Introduction
While studying for CompTIA Network+, I couldn't totally grasp the severity levels in Syslog. There are 8 levels (0 to 7), and what made it even harder was that a smaller number means higher severity - which felt completely counterintuitive.
Once I connected it to practical use cases, everything clicked. So I decided to write it down.
What is Syslog
Firstly, let's understand what Syslog is. It is a standard (RFC 3164, later RFC 5424) that devices use to send log messages to a collector. Routers, switches, servers and applications all speak it.
When an error happens on a router or switch, the device sends the log message to a central Syslog server, so the logs of the whole network are collected and managed in one place.
routers ──→
switches ──→ Syslog server (manage network device logs)
servers ──→
Why central management is needed
Without a Syslog server, engineers have to log in to each network device individually to check logs when an issue occurs. This increases the risk of oversight and makes it harder to identify the root cause quickly.
A Syslog server solves this because it collects the logs of many devices in one place and in time order (which assumes the devices' clocks are synchronized, for example with NTP). An engineer can then follow a chain of failures like this:
" 8 p.m. Level 2 error happens at a router, two minutes later Level 3 error happens at a switch. "
Protocol structure
Most network devices have a built-in Syslog client, so no extra agent is needed.
NW devices (Router・Switch)
└ Built-in Syslog client (generator)
↓ Sends to port UDP 514 (default)
Syslog server (receives・stores・visualizes)
| Role | Name | Example |
|---|---|---|
| Sending side | Syslog clients / Generator | Router ・ Switch |
| Receiving side | Syslog server / Collector | Splunk・Graylog |
Port Number
| Protocol | Port | Features |
|---|---|---|
| UDP 514 | Default (RFC 5426) | Lightweight・Fast・No delivery guarantee |
| TCP 514 | Common alternative (RFC 6587) | Reliable transport (retransmission, in-order delivery)・Still plaintext |
| TCP 6514 | Syslog over TLS (RFC 5425) | Encrypted and authenticated transport |
For the CompTIA Network+ exam, memorizing UDP 514 is enough.
UDP is the traditional default because it is lightweight and connectionless: the device fires the message and never waits for the collector, so logging cannot slow the device down. The price is that some messages can be lost without anyone noticing.
What is Severity Level
A Syslog message carries one of 8 severity levels.
The key point: the smaller the number, the more severe the message. On the wire the severity sits in the `<PRI>` field at the start of the message, where PRI = facility × 8 + severity.
| Level | Name | Meaning (RFC 5424) | Example |
|---|---|---|---|
| 0 | Emergency | System is unusable | OS crash |
| 1 | Alert | Action must be taken immediately | Memory about to be exhausted |
| 2 | Critical | Critical conditions | Hardware failure |
| 3 | Error | Error conditions | Interface down |
| 4 | Warning | Warning conditions | High disk usage |
| 5 | Notice | Normal but significant condition | Configuration change |
| 6 | Informational | Informational messages | User login |
| 7 | Debug | Debug-level messages | Per-packet trace |
Why Number zero is the most severe
The numbering confused me at first because it feels counterintuitive.
In computing it is common for 0 to mean the top priority (Unix nice values work the same way: the lower the number, the higher the priority).
Syslog follows this convention: the level is a rank, and rank 0 is the most important.
Imagining a thermometer makes it easy to understand.
0 Emergency ← 🔥 The hottest (if nobody acts immediately, the system dies)
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug ← 🧊 The coldest (detailed logs for a developer)
In practice:
Level 0 Emergency → wakes the on-call engineer even at midnight
Level 7 Debug → engineers glance at it over a cup of coffee
The higher the number, the calmer the response.
Memorization
Every Awesome Cisco Engineer Will Need Iced Drink
| Word | Level | Name |
|---|---|---|
| Every | 0 | Emergency |
| Awesome | 1 | Alert |
| Cisco | 2 | Critical |
| Engineer | 3 | Error |
| Will | 4 | Warning |
| Need | 5 | Notice |
| Iced | 6 | Informational |
| Drink | 7 | Debug |
Practical use
Set a policy
First, decide which severity levels each device forwards to the Syslog server. On Cisco IOS this threshold is set with `logging trap <level>`: messages at that level and every more severe (smaller) level are sent.
Production environment → Level 3 (Error) and more severe, i.e. levels 0 to 3
Development environment → every level up to 7 (Debug)
If every level is forwarded, the sheer volume of logs can bury the critical ones, so production environments usually forward a limited set. One caveat: a cut-off at Error also drops Notice and Informational messages such as configuration changes and logins, which security monitoring depends on, so many teams forward up to level 6 and filter at the collector instead.
Decide storage and response per level
Levels 0 to 2 → immediate response
Levels 3 to 4 → confirm by the next business day
Levels 5 to 7 → confirm during regular review
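Putting the forwarding threshold and the response tiers together on sample log lines, as an added example that is not part of the original post: the severity is read from the `<PRI>` field at the start of each line, a threshold is applied the way `logging trap <level>` works on Cisco IOS, and the survivors are bucketed into the tiers above. The log lines, host names and the `dropped_audit_events` helper are constructed for this example.

```python
import re
from typing import Dict, List

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Response tiers from the policy above: severity -> how fast someone looks at it.
TIERS = {
    "immediate": range(0, 3),            # levels 0..2
    "next business day": range(3, 5),    # levels 3..4
    "regular review": range(5, 8),       # levels 5..7
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def severity_of(line: str) -> int:
    """Severity is the low three bits of PRI (PRI = facility * 8 + severity)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> field: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                        # facility 23 * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return pri & 0x7


def tier_of(severity: int) -> str:
    for name, levels in TIERS.items():
        if severity in levels:
            return name
    raise ValueError(f"severity out of range: {severity}")


def triage(lines: List[str], trap_level: int) -> Dict[str, List[str]]:
    """Keep lines with severity <= trap_level (what 'logging trap <level>' does),
    then bucket the survivors by response tier. Everything else is 'dropped'."""
    out: Dict[str, List[str]] = {name: [] for name in TIERS}
    out["dropped"] = []
    for line in lines:
        sev = severity_of(line)
        if sev <= trap_level:
            out[tier_of(sev)].append(line)
        else:
            out["dropped"].append(line)
    return out


# Constructed sample lines in RFC 3164 style; hosts and texts are made up.
# PRI uses facility local7 (23 -> 184 + severity) except the sshd line,
# which uses facility auth (4 -> 32 + severity).
SAMPLE_LINES = [
    "<186>Jan  2 03:04:05 core-sw1 env: Power supply 1 failed",                        # 2 Critical
    "<187>Jan  2 03:04:07 edge-rtr1 link: GigabitEthernet0/1 changed state to down",   # 3 Error
    "<188>Jan  2 03:04:09 edge-rtr1 sys: CPU utilization 92 percent",                  # 4 Warning
    "<189>Jan  2 03:05:00 edge-rtr1 config: Configured from console by admin",         # 5 Notice
    "<38>Jan  2 03:05:30 bastion sshd: Accepted publickey for alice from 10.0.0.9",    # 6 Informational
    "<191>Jan  2 03:05:31 edge-rtr1 ip: packet trace src=10.0.0.9 dst=10.0.0.1",       # 7 Debug
]


def dropped_audit_events(lines: List[str], trap_level: int) -> List[str]:
    """The caveat from the policy section: Notice (5) and Informational (6)
    carry config changes and logins. Returns the ones a threshold would discard."""
    return [l for l in triage(lines, trap_level)["dropped"]
            if severity_of(l) in (5, 6)]


if __name__ == "__main__":
    for level in (3, 6):
        result = triage(SAMPLE_LINES, level)
        print(f"threshold {level} ({SEVERITY_NAMES[level]}):")
        for tier, bucket in result.items():
            print(f"  {tier:18s} {len(bucket)}")
        print("  audit events lost:", len(dropped_audit_events(SAMPLE_LINES, level)))
```

With the production threshold of 3, only the power-supply and interface lines survive; the configuration change and the SSH login are among the four dropped lines, which is exactly the blind spot the caveat above warns about. Raising the threshold to 6 keeps them and drops only the debug trace.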
Point to note about UDP
UDP is a transport protocol, not a port, and it prioritizes speed over reliability: there is no acknowledgement, so a datagram lost during a network problem, or while the collector is down, is simply gone and the sender never knows. Plain UDP (and plain TCP) Syslog also carries no authentication: anyone on the path can read the messages, and a forged message with a spoofed source address is accepted like any other.
TCP gives reliable transport, and TLS adds encryption plus authentication of the server (optionally of the client too), so they are preferred for important systems such as production environments.
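To make the transport concrete, here is an added example, not part of the original post, covering both the port table above and the UDP caveat: it builds an RFC 5424 message with the `<PRI>` field, delivers it over UDP to a loopback collector, and then sends to a port nobody is listening on to show that UDP reports success anyway. The host name, app name, sample event and the use of an OS-chosen port instead of the privileged default 514 are assumptions of this example.

```python
import socket
from datetime import datetime, timezone
from typing import Optional, Tuple

# Facility codes from RFC 5424 section 6.2.1 (a subset).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local7": 23}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, so the severity is the low three bits."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return pri // 8, pri % 8


def build_rfc5424(facility: int, severity: int, hostname: str, appname: str,
                  msg: str, ts: Optional[datetime] = None) -> bytes:
    """Minimal RFC 5424 message:
    <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    '-' is the NILVALUE for the fields left empty here."""
    ts = ts or datetime.now(timezone.utc)
    header = f"<{encode_pri(facility, severity)}>1 {ts.isoformat()} {hostname} {appname} - - -"
    return f"{header} {msg}".encode("utf-8")


def sample_message() -> bytes:
    """Constructed sample: an 'interface down' event (severity 3 = Error) from
    facility local7, the default facility on Cisco IOS. Host and app names are
    made up for this example; the fixed timestamp keeps the output repeatable."""
    ts = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    return build_rfc5424(FACILITIES["local7"], 3, "edge-rtr1", "ifmgr",
                         "GigabitEthernet0/1 changed state to down", ts)


def loopback_roundtrip(wire: bytes) -> bytes:
    """Run a tiny UDP collector on 127.0.0.1, send `wire` to it and return what
    it received. Port 0 lets the OS pick a free port; the real default, 514, is
    privileged and would need root."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind(("127.0.0.1", 0))
        collector.settimeout(2.0)
        port = collector.getsockname()[1]
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(wire, ("127.0.0.1", port))   # one datagram, no handshake
        finally:
            sender.close()
        data, _addr = collector.recvfrom(65535)
        return data
    finally:
        collector.close()


def fire_and_forget(wire: bytes) -> int:
    """Send to a port where nothing listens. UDP still returns the byte count:
    the sender cannot tell that the collector is down, which is the
    'no delivery guarantee' in the port table."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()                                       # nothing listens on dead_port now
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sender.sendto(wire, ("127.0.0.1", dead_port))
    finally:
        sender.close()


if __name__ == "__main__":
    wire = sample_message()
    print(wire.decode())
    print("facility, severity =", decode_pri(int(wire[1:wire.index(b">")])))
    print("collector received it:", loopback_roundtrip(wire) == wire)
    print("bytes 'sent' to a dead port:", fire_and_forget(wire), "(no error raised)")
```

The PRI of the sample is 187 = 23 × 8 + 3, so the collector recovers facility local7 and severity Error from the first field alone. The last call is the whole UDP caveat in one line: it returns the byte count even though the message went nowhere, and a device forwarding to a collector that is down behaves the same way.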
Conclusion
The counterintuitive numbering - where a smaller number means higher severity - combined with eight levels to memorize, made this topic one of the hardest to grasp.
The mnemonic and thermometer analogy make it easier to remember. Connecting it to practical use cases accelerates understanding even further.
Top comments (2)
Solid breakdown. Syslog is one of those things that seems simple until you’re knee-deep in an incident and need to correlate severity levels with what was actually happening on the wire. Your explanation sets a great foundation for that kind of troubleshooting.
Thank you for your comment!
I'm glad to hear that you found it helpful.
It was hard for me to grasp these concepts since I don't have hands-on experience with real systems. I hope this helps anyone else in the same situation.