System | CCNA 200-301

Syslog Severity Level Too High — Critical Events Missing

Presenting Symptom

Critical syslog messages (e.g., interface down, OSPF neighbor loss) are not appearing in the log, while lower-severity messages (e.g., debugging) are displayed.

Network Context

A small branch office with a Cisco 4321 ISR running IOS XE 16.9. The router connects to the corporate WAN via a serial link and has a single LAN segment. The network engineer is troubleshooting intermittent connectivity issues but notices that expected critical syslog messages are missing from the log buffer.

Diagnostic Steps

1. Check current syslog severity level configuration

show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 0 messages logged
    Trap logging: level informational, 0 message lines logged
    Logging to 192.168.1.100 (udp port 514, audit disabled, link up):
              0 message lines logged
              Logging Source Interface: Loopback0

Look at the 'Buffer logging:' line. If it shows 'level debugging', all messages from severity 0-7 are logged. If it shows a less verbose level (e.g., 'level informational'), only messages with severity 0-6 are logged. Here the buffer logging level is already set to the highest numeric level (debugging), yet critical messages are missing, which suggests the issue is elsewhere.

2. Verify the logging severity levels for each destination

show running-config | include logging
logging buffered 4096 debugging
logging console debugging
logging monitor debugging
logging trap informational
logging host 192.168.1.100

If 'logging buffered' is set to 'debugging', all messages are logged. However, if critical messages are still missing, the buffer may be too small, so older messages are overwritten. Alternatively, if the level is set to 'informational' or a numerically higher level, critical messages (severity 0-2) are still included, so the problem is not the severity level itself.

3. Check the size of the logging buffer

show logging | include Buffer
Buffer logging: level debugging, 0 messages logged
Log Buffer (4096 bytes):

If the buffer size is small (e.g., 4096 bytes), it can fill up quickly with debugging messages, causing critical messages to be overwritten. The output shows the buffer size in bytes. A small buffer combined with the most verbose severity level (debugging) can cause critical messages to be lost.

4. Examine the actual log buffer contents

show log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 0 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 0 messages logged
    Trap logging: level informational, 0 message lines logged
    Logging to 192.168.1.100 (udp port 514, audit disabled, link up):
              0 message lines logged
              Logging Source Interface: Loopback0

Log Buffer (4096 bytes):

*Mar  1 00:00:01.123: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:00:02.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Mar  1 00:00:03.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
... (only a few lines, no critical messages like %OSPF-5-ADJCHG or %LINEPROTO-3-UPDOWN)

If the buffer contains only low-severity messages and is nearly full, it indicates that the buffer is too small and is being flooded with debugging messages, causing critical messages to be overwritten. The absence of expected critical messages confirms the issue.

Root Cause

The logging buffer size is too small (4096 bytes) and the buffer logging level is set to 'debugging', causing the buffer to fill up rapidly with verbose debugging messages. Critical messages (severity 0-2) are generated but are overwritten before they can be viewed.

Resolution

Increase the logging buffer size and set an appropriate severity level. Use the following commands:

1. `logging buffered 16384 warnings` - Sets the buffer size to 16384 bytes and the severity level to 'warnings' (severity 4), which includes severities 0-4 (emergencies, alerts, critical, errors, and warnings).
2. `no logging console` (optional, to reduce console output) - Disables console logging to prevent CPU overhead.
3. `logging host 192.168.1.100` (if not already configured) - Sends logs to a syslog server for persistent storage.

Alternatively, to keep debugging but increase the buffer: `logging buffered 65536 debugging`
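The interaction between buffer size and severity level described above can be reproduced offline. The following is an added example, not part of the original scenario and not IOS's actual implementation: it models `logging buffered <size> <level>` as a byte-bounded circular buffer and replays a constructed message stream (the `%DEMO-7-TRACE` mnemonic, the Serial0/1/0 interface and the neighbor address are assumptions made for the demo).

```python
import re
from collections import deque

# Keyword order matches severity numbers 0-7.
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]
# IOS messages carry the severity as the digit in %FACILITY-SEVERITY-MNEMONIC.
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")

def severity(line):
    """Return the severity digit of a line; unlabelled lines are treated
    as debugging (7), a modelling assumption for raw debug output."""
    m = MSG_RE.search(line)
    return int(m.group(2)) if m else 7

def simulate_buffer(lines, size_bytes, level):
    """Simplified model of 'logging buffered <size> <level>': keep messages
    with severity <= level, evict the oldest once size_bytes is exceeded."""
    threshold = LEVELS.index(level)
    buf, used = deque(), 0
    for line in lines:
        if severity(line) > threshold:
            continue                         # filtered by the level keyword
        buf.append(line)
        used += len(line) + 1                # +1 for the newline
        while used > size_bytes:             # circular buffer: drop oldest
            used -= len(buf.popleft()) + 1
    return list(buf)

def sample_stream():
    """Constructed input: two events of interest, then a debug flood."""
    events = [
        "*Mar  1 00:01:00.000: %LINK-3-UPDOWN: Interface Serial0/1/0, "
        "changed state to down",
        "*Mar  1 00:01:00.500: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 "
        "on Serial0/1/0 from FULL to DOWN",
    ]
    noise = [f"*Mar  1 00:01:{i % 60:02d}.900: %DEMO-7-TRACE: "
             f"constructed debug line {i}" for i in range(200)]
    return events + noise

if __name__ == "__main__":
    stream = sample_stream()
    for size, level in [(4096, "debugging"), (16384, "warnings"),
                        (65536, "debugging")]:
        kept = simulate_buffer(stream, size, level)
        important = [l for l in kept if severity(l) <= 5]
        print(f"logging buffered {size} {level}: {len(kept)} lines kept, "
              f"{len(important)} with severity <= 5")
```

In this model `logging buffered 16384 warnings` keeps the %LINK-3-UPDOWN event but filters %OSPF-5-ADJCHG, because a severity-5 message passes only at 'notifications' or a more verbose level.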

Verification

Run `show logging` and verify:

- Buffer logging: level warnings, X messages logged
- Log Buffer (16384 bytes): should show critical messages like %OSPF-5-ADJCHG or %LINK-3-UPDOWN.

Also run `show log` to see that critical messages are now present and not overwritten.

Prevention

1. Set logging buffer size to at least 16384 bytes (or larger) in production networks.
2. Use a syslog server to store logs externally, preventing loss due to buffer overflow.
3. Avoid setting buffer logging to 'debugging' unless actively troubleshooting; use 'warnings' or 'notifications' for normal operations.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of syslog severity levels (0-7) and the impact of buffer size on log retention. Expect multiple-choice questions asking which severity level includes certain messages, or troubleshooting questions where you must identify why critical logs are missing. Key fact: Severity levels are 0 (emergencies) to 7 (debugging); 'logging buffered' command syntax includes size and level.

Exam Tips

1. Memorize the syslog severity levels: 0-emergencies, 1-alerts, 2-critical, 3-errors, 4-warnings, 5-notifications, 6-informational, 7-debugging.

2. Remember that 'logging buffered <size> <level>' sets both buffer size and severity; if level is omitted, it defaults to debugging.

3. Be aware that a small buffer with debugging level can cause critical messages to be overwritten; the exam may present a scenario where 'show logging' shows buffer full but no critical messages.
