What Are Syslog Logging Levels in Networking?

Also known as: syslog logging levels, syslog severity levels, Cisco syslog levels, ENARSI logging, syslog 0 to 7

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

Syslog logging levels are like a priority scale for messages that a network device sends about its health and activity. Each message gets a number from 0 to 7, where 0 means a critical emergency and 7 means a simple debugging note. Network engineers use these levels to filter which messages to store or alert on. This helps them focus on serious problems without being overwhelmed by routine log entries.

Must Know for Exams

Syslog logging levels are a core topic in the Cisco CCNP Enterprise (350-401 ENCOR and 300-410 ENARSI) exams. The ENARSI exam specifically covers advanced routing and infrastructure services, including logging configuration for troubleshooting. Candidates must understand the severity levels, how to configure them, and how to interpret log output. The exam objectives explicitly state that logging is part of infrastructure services and network management.

In the ENCOR exam, syslog appears under the network assurance section. Candidates are expected to know how to configure syslog on Cisco IOS devices, set logging levels, and direct logs to a buffer, console, or remote server. Multiple-choice questions often ask which severity level corresponds to a specific message type. For example, a question might describe a situation where a router reboots unexpectedly and ask which syslog level that event is assigned to. The correct answer is level 5 (Notification) for a system restart, but some questions present level 6 (Informational) or level 3 (Error) as distractors.

In the ENARSI exam, troubleshooting questions often present a scenario with syslog output. Candidates must read the log, identify the severity level, and determine the next step. For instance, a log showing %LINEPROTO-5-UPDOWN indicates a line protocol change of notification level. A question might ask what this message means and what action should be taken. Knowing that level 5 is not critical helps eliminate overreaction.

The exam also tests the configuration command syntax. A typical question: Which command configures the router to send only messages with severity 3 and above to the syslog server? The answer is logging trap errors, as errors correspond to level 3. The command logging trap 3 also works. Candidates must remember that the number 0 is the highest severity and 7 is the lowest. The command logging console debugging enables messages at levels 0 through 7 to the console, which is useful for troubleshooting but may flood the console output.

Finally, the exams often link syslog with SNMP for network management. A question might ask how to correlate syslog events with SNMP traps. Understanding the severity mapping between these protocols is important. The exams expect you to know that syslog is primarily a message-logging protocol, whereas SNMP is for device monitoring and traps are for event notifications. This distinction is tested in scenario-based questions where a candidate must choose the best tool for a given troubleshooting task.

Simple Meaning

Imagine that your network router or switch is like a large office building with many rooms, hallways, and security cameras. Throughout the day, the building manager receives dozens of reports from cleaning staff, security guards, maintenance workers, and the front desk. Some reports are extremely urgent, like a fire alarm or a broken water pipe. Others are less important, like a loose doorknob or a flickering light. The building manager cannot drop everything to read every single report in detail. Instead, the manager needs a way to sort these reports by how urgent they are. This is exactly what syslog logging levels do for network devices.

Syslog logging levels assign a number from 0 to 7 to every message generated by a device like a Cisco router or switch. Level 0 is reserved for emergencies, such as a device overheating or a security breach. Level 1 is for alerts that require immediate action, like a critical interface going down. Level 2 is for critical conditions that could cause service disruption. Level 3 is for error conditions that cause problems but may not be immediately fatal. Level 4 is for warning conditions that might lead to future issues. Level 5 is for normal but significant events, like a device restarting. Level 6 is for informational messages, such as a successful configuration save. Level 7 is for detailed debugging information, which is helpful for troubleshooting but not for daily monitoring.

Network administrators decide which levels they want to collect and store based on their needs. For example, during routine operations, they might only store messages at level 3 and above, ignoring lower-level noise. When troubleshooting a specific issue, they might enable logging for level 7 debugging messages temporarily to capture every detail. This filtering capability is what makes syslog logging levels so valuable. Without it, a busy network device could generate thousands of log entries per minute, and finding the one important error would be like searching for a specific grain of sand on a beach.

Full Technical Definition

Syslog is a standard protocol defined in RFC 5424 and earlier in RFC 3164. It is used for message logging in networked devices, including routers, switches, firewalls, servers, and other infrastructure. The syslog protocol specifies a facility code and a severity level for each message. The severity level is represented as an integer from 0 to 7, where 0 is the highest priority (Emergency) and 7 is the lowest priority (Debug).

On Cisco IOS and IOS-XE devices, syslog messages are generated by the operating system kernel, processes, and applications such as routing protocols (OSPF, EIGRP, BGP), interface managers, and security features. Each message includes a timestamp, the device hostname, the process name, and the severity level. The administrator configures logging using commands like logging buffered informational, logging console warnings, or logging monitor debugging. These commands set a severity threshold; messages at or above that threshold (numerically lower or equal) are displayed or recorded.

Syslog logging levels are implemented using the facilities defined in the syslog standard. Facilities like daemon, kern, user, and local0 through local7 allow administrators to separate messages by source. When combined with severity levels, this creates a two-dimensional filtering system. For example, a network administrator can configure a remote syslog server to only accept messages from the kernel facility at level 0 through 3, while receiving all local7 messages.

In practical IT environments, syslog messages are sent over UDP port 514 (default) or TCP port 1468 for reliable delivery. Messages can be stored locally in a buffer, sent to a console, transmitted over a network to a central syslog server, or forwarded to a Security Information and Event Management (SIEM) system. The syslog logging level determines which messages are forwarded. Cisco devices also support logging to internal flash memory in formats like .txt or .log for persistent local storage.

When a device generates a syslog message, it includes a severity value that is compared to the configured threshold. If the value is numerically less than or equal to the threshold, the message is delivered. For instance, if logging is set to level 4 (Warning), messages at levels 0, 1, 2, 3, and 4 are recorded, while levels 5, 6, and 7 are silently ignored. This allows engineers to carefully balance the need for detailed information against storage and bandwidth constraints.
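The two-dimensional facility and severity filter described above, sketched as it might run on a collector. This is an added example, not code from the original page. It relies on the standard syslog PRI header, where the number in angle brackets equals facility * 8 + severity; the policy values mirror the kernel and local7 example in the text, and the sample datagrams are constructed.

```python
import re

# Severity names as used on this page; list index = numeric level.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notification", "Informational", "Debug"]

# Standard syslog facility codes (subset): kern=0, user=1, daemon=3,
# local0..local7 = 16..23.
FACILITY = {0: "kern", 1: "user", 3: "daemon",
            **{16 + n: f"local{n}" for n in range(8)}}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility_code, severity) from the leading <PRI> field."""
    m = PRI_RE.match(datagram)
    if m is None:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def accepted(datagram, policy):
    """Apply a per-facility severity threshold.

    policy maps a facility name to the highest severity number to keep.
    Malformed datagrams and facilities without a rule are rejected.
    """
    try:
        facility, severity = decode_pri(datagram)
    except ValueError:
        return False
    name = FACILITY.get(facility)
    if name not in policy:
        return False
    return severity <= policy[name]


# Policy from the text: kernel messages at levels 0-3, all local7 messages.
POLICY = {"kern": 3, "local7": 7}

# Constructed sample datagrams (not captured from a real device).
SAMPLE = [
    "<189>45: *Mar  1 00:00:06: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface GigabitEthernet0/1, changed state to down",   # local7, level 5
    "<3>kernel: constructed error-level message",            # kern, level 3
    "<6>kernel: constructed informational message",          # kern, level 6
    "<191>46: constructed local7 debug output",              # local7, level 7
    "<14>app: constructed user-facility message",            # user, level 6
    "<999>constructed out-of-range PRI",
    "constructed line with no PRI header",
]

if __name__ == "__main__":
    for line in SAMPLE:
        verdict = "keep" if accepted(line, POLICY) else "drop"
        print(f"{verdict}  {line[:60]}")
```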

Real-Life Example

Think of a large hospital with many departments, floors, and patient rooms. The hospital has a main control center that monitors alarms from medical equipment, security systems, and building management. Each piece of equipment can generate messages ranging from a critical code blue emergency (level 0) to a routine battery check pass (level 7). The nurse at the control center cannot respond to every single beep and light. Instead, the hospital uses a triage system.

A message from a heart monitor showing flatline would be level 0, requiring immediate action. A fire alarm in the basement would be level 1, an alert that the oxygen tank pressure is low would be level 2, and a faulty light in a patient room would be level 3. Messages like a door left open in storage (level 4) might be recorded but not acted upon right away. A daily backup complete notification is level 5, which is informational. A reminder that the cleaning crew visited is level 6. The detailed logs from the HVAC system that show temperature fluctuations of 0.1 degrees are level 7, useful only for technicians doing deep diagnostics.

The hospital administrator configures the control center to alert the emergency team for any level 0 or 1 messages by sounding an alarm. Messages at level 2 are sent to the floor supervisor's pager. Levels 3 through 5 are recorded in the daily report. Levels 6 and 7 are only stored for 24 hours unless a specific investigation is underway. This triage system ensures that critical events get immediate attention while routine events do not flood the emergency responders. Similarly, in networking, syslog logging levels allow engineers to decide which alarms require a page, an email, or just a note in the log file.

Why This Term Matters

Syslog logging levels matter because they enable network and system administrators to manage the overwhelming volume of messages generated by modern IT infrastructure. A single enterprise router can produce tens of thousands of log messages per day if all levels are enabled. Without a severity classification, administrators would waste time filtering through noise to find critical issues. By using logging levels, they can prioritize response to emergencies (level 0) and alerts (level 1) while storing lower-level messages for post-incident analysis.

In cybersecurity, syslog logging levels are essential for incident detection and forensics. Security teams rely on syslog data fed into SIEM platforms to identify patterns of attacks. If all messages are logged at the same level, important security events like failed login attempts (level 4) or interface resets (level 3) can be lost in a sea of debug output (level 7). Proper level configuration ensures that security events are elevated for immediate review while normal operations are archived for compliance.

In system administration, logging levels help with capacity planning and troubleshooting. For example, if a server starts generating excessive level 7 debug messages unexpectedly, it could indicate a software bug or resource contention. By monitoring the volume per level, administrators can spot anomalies early. Additionally, regulatory compliance frameworks such as PCI DSS, HIPAA, and SOX often require that certain types of system events be logged and retained. Using syslog levels ensures that the required events are captured without unnecessary data retention.

From a networking perspective, logging levels influence device performance. Storing logs locally in a buffer uses memory. Forwarding logs over the network uses bandwidth. By selecting an appropriate threshold, engineers prevent resource exhaustion. For example, setting logging to level 3 (Errors) on a core router during peak traffic ensures that only significant issues are recorded, preserving CPU cycles for packet forwarding. This practical balance between detail and performance is why syslog logging levels are a fundamental concept in network management.

How It Appears in Exam Questions

In Cisco certification exams, syslog logging levels appear in multiple question formats. The most common is the direct knowledge question, which asks you to match a severity level number with its keyword. For example: Which syslog level corresponds to the keyword Warning? Answer: Level 4. Or vice versa: A router generates a message with severity level 1. What keyword represents this level? Answer: Alert. These questions test your ability to recall the standard 0-to-7 mapping.

Scenario-based questions present a network event and ask you to interpret the syslog message. For instance, the question may show %SYS-5-CONFIG_I: Configured from console by vty0. The candidate must identify that this is a level 5 (Notification) message indicating a configuration change. Then the question might ask whether this message indicates a problem. The correct answer is no, it is not an error; it is an informational notification of a normal event. This tests your ability to differentiate between levels when reading actual log output.

Configuration questions require you to select the appropriate command to set a logging threshold. For example: An administrator wants to see only critical and higher messages on the console. Which command should be used? Options include logging console critical, logging console errors, logging console alerts. The correct answer is logging console critical because Critical is level 2, and level 2 and higher means levels 0, 1, and 2. But careful: the command logging console 2 is also valid. This nuance is tested to see if you know both the keyword and the numeric value.

Troubleshooting questions often combine syslog with other diagnostic tools. A typical multi-part question might describe a network outage where OSPF neighbor adjacencies keep dropping. The candidate receives a syslog output showing %OSPF-5-ADJCHG messages at level 5. The question then asks: Based on the severity, is this the root cause or a symptom? The answer: Level 5 notification indicates a change, but not an error. The candidate must use other tools like debug or show commands to find the underlying reason for the adjacency change, such as mismatched timers (which would generate a lower-level error).

Finally, some questions ask about syslog server configuration. For instance: A customer wants to send all logs with severity 3 and higher to a central server. They issue logging trap errors. The question asks: Which logs are sent? The answer includes levels 0 through 3. Another variation asks about the difference between logging console and logging monitor, testing familiarity with logging destinations. These questions ensure that candidates know not just the levels but also how to apply them in real device configuration.

Example Scenario

You are a network administrator for a mid-sized company with about 200 employees. The core network runs on Cisco routers and switches. One morning, users start reporting that the internet is slow and some websites are not loading. You need to troubleshoot the issue while keeping the devices running normally.

You first check the syslog messages on the core router. You view the buffered logs using show logging. You see several messages at level 3 (Errors) about interface GigabitEthernet0/1 going up and down repeatedly. The messages look like %LINEPROTO-5-UPDOWN and %LINK-3-UPDOWN. The level 3 messages indicate that the interface is experiencing errors. This tells you that the physical link or the connected device might be faulty. You do not see any level 0 or 1 messages, which means there is no emergency. The level 5 messages are normal operational changes, like OSPF neighbor resets, which are a consequence of the link flapping.

You then increase the logging level to 7 temporarily to capture debug information for that specific interface. Using logging console debugging temporarily does not impact the router's performance significantly because the interface flapping is intermittent. You see additional level 7 messages showing CRC errors and late collisions. This confirms your suspicion of a bad cable or faulty transceiver. You replace the cable, the errors stop, and the level 3 messages disappear. After the resolution, you reset the logging level back to a more conservative threshold like 3 (Errors) to avoid filling the log buffer with debug noise. This scenario shows how syslog logging levels guide you to focus on error-level logs (3) first, then escalate to debug-level (7) only when needed.

Common Mistakes

Confusing the numerical severity order, thinking level 7 is the most severe.

Level 0 (Emergency) is the most severe. Level 7 (Debug) is the least severe. Thinking the opposite will cause you to ignore critical messages or store too much noise.

Remember: Lower number = Higher severity (more urgent). 0 is critical, 7 is trivial.

Believing that setting logging to a lower number blocks messages at higher numbers.

Logging thresholds work the opposite way: setting logging to level 3 means levels 0, 1, 2, and 3 are logged. Level 4, 5, 6, and 7 are blocked. Higher numbers are not more severe; they are less severe.

Think of the threshold as a cutoff: all messages with a number equal to or below the threshold are captured, and those with a higher number are ignored.

Using the wrong keyword in configuration, such as typing logging console errors.

The correct command uses the keyword errors for level 3, but the command logging console errors works because errors is a valid keyword. However, many candidates confuse errors with warning or informational and use the wrong word.

Memorize the exact keywords: emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), debugging (7). Practice writing configuration commands.

Assuming that all syslog messages are error logs and that level 5 or 6 always indicates a problem.

Level 5 (Notification) and Level 6 (Informational) are normal operational messages. A level 5 message about a router reload is expected after a scheduled maintenance, not an error. Treating it as a problem wastes time.

Read the message content, not just the level. A level 5 message is a routine announcement. Only investigate further if the message indicates an unexpected event or repeats frequently.

Exam Trap — Don't Get Fooled

A question asks: Which syslog severity level must be configured to capture messages of Warning and higher? Options: A) Warning, B) Errors, C) 4, D) 5. Set the level to Warning (4) and it will capture levels 0, 1, 2, 3, and 4.

The trap is that option D) 5 would only capture Emergency through Notification (levels 0 to 5), missing Warning itself. Always remember: the configured level and all levels numerically lower are included. Warning is level 4, so to capture Warning and above (higher severity), you must set the threshold to Warning (4).

Commonly Confused With

Syslog Logging Levels vs SNMP Traps

Syslog logging levels are about sending text-based log messages from a device to a server. SNMP traps are structured alerts sent from a device to an SNMP manager using a standardized format. Syslog is used for general event logging, while SNMP traps are typically used for specific monitored thresholds or state changes.

A router sends a syslog message saying Interface down at level 3. It also sends an SNMP trap to the network management station with a specific OID for linkDown. Both inform but use different protocols.

Syslog Logging Levels vs Debug Commands

Syslog logging levels include a debug level (7), but debug commands are separate features that enable real-time tracing of device processes. Debug output can be directed to syslog, but debug commands themselves are not the same as logging levels. Debug commands create messages at level 7, but you can set logging to level 7 without running debug commands.

Running debug ip ospf events produces syslog messages at level 7. But you can also have level 7 messages from normal operations if logging is set to debugging. The debug command is the source; the level is the classification.

Syslog Logging Levels vs System Log Buffer vs. Remote Syslog

Syslog logging levels define the severity of messages, not where they are stored. The log buffer is a local memory area on the device, while remote syslog sends messages to an external server. Both use the same severity levels, but the configuration commands differ: logging buffered sets the buffer threshold, and logging host sets the remote server address.

You can set logging buffered warnings to store only warnings and higher in the router memory. At the same time, you can set logging host 192.168.1.100 and logging trap errors to send only errors and higher to the remote server.

Step-by-Step Breakdown

1. Message Generation

A Cisco device generates a syslog message when a process (like OSPF, interface manager, or kernel) detects an event. The process assigns a facility code and a severity level based on the event type. For example, an OSPF neighbor going down triggers a level 5 (Notification) message with the facility OSPF.

2. Severity Assignment

The device assigns a severity number from 0 to 7. This is hardcoded by the software for each event type. Emergencies (0) are system-wide failures. Alerts (1) need immediate action. Critical (2) indicates a service failure. Errors (3) are non-fatal problems. Warnings (4) are potential issues. Notifications (5) are normal changes. Informational (6) are routine updates. Debugging (7) is detailed diagnostic data.

3. Threshold Comparison

The device compares the message severity to the configured logging thresholds for each output destination (console, monitor, buffer, trap). If the message severity is numerically less than or equal to the threshold, the message is sent. For example, if logging buffered is set to warnings (4), a level 3 (Error) message is sent, but a level 6 (Informational) message is not.

4. Formatting and Timestamping

The device adds a timestamp, hostname, process name, and the message content to the raw event. For Cisco IOS, the format is typically: 00:00:06: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Ethernet0 from FULL to DOWN. The 5 indicates the severity level (Notification).

5. Delivery to Destination

The formatted message is sent to the configured output. If the destination is the console, it appears on the terminal. If it is the buffer, it is stored in RAM. If it is a remote syslog server, the device sends a UDP packet to the server's port 514 (or configured port). The message may be rate-limited to prevent flooding.

6. Storage or Forwarding

On the remote syslog server, the message is stored in a file, database, or SIEM. The server may further filter or alert based on the severity. On the device itself, the buffer has a fixed size (e.g., 4096 bytes). When the buffer fills, the oldest messages are overwritten. Administrators can view the buffer with the show logging command.

Practical Mini-Lesson

Syslog logging levels are not just theoretical exam points; they are a daily tool for any network or system administrator. To configure syslog logging levels on a Cisco IOS device, you first need to understand the device's architecture. There are four main logging destinations: console, monitor (VTY lines), buffer (local RAM), and trap (remote syslog server). Each can have its own severity threshold.

For example, in a production environment, you might set logging console critical (level 2) so that only emergencies, alerts, and critical messages appear on the console port. This prevents routine messages from interfering with an engineer typing commands. For the monitor (telnet/SSH sessions), you might set logging monitor warnings (level 4) to provide a bit more detail for remote administrators. For the buffer, you might set logging buffered informational (level 6) to capture normal events for recent history. For the remote syslog server, you might set logging trap errors (level 3) to store only errors and above in the central log repository.
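The threshold comparison from the step-by-step breakdown, applied to the four production thresholds in the paragraph above. This is an added example, not code from the original page: it reads the severity digit out of the %FACILITY-SEVERITY-MNEMONIC tag and reports which destinations would receive each message. The function names are hypothetical, and the %EXAMPLE-7-DEBUG_NOTE tag is a constructed placeholder.

```python
import re

# Cisco IOS severity keywords as listed on this page; index = numeric level.
KEYWORDS = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Matches the %FACILITY-SEVERITY-MNEMONIC tag, e.g. %OSPF-5-ADJCHG.
# Assumption: facility and mnemonic use only A-Z, 0-9 and underscore.
TAG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")


def level(value):
    """Turn a keyword ('errors') or a number (3 or '3') into an int 0..7."""
    text = str(value).strip().lower()
    if text in KEYWORDS:
        return KEYWORDS.index(text)
    if text.isdigit() and 0 <= int(text) <= 7:
        return int(text)
    raise ValueError(f"not a syslog severity: {value!r}")


def parse_tag(line):
    """Return (facility, severity, mnemonic), or None if no tag is found."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def destinations(line, thresholds):
    """List the destinations whose threshold admits this message.

    A message is delivered when its severity number is less than or
    equal to the destination's configured threshold.
    """
    tag = parse_tag(line)
    if tag is None:
        return []
    severity = tag[1]
    return sorted(dest for dest, limit in thresholds.items()
                  if severity <= level(limit))


# Thresholds from the production example on this page.
PRODUCTION = {"console": "critical", "monitor": "warnings",
              "buffered": "informational", "trap": "errors"}

# First two messages are quoted on this page; the rest are constructed.
SAMPLE = [
    "00:00:06: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Ethernet0 "
    "from FULL to DOWN",
    "%SYS-5-CONFIG_I: Configured from console by vty0",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SYS-2-MALLOCFAIL: constructed critical-level message text",
    "%EXAMPLE-7-DEBUG_NOTE: constructed placeholder debug message",
]

if __name__ == "__main__":
    for line in SAMPLE:
        facility, severity, mnemonic = parse_tag(line)
        print(f"{facility}-{severity}-{mnemonic} ({KEYWORDS[severity]}): "
              f"{destinations(line, PRODUCTION) or 'dropped everywhere'}")
```

With these thresholds the level 5 OSPF and configuration messages reach only the buffer, so a central server fed by logging trap errors never sees them.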

When troubleshooting a problem, you can temporarily change these levels. For instance, if you suspect a routing loop, you can issue logging console debugging (level 7) after enabling debug ip routing. But you must remember to turn off debug with undebug all and reset the console logging level, otherwise the console will be flooded and the device may become unresponsive.

One common real-world mistake is enabling debug logging without setting a logging rate limiter. Cisco devices have a built-in rate limiter for syslog messages (logging rate-limit). If you enable debug and the device starts generating thousands of messages per second, the console could become unusable. Always plan to set a rate limit or use an access list to filter debug output.

Another key point is that syslog messages are sent as UDP, which is connectionless. If the remote syslog server is down, messages are dropped. For critical environments, consider using TCP-based syslog (RFC 3195) or syslog over TLS. This ensures delivery of high-severity messages (levels 0-2). You can even configure multiple syslog servers for redundancy.

Finally, syslog logging levels integrate with network automation. Tools like Ansible, Python scripts, or Cisco DNA Center can parse syslog messages and trigger automated responses, such as shutting down a flapping interface when a level 3 error repeats. Understanding severity levels allows you to write thresholds for automation: only trigger on levels 0-2, or all levels for audit trails.
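A sketch of the severity-gated automation described above, as an added example that is not part of the original page. It flags an interface for review when enough "changed state" messages at or above a severity threshold arrive inside a sliding time window, and it ignores the level 5 messages that accompany them. The log lines, the timestamp format, the year and the default thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "Mon DD HH:MM:SS: %FAC-SEV-MNEMONIC: ... Interface X, changed state to up|down"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): "
    r".*?Interface (?P<intf>[^,\s]+), changed state to (?:up|down)"
)


def find_flapping(lines, max_severity=3, min_events=4,
                  window_seconds=60, year=2024):
    """Return a sorted list of interfaces that flap.

    Only messages with severity <= max_severity are counted. An interface
    is flagged once min_events of them fall within window_seconds.
    Lines are assumed to be in chronological order; the timestamps carry
    no year, so one is supplied (assumption).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # interface -> timestamps inside the window
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or int(m["sev"]) > max_severity:
            continue              # not a state change, or below the threshold
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events = recent[m["intf"]]
        events.append(ts)
        while ts - events[0] > window:
            events.popleft()      # forget events older than the window
        if len(events) >= min_events:
            flagged.add(m["intf"])
    return sorted(flagged)


# Constructed sample log (not captured from a real device).
SAMPLE = [
    "Mar  1 10:00:01: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:00:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:00:09: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Mar  1 10:00:20: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:00:31: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Mar  1 10:00:40: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN",
    "Mar  1 10:05:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "Mar  1 10:30:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
]

if __name__ == "__main__":
    for interface in find_flapping(SAMPLE):
        print(f"review {interface}: repeated level 3 link state changes")
```

GigabitEthernet0/2 is not flagged because its two level 3 events are 25 minutes apart, which is a single down and up rather than a flap.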

In summary, a professional network engineer must know how to configure logging levels to balance between visibility and performance. Over-logging can degrade device performance and fill storage. Under-logging can miss important events. The art is choosing the right threshold for each destination based on operational needs and compliance requirements.

Memory Tip

Remember the syslog severity order by the mnemonic: Every Admin Can Execute Normal Work Including Debugging, keeping in mind that level 4 is Warning, not Normal: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Informational, 7 Debugging. Or use a simpler one: Emus And Cats Eat Nuts With Interesting Dirt. (0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Informational, 7 Debug).

Frequently Asked Questions

What is the difference between syslog severity 0 and 7?

Severity 0 is Emergency, the highest priority, used for system-wide failures that require immediate action. Severity 7 is Debug, the lowest priority, used for detailed operational information only meaningful during troubleshooting.

What command sets the syslog severity for sending logs to a remote server?

The command is logging trap followed by the keyword or number, for example logging trap errors or logging trap 3. This sets the threshold for syslog messages sent to the remote server.

Can I have different syslog severity settings for console, buffer, and remote server?

Yes, each destination can have its own threshold. For example, you can set logging console critical, logging buffered informational, and logging trap errors. This allows fine-grained control over what is displayed where.

What happens if I set logging console debugging?

All syslog messages from level 0 to level 7 will appear on the console. This can flood the console output, especially during debug sessions, making it difficult to enter commands. Use it only temporarily in a lab or with a rate limiter.

Does a syslog severity of 5 mean the device is having a problem?

Not necessarily. Severity 5 is Notification, which indicates a normal but significant event, like a router reboot or a configuration change. It is not an error condition. You should still review it for unexpected changes, but it is not a fault on its own.

How do I view the current syslog buffer content on a Cisco router?

Use the show logging command. This displays the syslog messages stored in the buffer along with the logging configuration, including the buffer size, severity threshold, and the number of messages dropped.

Summary

Syslog logging levels are a fundamental concept in network management and IT certification exams, particularly for Cisco CCNP ENCOR and ENARSI. They provide a standardized severity scale from 0 (Emergency) to 7 (Debug), enabling administrators to filter and prioritize the enormous volume of messages generated by network devices. Understanding these levels is crucial for effective troubleshooting, security monitoring, and compliance.

In exams, you must recall the numerical-to-keyword mapping, configure logging thresholds correctly, and interpret syslog output in scenario-based questions. Common mistakes include reversing the severity order, misconfiguring thresholds, and misunderstanding what each level implies. Always remember that a lower number means higher severity, and that each logging destination can have its own independent threshold.

By mastering syslog logging levels, you gain the ability to tune network devices for efficient operations, quickly identify critical issues, and avoid being overwhelmed by log noise. This knowledge is not just for passing exams; it is a daily skill for any professional working with Cisco infrastructure or any system that uses the syslog protocol.