Is it possible that your EX/VC is presenting a particular source address to the syslog server?
For example, I have a switch setup to send syslog to a FreeBSD box running syslog-ng. The nature of the switch's connectivity was such that the IP address/hostname that I told the syslog server to expect from the switch was different than what the switch was actually presenting.
So my syslog server was expecting something like '192.168.1.1' or 'blue' and the switch syslog traffic was actually appearing to come from '192.168.2.1' so the net result was that nothing was actually logged.
I fixed this via something like this on the switch:
syslog {
user * {
any emergency;
}
host 172.30.0.14 {
any any;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
source-address 192.168.249.1;
}
Where my syslog server is '172.30.0.14' and the switch will send syslog traffic as originating from '192.168.1.1'
Any firewalls or anything between the switch VC and syslog server?
If the syslog system is Unix can you run tcpdump, snoop, etc or Wireshark if Windows to verify that the syslog packets are actually coming in to the syslog server from this VC/switch?