This chapter covers a NEW objective in the CCNA v2 exam (200-301 v2.0, 2026 blueprint): interpreting syslog messages, severity levels, and facilities. Cisco added this to emphasize AI and Network Operations, reflecting the growing need for automated log analysis in modern networks. As a network engineer, syslog is your network's 'black box flight recorder'—it logs everything from interface flaps to security breaches. Mastering syslog interpretation is essential for troubleshooting, compliance, and integrating with AIOps platforms. This chapter will teach you the syslog architecture, severity levels, facilities, and how to configure and interpret messages on Cisco IOS devices.
Jump to a section
Imagine a busy hospital emergency room (ER) where patients arrive with various medical issues. The ER uses a triage system to prioritize care based on severity, similar to how syslog uses severity levels. Patients are assigned a triage level: Level 1 (Resuscitation) for life-threatening conditions, Level 2 (Emergent) for serious but stable, Level 3 (Urgent) for non-life-threatening, Level 4 (Less Urgent) for minor issues, and Level 5 (Non-Urgent) for routine. Each patient also has a 'facility'—the department that generated the case, like Cardiology, Orthopedics, or Neurology. In syslog, facilities identify the source of the message (e.g., kernel, mail, local use). The ER's charge nurse acts as the syslog server, recording every patient's arrival time, triage level, and department. Doctors and administrators review these logs to identify trends (e.g., more cardiac arrests on Mondays), troubleshoot bottlenecks (e.g., long wait times for Level 3 patients), and ensure compliance with hospital policies. If a patient's condition worsens, the triage level is updated—just as a syslog message can change severity when a problem escalates. The ER analogy mirrors syslog's structure: each message has a facility (department), severity (triage level), timestamp, and content (symptoms). By understanding this system, you can quickly filter logs to focus on critical events, just as a triage nurse focuses on Level 1 patients first.
What is Syslog and Why Does It Exist?
Syslog is a standard protocol for message logging, defined in RFC 5424 (and earlier RFC 3164). It allows network devices (routers, switches, firewalls) to send event messages to a central log server. This centralization is critical for monitoring, troubleshooting, and security auditing. Without syslog, you would have to log into each device individually to check its logs—a nightmare in a network with hundreds of devices. Syslog messages are text-based and include a timestamp, facility code, severity level, hostname, and message text. Cisco IOS devices generate syslog messages for events like interface state changes, configuration changes, authentication failures, and system errors.
Syslog Architecture and Message Format
Syslog operates over UDP (default port 514) or TCP (port 6514 with TLS). The sender (device) sends messages to a collector (syslog server). The server listens on the configured port and stores logs. The message format per RFC 5424 includes:
PRIORITY: Calculated as facility * 8 + severity. This single number encodes both.
VERSION: Usually 1 for RFC 5424.
TIMESTAMP: ISO 8601 format (e.g., 2026-03-15T14:30:00Z).
HOSTNAME: Device hostname or IP.
APP-NAME: Application that generated the message (e.g., "IOSd").
MSGID: Message identifier (e.g., "IF-UP").
STRUCTURED-DATA: Optional key-value pairs.
MSG: Free-form text.
Cisco IOS uses a slightly different format (RFC 3164 style) by default, but newer IOS XE supports RFC 5424.
Severity Levels (0-7)
Syslog defines eight severity levels, with 0 being the most critical:
0 – Emergency: System is unusable (e.g., kernel panic).
1 – Alert: Immediate action needed (e.g., critical battery failure).
2 – Critical: Critical conditions (e.g., hardware failure).
3 – Error: Error conditions (e.g., interface down).
4 – Warning: Warning conditions (e.g., high CPU).
5 – Notice: Normal but significant condition (e.g., interface up).
6 – Informational: Informational messages (e.g., config change).
7 – Debug: Debug-level messages.
Cisco IOS allows you to filter which messages are logged locally or sent to a server using the logging command with a severity threshold. For example, logging trap 4 sends messages with severity 0-4 to the syslog server.
Facilities
Facilities identify the source of the message. RFC 5424 defines 23 standard facilities (0-22), but Cisco IOS uses a subset plus local use facilities (16-23). Common facilities:
0 – kernel
1 – user-level
2 – mail
3 – system daemons
4 – security/authorization (auth)
5 – syslogd
6 – line printer
7 – network news
8 – UUCP
9 – clock daemon
10 – security/authorization (authpriv)
11 – FTP
16-23 – local0 through local7 (used by Cisco for different features)
Cisco IOS uses local0 through local7 for various purposes, such as local7 for debugging. In configuration, you can set the facility using logging facility <facility>.
How Syslog Works Step-by-Step
An event occurs on the device (e.g., interface goes down).
The IOS process generates a syslog message with a facility (e.g., local7) and severity (e.g., 3 for Error).
The device checks its logging configuration: is logging enabled? What is the severity threshold for the console, buffer, terminal lines, and syslog server?
If the message severity is equal to or lower than the threshold (lower number = higher priority), the message is sent to the configured destinations.
For syslog server, the device sends a UDP packet to the server's IP address on port 514 (or TCP if configured).
The server receives the packet, parses it, and stores it in a log file or database.
IOS CLI Verification Commands
To view syslog messages locally on a Cisco device:
show loggingExample output:
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 0 messages logged
Logging Exception: size (8192) bytes
Trap logging: level informational, 0 messages logged
Logging to 192.168.1.100 (udp port 514, audit disabled, link up)
Log Buffer (8192 bytes):
*Mar 15 14:30:00.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 15 14:30:01.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to downTo configure syslog:
configure terminal
logging host 192.168.1.100
logging trap informational
logging facility local7
logging on
endInteracting with Related Protocols
Syslog works with SNMP for network management. While SNMP polls device status, syslog provides unsolicited event notifications. NTP is crucial for accurate timestamps in syslog messages. Without NTP, timestamps are unreliable, making correlation difficult. AAA (TACACS+/RADIUS) logs authentication events via syslog. AIOps platforms ingest syslog data to detect anomalies using machine learning.
Trap Patterns for the Exam
Confusing severity levels: Remember lower number = more severe. Emergency (0) is most severe, Debug (7) is least.
Facility codes: You don't need to memorize all, but know local0-local7 (16-23) and that Cisco uses local7 often.
The logging trap command filters messages sent to the syslog server; logging console filters console output. They are independent.
Syslog uses UDP port 514 by default. TCP 6514 with TLS is for secure logging (not commonly tested).
Enable Syslog Logging Globally
First, ensure syslog logging is enabled on the device. Use the `logging on` command in global configuration mode. This enables the syslog process. Without this, no syslog messages are generated. Verify with `show logging`—look for 'Syslog logging: enabled'.
Set the Syslog Server IP and Protocol
Use `logging host <ip-address>` to specify the syslog server. You can optionally set the transport protocol with `logging host <ip-address> transport udp` (default) or `logging host <ip-address> transport tcp` for reliable delivery. The default port is 514 for UDP. Example: `logging host 192.168.1.100`.
Configure Severity Threshold for Trap Logging
Use `logging trap <severity-level>` to filter messages sent to the syslog server. The level can be a keyword (e.g., informational, debugging) or a number (0-7). Only messages with severity <= the configured level are sent. Example: `logging trap 4` sends severity 0-4. Common trap levels: informational (6) for normal operations, debugging (7) for troubleshooting.
Set the Syslog Facility
Use `logging facility <facility-name>` to change the facility code. The default is local7. Common facilities: local0 through local7. Example: `logging facility local7`. This helps in filtering logs on the server. The facility is encoded in the PRIORITY value.
Configure Logging Buffer for Local Storage
Use `logging buffered <size> <severity-level>` to store messages in a local buffer. Example: `logging buffered 8192 debugging` sets buffer size to 8192 bytes and stores messages with severity 0-7. Use `show logging` to view buffer contents. The buffer is circular—oldest messages are overwritten when full.
Verify Syslog Configuration and Test
Use `show logging` to verify all settings. Generate a test event by shutting down an interface (`interface g0/1`, `shutdown`). Check that the message appears in the log buffer and on the syslog server. Use `debug` commands (e.g., `debug ip packet`) with caution—they generate many messages. Use `no debug all` to disable debugging.
In a large enterprise network with thousands of devices, syslog is indispensable for security and operations. For example, a network operations center (NOC) uses a centralized syslog server (like Splunk or ELK) to collect logs from all routers, switches, firewalls, and wireless controllers. When an interface goes down, the syslog message is immediately visible to the NOC team, who can start troubleshooting. Without syslog, they would need to manually poll devices via SNMP or SSH.
Another scenario: A security team monitors for authentication failures. Syslog messages from AAA servers (TACACS+ or RADIUS) are sent with facility auth (4) or authpriv (10). The security team filters for severity 3 (Error) or lower to detect brute-force attacks. They correlate timestamps using NTP to trace an attacker's steps across multiple devices.
A common pitfall is misconfiguring severity thresholds. For instance, setting logging trap debugging (level 7) on a busy core router can overwhelm the syslog server with debug messages, causing log loss. Best practice is to use logging trap notifications (level 5) for production and only enable debugging temporarily. Also, ensure the syslog server is reachable and that UDP port 514 is not blocked by firewalls. If the server goes down, messages are lost (UDP is unreliable). Some organizations use TCP for guaranteed delivery, but this can cause backpressure. Finally, always use NTP to synchronize clocks; otherwise, logs from different devices have inconsistent timestamps, making incident reconstruction difficult.
Exam Objective: 5.6 – Interpret Syslog Messages, Severity Levels, and Facilities
The 200-301 v2.0 exam tests your ability to read a syslog message and identify its severity, facility, and meaning. You may be given a message like %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down and asked what severity 5 means (Notice). You might also be asked to configure syslog logging with the correct commands.
New in CCNA v2
This objective is entirely new in the 200-301 v2.0 blueprint (effective 2026). In v1.1, syslog was not explicitly listed; it was implied under network management. Cisco added it to support the new 'AI and Network Operations' domain, which accounts for 10% of the exam. Candidates who studied v1.1 only will miss this topic. You must now understand syslog message format, severity levels, and facility codes.
Common Wrong Answers and Why
Confusing severity 0 (Emergency) with 7 (Debug): Candidates often think higher number = more severe because of everyday usage (e.g., 'level 10 emergency'). Remember: 0 is the most critical.
Thinking `logging trap` affects console output: It does not. logging trap controls messages sent to the syslog server; logging console controls console output.
Assuming all syslog messages use RFC 5424 format: Cisco IOS uses RFC 3164 style by default (e.g., %FACILITY-SEVERITY-MNEMONIC). RFC 5424 is used in newer IOS XE but not heavily tested.
Forgetting that syslog uses UDP port 514: Some candidates confuse it with SNMP (UDP 161/162) or NTP (UDP 123).
Specific Values to Memorize
Severity levels: 0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notice, 6=Informational, 7=Debug.
Facilities: local0=16, local1=17, ..., local7=23.
Default logging: console debugging, buffer debugging, trap informational.
Commands: logging host, logging trap, logging facility, logging on, show logging.
Decision Rule for Scenario Questions
If a question asks 'Which syslog message is most critical?', look for the lowest severity number. If asked to configure logging to send only errors and more critical to a server, use logging trap 3 (Error) or logging trap errors. Remember: lower number = higher priority. For facility questions, if a message starts with %LOCAL7-..., facility is local7.
[CCNA v2 NEW] Syslog interpretation is a new exam objective under the AI and Network Operations domain (10% of exam).
Syslog severity levels: 0 (Emergency) is most critical; 7 (Debug) is least critical.
Common facilities: local0-local7 (16-23); Cisco default is local7.
Syslog uses UDP port 514 by default; TCP 6514 with TLS for secure logging.
The `logging trap` command sets the severity threshold for messages sent to the syslog server.
The `show logging` command displays current logging configuration and buffer contents.
Syslog messages on Cisco IOS use format: %FACILITY-SEVERITY-MNEMONIC: description.
These come up on the exam all the time. Here's how to tell them apart.
Syslog
Uses UDP port 514 by default
Text-based messages (RFC 3164 or 5424)
Severity levels 0-7
Facility codes identify source
Unsolicited event notification
SNMP Traps
Uses UDP port 162 by default
Binary encoded (BER) in MIB format
Severity is vendor-defined (often 0-6)
OID identifies source
Can be polled (get/response) or traps (unsolicited)
Mistake
Higher severity numbers are more critical (e.g., 7 is worse than 0).
Correct
Lower numbers are more critical. Severity 0 (Emergency) is the most critical; 7 (Debug) is the least.
This is counterintuitive because in everyday language we often use higher numbers to indicate greater severity.
Mistake
The `logging trap` command controls which messages appear on the console.
Correct
`logging trap` controls messages sent to the syslog server. `logging console` controls console output.
Candidates confuse the two because both filter based on severity, but they apply to different destinations.
Mistake
Syslog messages always follow RFC 5424 format with structured data.
Correct
Cisco IOS uses RFC 3164 format (e.g., %FACILITY-SEVERITY-MNEMONIC). RFC 5424 is used in newer IOS XE but is not the default.
RFC 5424 is newer and more structured, but Cisco devices have historically used RFC 3164. The exam tests the Cisco format.
Mistake
Syslog uses TCP port 514 by default for reliable delivery.
Correct
Syslog uses UDP port 514 by default. TCP (port 6514) is optional and typically used with TLS for secure logging.
Many candidates assume logging should use TCP for reliability, but the standard default is UDP.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Severity indicates the importance or urgency of the message (0-7, with 0 being most critical). Facility identifies the source or subsystem that generated the message (e.g., kernel, mail, local use). Both are encoded into a single PRIORITY value (facility * 8 + severity). On Cisco devices, the severity is shown in the message format (e.g., %LINK-3-UPDOWN has severity 3). Facility is not shown in the message text but is included in the PRIORITY. You can set the facility with `logging facility`.
Use the `show logging` command to view the local log buffer. This displays recent messages along with logging configuration. To see real-time messages, connect via console or use `terminal monitor` from a Telnet/SSH session (if logging monitor is enabled). For persistent storage, configure a syslog server using `logging host <ip>` and use external tools to view logs.
The default trap severity level is 'informational' (level 6). This means messages with severity 0-6 (Emergency through Informational) are sent to the syslog server. Debug messages (level 7) are not sent by default. You can change this with `logging trap <level>`.
Yes. While the default is UDP (port 514), you can configure TCP by adding `transport tcp` to the `logging host` command. For example: `logging host 10.1.1.100 transport tcp`. TCP provides reliable delivery but can cause backpressure if the server is slow. For secure logging, use TCP with TLS (port 6514) using `logging host 10.1.1.100 transport tcp tls`.
Timestamps allow you to correlate events across multiple devices to reconstruct incidents. Without accurate timestamps (e.g., from NTP), logs are nearly useless for troubleshooting. Cisco devices can add timestamps to syslog messages using `service timestamps log datetime msec` or `service timestamps log uptime`. The exam expects you to know that NTP synchronization is critical for accurate logging.
This message has facility SYS (system), severity 5 (Notice), and indicates that the configuration was changed from the console by user 'admin'. It is a normal, significant event. Severity 5 is Notice, which is less critical than Error but more important than Informational. This message is useful for auditing configuration changes.
To filter messages sent to the syslog server, use `logging trap 3` (or `logging trap errors`). For console output, use `logging console 3`. For buffer, use `logging buffered 3`. Remember: lower severity number = higher priority, so 'errors' (3) includes 0-3. If you want only errors (3) and above (0-2), use level 3.
You've just covered Interpreting Syslog Messages, Severity Levels, and Facilities — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?