Syslog Logging Levels (Severity 0–7) - Complete Guide

1. What is Syslog?

Syslog is a standard logging protocol used by network devices (routers, switches, servers) to send event messages to a centralized log server (called a Syslog server).

Purpose:

Centralized log collection and analysis
Severity-based filtering for prioritization
Security auditing and compliance tracking

2. Syslog Severity Levels (0–7)

Syslog categorizes logs into eight severity levels, from 0 (most severe) to 7 (least severe):

Level	Name	Meaning	Example
0	Emergency (emerg)	System unusable	Router crash, kernel panic
1	Alert	Immediate action required	Disk full, power supply failure
2	Critical (crit)	Critical condition	BGP neighbor down
3	Error (err)	Error condition	Interface drops
4	Warning (warn)	Potential issue	High CPU usage
5	Notice	Significant but normal	User login, config saved
6	Informational	Routine information	Interface up/down
7	Debug	Debugging messages	Routing table updates

Mnemonic: "Every Awesome Cat Eats Whiskas Near Its Dish"

3. Default Logging Level on Devices

Cisco Devices: Default is level 6 (Informational)
Linux (rsyslog): Typically logs level 6 and above into /var/log/messages

4. Configuring Logging Levels

On Cisco Devices:

Router(config)# logging trap warnings      # Logs levels 0–4
Router(config)# logging host 192.168.1.100 # Syslog server IP

On Linux (rsyslog):

# Edit /etc/rsyslog.conf
*.info;mail.none;authpriv.none /var/log/messages

5. Filtering Logs by Severity

Cisco:

Router# show logging | include %CRITICAL

Linux:

grep "error" /var/log/syslog

6. Syslog Message Format

Every Syslog message contains:

Timestamp: e.g., Dec 15 10:30:45
Hostname: e.g., Router1
Facility: e.g., %SYS, %LINEPROTO
Severity: e.g., %CRITICAL
Message: Description of the event

Example:

Dec 15 10:30:45 Router1 %SYS-3-CRITICAL: Temperature threshold exceeded

7. Use Cases for Each Level

Level	When to Use
0 (Emergency)	Complete system failure
1 (Alert)	Immediate system-wide actions
2 (Critical)	Major routing or failover issues
3 (Error)	Connectivity drops, packet loss
4 (Warning)	CPU/memory spikes
5 (Notice)	Config changes, logins
6 (Info)	Interface up/down notifications
7 (Debug)	Packet-level diagnostics

8. Local vs. Remote Syslog

Feature	Local Logging	Remote Syslog
Storage	On-device (RAM or flash)	Central server
Retention	Lost on reboot	Persistent
Use Case	Quick troubleshooting	Audit and compliance

9. Syslog Facility vs. Severity

Term	Purpose	Example
Facility	Categorizes log source	auth, kernel, local0
Severity	Indicates urgency	error, warning

Common Linux Facility Codes:

0 = kernel
1 = user-level
16–23 = local0 to local7 (often used for network equipment)

10. Best Practices

✅ Use appropriate logging level (e.g., level 4 for production)
✅ Always configure remote Syslog for redundancy
✅ Rotate logs regularly (Linux: logrotate)
❌ Avoid logging debug level (7) in production unless troubleshooting

11. Performance Impact

Levels 0–4: Minimal logging impact (rare, critical events)
Levels 5–7: Higher volume, may increase CPU/disk usage

12. Testing & Verification

On Cisco:

Router# debug ip packet       # Generates level 7 logs
Router# show logging

On Linux:

logger -p local0.err "Test error message"
tail -f /var/log/syslog

13. Summary

Levels 0–3: High severity, must monitor immediately
Levels 4–5: Moderate concern, monitor regularly
Levels 6–7: Informational, use mainly for diagnostics

Always: Enable remote logging, apply filters, and audit logs.

Syslog Logging Levels Quiz

1. What is Syslog primarily used for?

A. Sending emails securely B. File transfer between servers C. Routing traffic in networks D. Centralized logging of event notifications

Correct answer is D. Syslog is a protocol used to collect and centralize logs from multiple devices for monitoring and troubleshooting.

2. Which Syslog severity level represents the highest priority?

A. 0 (Emergency) B. 7 (Debug) C. 3 (Error) D. 5 (Notice)

Correct answer is A. Severity level 0 (Emergency) indicates a system is unusable and requires immediate attention.

3. What does a severity level 3 (Error) indicate?

A. Informational messages B. Error conditions like interface errors or packet drops C. Normal but significant events D. Detailed troubleshooting logs

Correct answer is B. Level 3 indicates error conditions that need to be addressed.

4. Which severity level is typically used for normal operational messages like interface status changes?

A. 0 (Emergency) B. 4 (Warning) C. 6 (Informational) D. 7 (Debug)

Correct answer is C. Level 6 is for informational messages about normal operations.

5. What mnemonic helps remember the order of Syslog severity levels?

A. Big Elephants Can Always Understand Small Elephants B. Every Awesome Cat Eats Whiskas Near Its Dish C. All Good Boys Do Fine Always D. Please Excuse My Dear Aunt Sally

Correct answer is B. This mnemonic corresponds to Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug.

6. Which severity levels are typically logged by default on Cisco devices?

A. Levels 0 to 6 (Emergency to Informational) B. Levels 3 to 7 (Error to Debug) C. Levels 0 to 3 (Emergency to Error) D. Levels 5 to 7 (Notice to Debug)

Correct answer is A. Cisco devices usually log from Emergency (0) through Informational (6) by default.

7. What is the main difference between local logging and remote Syslog?

A. Local logs are encrypted; remote logs are not B. Remote logs are only stored temporarily C. Local logs cannot be filtered by severity D. Local logs are stored on the device; remote Syslog centralizes logs on a server

Correct answer is D. Local logging stores logs on the device; remote Syslog collects them centrally for scalability and persistence.

8. Which severity level should production environments typically log?

A. Debug (7) B. Warning (4) or higher C. Informational (6) D. Notice (5)

Correct answer is B. In production, logs from Warning (4) and more critical levels should be prioritized to avoid overload.

9. What could be a negative impact of enabling Debug (7) logging on network devices?

A. Loss of logs B. Logs may be encrypted C. Increased CPU and memory usage due to verbose logs D. Reduced network bandwidth

Correct answer is C. Debug logs are very verbose and can consume significant CPU and memory resources.

10. Which Cisco command displays the current logging information?

A. show logging B. show log status C. debug logging D. display logs

Correct answer is A. The "show logging" command shows the current syslog messages on Cisco devices.

← Back to Home