Syslog Severity Reference

Reference for syslog severity levels (0-7), facility codes, and message formats, with the recommended action for each severity level when you use syslog for network monitoring and troubleshooting.

Severity Levels (RFC 5424)

Code | Keyword | Description
0 | Emergency | System is unusable
1 | Alert | Action must be taken immediately
2 | Critical | Critical conditions
3 | Error | Error conditions
4 | Warning | Warning conditions
5 | Notice | Normal but significant condition
6 | Informational | Informational messages
7 | Debug | Debug-level messages

Lower numbers are more urgent. As a rule of thumb: page someone on 0-3, notify on 4, log 5-6, and enable 7 only while troubleshooting.

Facility Codes

Code | Keyword | Description
0 | kern | Kernel messages
1 | user | User-level messages
2 | mail | Mail system
3 | daemon | System daemons
4 | auth | Security/authorization messages
5 | syslog | Messages generated internally by syslogd
6 | lpr | Line printer subsystem
7 | news | Network news subsystem
8 | uucp | UUCP subsystem
9 | cron | Clock daemon
10 | authpriv | Security/authorization messages (private)
11 | ftp | FTP daemon
12 | ntp | NTP subsystem
13 | security | Log audit
14 | console | Log alert
15 | solaris-cron | Clock daemon (Solaris)
16-23 | local0-local7 | Local use 0-7 (what most network devices send)

Codes and descriptions are from RFC 5424 Table 1; the keywords are the ones rsyslog and syslog-ng use in selectors.

Priority Calculator

Priority = Facility × 8 + Severity

To decode a PRI, divide by 8: Facility = PRI ÷ 8 (integer part), Severity = PRI mod 8. Valid PRI values run from 0 (kern.emerg) to 191 (local7.debug); anything outside that range is a malformed message.

Figure 1 — Syslog Severity Reference

Understanding Syslog

Syslog is the standard logging protocol (RFC 5424, with the older BSD format documented in RFC 3164) used by virtually every network device — routers, switches, firewalls, servers, and even IoT devices. It provides a structured way to collect, transmit, and store log messages for monitoring, troubleshooting, and security auditing.

Every syslog message has two key attributes: a facility (the source category) and a severity (the urgency level). Together, these determine the message's priority value, which syslog servers use for filtering and alerting.

Syslog Message Format

A standard syslog message follows this format defined in RFC 5424 (a lone "-", the NILVALUE, stands in for any header field the sender does not populate):

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG

# Example (APP-NAME, PROCID, MSGID and STRUCTURED-DATA are all nil, so four dashes):
<132>1 2024-01-15T14:30:00.000Z switch01 - - - - Interface Gi0/1 changed state to up

# BSD format (RFC 3164, still what most network devices send; no year, no timezone):
<131>Jan 15 14:30:00 switch01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up

Use the priority calculator above to encode and decode PRI values. The PRI value <132> means facility 16 (local0) × 8 + severity 4 (warning) = 132; <131> is the same facility at severity 3 (error). Cisco IOS messages also carry their own severity digit in the %FACILITY-SEVERITY-MNEMONIC tag (the 3 in %LINK-3-UPDOWN), which should agree with the PRI; if the two disagree, something between the device and the collector is rewriting the priority.
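The encode/decode arithmetic and both message formats, as an added Python example (this is not code from the original page): it validates the PRI range, parses RFC 5424 and RFC 3164 lines into facility, severity, host and message, and cross-checks the severity digit embedded in Cisco %FACILITY-SEVERITY-MNEMONIC tags against the PRI. The sample lines are constructed; switch01, fw01, mymachine and the interface names are hypothetical.

```python
"""Syslog PRI arithmetic plus RFC 5424 / RFC 3164 parsing.

Added example, not from the original page. Sample messages are constructed;
the hostnames (switch01, fw01, mymachine) and interface names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5424 Table 2 (severity) and Table 1 (facility), keywords as used by rsyslog.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = Facility * 8 + Severity, e.g. local0 (16) + warning (4) = 132."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse: facility = PRI // 8, severity = PRI % 8. Valid PRI is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0-191")
    return divmod(pri, 8)


@dataclass
class SyslogMessage:
    pri: int
    facility: int
    severity: int
    rfc: str                     # "5424" or "3164"
    timestamp: str
    hostname: str
    msg: str
    app_name: Optional[str] = None
    structured_data: Optional[str] = None

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
#           SP STRUCTURED-DATA [SP MSG]; NILVALUE is "-". Escaped "]" inside
#           SD-PARAM values is not handled by this simplified pattern.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD): <PRI>TIMESTAMP SP HOSTNAME SP MSG; TIMESTAMP is "Mmm dd hh:mm:ss"
# with a space-padded day and no year or timezone.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Cisco IOS embeds its own severity digit: %FACILITY-SEVERITY-MNEMONIC:
_CISCO_TAG = re.compile(r"%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+:")


def parse(line: str) -> SyslogMessage:
    """Parse one syslog line (RFC 5424 first, then BSD); raise on bad PRI or format."""
    m = _RFC5424.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage(int(m["pri"]), fac, sev, "5424", m["ts"], m["host"],
                             m["msg"] or "",
                             app_name=None if m["app"] == "-" else m["app"],
                             structured_data=None if m["sd"] == "-" else m["sd"])
    m = _RFC3164.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage(int(m["pri"]), fac, sev, "3164", m["ts"], m["host"], m["msg"])
    raise ValueError(f"unrecognised syslog message: {line!r}")


def cisco_severity(msg: str) -> Optional[int]:
    """Severity digit from a Cisco %FAC-SEV-MNEMONIC tag, or None if absent."""
    m = _CISCO_TAG.search(msg)
    return int(m["sev"]) if m else None


def summarize(lines: List[str]) -> List[str]:
    """One 'facility.severity host msg' line per message, flagging Cisco
    messages whose embedded severity digit disagrees with the PRI."""
    out = []
    for line in lines:
        m = parse(line)
        tag_sev = cisco_severity(m.msg)
        flag = "" if tag_sev in (None, m.severity) else f"  [PRI says {m.severity}, tag says {tag_sev}]"
        out.append(f"{m.facility_name}.{m.severity_name} {m.hostname} {m.msg}{flag}")
    return out


# Constructed sample messages (not captured from real devices).
SAMPLE_LINES = [
    "<132>1 2024-01-15T14:30:00.000Z switch01 - - - - Interface Gi0/1 changed state to up",
    "<131>Jan 15 14:30:00 switch01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    '<165>1 2024-01-15T14:31:00Z fw01 pf 1234 ID47 [exampleSDID@32473 iut="3"] An application event',
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    # Severity mismatch: PRI 133 says notice (5) but the Cisco tag says error (3)
    "<133>Jan 15 14:32:00 switch01 %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
]

if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Feed it a file from your collector (`summarize(open("network-devices.log").read().splitlines())`) and the flagged lines show you where a relay or a misconfigured trap level is rewriting priorities before messages reach you.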

Setting Up a Syslog Server

Centralizing logs from all your network devices makes troubleshooting and security auditing much more efficient. Common syslog server solutions include:

Solution | Platform | License | Best For
rsyslog | Linux | Open Source | Most Linux distributions (default)
syslog-ng | Linux | Open Source / Enterprise | Advanced filtering and routing
Graylog | Linux / Docker | Open Source / Enterprise | Log analysis with web UI
Kiwi Syslog | Windows | Free / Commercial | Windows-based networks
Splunk | Any | Commercial | Enterprise SIEM and analytics

Pro Tip: On Cisco devices, logging host 10.0.0.100 and logging trap warnings send severity 0-4 messages to your syslog server. The trap level is a ceiling, so this captures emergencies through warnings without flooding the collector with notice, info and debug traffic. On consumer routers, check the admin interface (commonly at 192.168.1.1) for a remote syslog option. Pair syslog with SNMP monitoring for complete visibility.

Configuring Syslog on Network Devices

Cisco IOS

! Send syslog to the collector (add a second logging host line for redundancy)
logging host 10.0.0.100
! Trap level is a ceiling: "warnings" (4) sends severities 0-4 and drops 5-7
logging trap warnings
! Tag every message with facility local0 (PRI 128-135) so the server can route it
logging facility local0
! Use a stable source address so the collector can match messages to the device
logging source-interface Loopback0

! Enable timestamps; show-timezone and year make them unambiguous on the collector
service timestamps log datetime msec localtime show-timezone year

Linux (rsyslog)

# /etc/rsyslog.conf
# Accept remote syslog on UDP 514 (what most devices send; lossy and unauthenticated)
module(load="imudp")
input(type="imudp" port="514")

# Also accept TCP 514 for devices that support it (reliable delivery)
module(load="imtcp")
input(type="imtcp" port="514")

# Route network device logs (facility local0, any severity) to their own file
local0.*    /var/log/network-devices.log

Note: Syslog uses UDP port 514 by default. UDP gives no delivery guarantee, so messages are silently dropped under congestion, and no authentication, so the source address of a datagram is trivially spoofed: restrict 514/udp to your device subnets at the firewall (or with rsyslog's $AllowedSender directive) so an attacker cannot inject fake events or flood the collector. For reliable delivery use syslog over TCP, conventionally also port 514 (RFC 6587 framing); for integrity and confidentiality in transit use TLS-encrypted syslog (RFC 5425), whose IANA-assigned port is 6514. Verify the port is reachable with our Port Checker, and synchronize every device with NTP so timestamps across devices can be correlated.
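The transport choice above, as an added Python example (not code from the original page and not rsyslog's own code): it builds RFC 5424 messages, frames them with RFC 6587 octet counting for TCP and TLS, shows why a TCP receiver needs that framing to split the byte stream back into messages, and has senders for UDP (514), plain TCP (514) and TLS (6514, with the collector certificate verified). The collector address 10.0.0.100 is the one from the page's configuration; the CA file path and the sample messages are constructed placeholders.

```python
"""Framing syslog messages for UDP, TCP and TLS transports.

Added example, not from the original page and not rsyslog's own code. The
collector address 10.0.0.100 comes from the page's configuration; the CA path
and the sample messages are constructed placeholders.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional


def build_rfc5424(facility: int, severity: int, hostname: str, app: str,
                  msg: str, timestamp: Optional[str] = None) -> bytes:
    """Minimal RFC 5424 message with NILVALUE ("-") for PROCID, MSGID and SD."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility 0-23, severity 0-7")
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return f"<{facility * 8 + severity}>1 {ts} {hostname} {app} - - - {msg}".encode("utf-8")


def frame_octet_counting(msg: bytes) -> bytes:
    """RFC 6587 octet counting: "MSG-LEN SP SYSLOG-MSG". TCP is a byte stream, so
    messages sent back to back arrive as one blob unless the sender frames them;
    the length prefix is also the only framing that survives a newline inside MSG.
    rsyslog's imtcp and RFC 5425 TLS both accept this framing."""
    return b"%d %s" % (len(msg), msg)


def split_octet_counting(stream: bytes) -> List[bytes]:
    """Receiver side: cut a TCP byte stream back into messages using the counts.
    Raises on a truncated trailing frame instead of returning a partial message."""
    frames, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        start, end = sp + 1, sp + 1 + n
        if end > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[start:end])
        i = end
    return frames


def send_udp(msg: bytes, host: str, port: int = 514) -> None:
    """RFC 5426: one datagram per message, no framing, no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))


def send_tcp(msgs: List[bytes], host: str, port: int = 514) -> None:
    """Plain TCP (conventionally 514/tcp): reliable but unencrypted and unauthenticated."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"".join(frame_octet_counting(m) for m in msgs))


def send_tls(msgs: List[bytes], host: str, cafile: str, port: int = 6514) -> None:
    """RFC 5425 syslog over TLS (IANA port 6514). The collector's certificate is
    verified against cafile, so logs cannot be redirected to a spoofed collector."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(b"".join(frame_octet_counting(m) for m in msgs))


# Constructed sample messages (hostname and interface names are hypothetical).
SAMPLE_MSGS = [
    build_rfc5424(16, 4, "switch01", "ios", "Interface Gi0/1 changed state to down",
                  timestamp="2024-01-15T14:30:00.000Z"),
    # A MSG with an embedded newline: newline-delimited TCP framing would split it in two
    build_rfc5424(16, 3, "switch01", "ios", "Line 1\nLine 2 of the same message",
                  timestamp="2024-01-15T14:30:01.000Z"),
]

if __name__ == "__main__":
    wire = b"".join(frame_octet_counting(m) for m in SAMPLE_MSGS)
    print(wire)
    print(split_octet_counting(wire) == SAMPLE_MSGS)
    # send_udp(SAMPLE_MSGS[0], "10.0.0.100")                              # 514/udp
    # send_tcp(SAMPLE_MSGS, "10.0.0.100")                                 # 514/tcp
    # send_tls(SAMPLE_MSGS, "10.0.0.100", "/etc/ssl/certs/syslog-ca.pem")  # 6514/tcp, TLS
```

The sender functions are left commented out in the demo because they need a listening collector; the framing functions run offline. When you enable TCP on rsyslog's imtcp, confirm the device uses the same framing (octet counting or newline-terminated), or the collector will log the length prefix as part of each message.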

Log Retention Best Practices

Proper log retention balances storage costs with compliance and troubleshooting needs. If you're following PCI-DSS or other compliance frameworks, specific retention periods may be required:

Log Type | Minimum Retention | Recommended | Compliance
Security events (severity 0-3) | 90 days | 1 year | PCI DSS: 1 year (3 months immediately available); HIPAA: 6 years
System events (severity 4-5) | 30 days | 90 days | Varies
Informational (severity 6) | 7 days | 30 days | Optional
Debug (severity 7) | As needed | Delete after troubleshooting | Not required

Key Takeaways
  • Syslog severity ranges from 0 (Emergency) to 7 (Debug) — lower numbers are more critical.
  • Priority = Facility × 8 + Severity. This single number encodes both attributes.
  • Configure network devices to send severity 0-4 (warnings and above) to your syslog server.
  • Pair syslog with SNMP monitoring (64-bit high-capacity interface counters for throughput) for complete visibility: syslog tells you what changed, SNMP tells you how the device is performing.
  • Never leave debug logging enabled in production — it generates massive volume and impacts performance.
  • Centralize logs for efficient auditing and incident response.

Frequently Asked Questions

What syslog severity level should I alert on?

At minimum, alert on severity 0-3 (Emergency through Error). Set up monitoring notifications for severity 4 (Warning) as well — these often indicate problems that will escalate. Severity 5-6 should be logged but not alerted. Severity 7 (Debug) should only be enabled temporarily.

What is the difference between syslog facility and severity?

Facility identifies the source of the message (kernel, auth, local0-7, etc.) while severity indicates the urgency level (0-7). Together they form the PRI value. Network devices commonly use facility local0-local7.

How do I calculate syslog priority?

Multiply the facility code by 8 and add the severity level. For example, facility 16 (local0) with severity 3 (error) = 16 × 8 + 3 = 131. The PRI appears in angle brackets at the start of each message: <131>.

Should I use UDP or TCP for syslog?

UDP (port 514) is the traditional default and is what most devices speak. Use TCP (conventionally also port 514) when reliability is critical: UDP drops messages during network congestion and gives the sender no error. For compliance environments, or anywhere logs cross an untrusted network, use TLS-encrypted syslog (RFC 5425) on port 6514, which also lets the sender verify it is talking to the real collector.

How much storage does syslog require?

A typical network device generates 1-10 MB of logs per day at severity 0-5. With debug enabled, this can jump to 100+ MB. Plan storage based on device count × daily volume × retention period. Use log rotation to manage disk usage.

What is the mnemonic for syslog severity levels?

A common mnemonic is: Every Alley Cat Eats Wild Nuts In December — mapping to Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug (0-7).

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
