rate-limited'. Also check the syslog server for received messages.

Prevention

1. Always verify syslog server readiness before configuring logging on network devices.
2. Use a consistent logging source interface and ensure reachability.
3. Implement monitoring to alert if syslog messages stop being received.

CCNA Exam Relevance

On the CCNA 200-301 exam, syslog troubleshooting appears in multiple-choice questions and simulation labs. The exam tests understanding of syslog severity levels, logging configuration commands, and the ability to interpret 'show logging' output to identify why messages are not being sent.

Exam Tips

1. Remember that syslog uses UDP port 514 by default; the server must be listening on that port.

2. The 'logging trap' command sets the severity level; messages less severe than that level (numerically higher) are not sent.

3. Use 'show logging' to see if messages are being buffered locally and if the server is reachable (link up/down).
