Cisco Support Community
Community Member

Can't get syslog messages from Remote SA520 over VPN

I'm trying to set up a central logging server on a debian system running rsyslog.

The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.

I have set up both firewalls to allow ANY from each network 192.168.150.X & 19.168.160.X

(also tried to add a rule for UDP514 but that didn't help)

The debian system is new & has no iptables set up

I've entered the syslog server IP in remote logging.

I've set up facilities in Send to syslog for both routers.

I am logging messages from the local router but don't see anything from the remote.

I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)

I rebooted the router to see if that made a difference but no luck.

Any ideas why I can't get the syslog traffic across the VPN?

Community Member

Can't get syslog messages from Remote SA520 over VPN

Hi Webmasterk, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. Let me review some steps to get an idea of your configuration. Below you will see a document with some steps; please check that information against your configuration. If you have any questions, please let me know.

Remote Logging on SA540 Security Appliance

I hope you find this answer useful


Luis Arias.

Cisco Network Support Engineer.

Community Member

Re: Can't get syslog messages from Remote SA520 over VPN

I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.

My setup is

remote lan > SA520-remote ( > [ site to site IPSec VPN over WAN ] > SA520-local ( > syslog server ( & local lan

Firewall is set up to allow ANY IN & OUT to local lan on both routers.

I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)

syslog server has -no- firewall at the moment.

Syslog server is receiving messages from the local router with no issues.

Log Severity is set to Information & Log Facility is set up to send to Syslog.

I have also set up an SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.

Both routers have the latest firmware applied.

Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)

I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.

It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.

Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to.
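
One way to confirm on the syslog server which site is silent, as an added example that is not part of the original thread: it parses the syslog <PRI> prefix and tallies well-formed datagrams by source network. The /24 masks, the addresses in the sample datagrams and all function names are assumptions.

```python
import ipaddress
import re
import socket
import time

# Assumed /24 masks for the two LANs named in the thread.
SITES = {"local": ipaddress.ip_network("192.168.150.0/24"),
         "remote": ipaddress.ip_network("192.168.160.0/24")}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Constructed sample datagrams (source IP, payload); not captured traffic.
SAMPLE = [("192.168.150.1", b"<134>Jan 12 10:00:01 sa520-local fw: constructed"),
          ("192.168.150.1", b"<132>Jan 12 10:00:05 sa520-local fw: constructed"),
          ("10.0.0.9", b"not syslog")]

def parse_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, SEVERITIES[pri & 7]

def site_of(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return next((n for n, net in SITES.items() if addr in net), "unknown")

def tally(packets):
    """Count well-formed syslog datagrams per site."""
    counts = dict.fromkeys([*SITES, "unknown"], 0)
    for src_ip, data in packets:
        if parse_pri(data) is not None:
            counts[site_of(src_ip)] += 1
    return counts

def silent_sites(counts):
    return sorted(n for n in SITES if counts[n] == 0)

def listen(port=514, seconds=60):
    """Collect live datagrams; stop rsyslog first or the bind on UDP 514 fails."""
    packets, deadline = [], time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(1.0)
        while time.monotonic() < deadline:
            try:
                data, (src, _) = sock.recvfrom(4096)
                packets.append((src, data))
            except socket.timeout:
                pass
    return tally(packets)
```

Pass the result of `listen()` to `silent_sites()` to list the sites that sent nothing. A non-zero `unknown` count means syslog is arriving from a source address outside both LANs.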
