📘 CCNA 200-301 v1.1
4.5 Describe the use of syslog features, including facilities and severity levels
Overview
Syslog is a protocol used by network devices (like routers, switches, firewalls) and servers to send messages about events or problems. It helps network administrators monitor, troubleshoot, and manage network devices.
Think of it as a “notification system” inside your network that tells you what’s happening in your devices.
Key Features of Syslog
- Centralized Logging
  - Devices can send their logs to a central syslog server.
  - This makes it easier to see all network activity in one place, instead of checking each device individually.
- Message Structure
  - Every syslog message has:
    - Timestamp: When the event happened.
    - Device name: Which device sent the message.
    - Facility: What type of process or system component is sending the message.
    - Severity level: How serious the event is.
    - Message text: Description of the event.
- Transport Protocol
  - Syslog usually uses UDP port 514 to send messages.
  - It’s lightweight, so messages are sent quickly (UDP gives no delivery guarantee, so a message lost in transit is simply gone).
Facilities in Syslog
A facility identifies the type of program or service generating the message.
It’s like saying, “This message is coming from the routing process, or the security system, or the system itself.”
Here are some important syslog facilities:
| Facility Name | Description |
|---|---|
| auth | Security and authentication messages (like login attempts) |
| cron | Scheduled task messages (automated jobs on a device) |
| daemon | System processes or background programs |
| kern | Messages from the kernel (core of the operating system) |
| local0–local7 | Reserved for custom messages from applications or devices |
| syslog | Internal syslog messages |
Use in IT networks:
- If a network admin wants to monitor login attempts to a router, they can configure the syslog server to capture only messages from the auth facility.
- If they want all system process issues, they can focus on daemon.
Severity Levels in Syslog
Syslog messages also include a severity level, which tells how important or urgent the message is. There are 8 levels, from most critical to least critical:
| Numeric Value | Severity Level | Meaning | IT Example |
|---|---|---|---|
| 0 | Emergency | System is unusable | Router core process crashed |
| 1 | Alert | Immediate action required | Router cannot route traffic |
| 2 | Critical | Critical condition | Interface down on a core switch |
| 3 | Error | Error condition | Failed login attempt |
| 4 | Warning | Warning condition | High CPU usage on a router |
| 5 | Notice | Normal but significant | Interface status changed |
| 6 | Informational | Informational messages | Successful login |
| 7 | Debug | Debugging messages | Routing table update details |
Use in IT networks:
- Severity levels help filter messages on a syslog server.
- For example, an admin might configure the syslog server to only save messages of severity 0–3 to focus on serious issues, and ignore debug messages (level 7) unless troubleshooting.
Summary: How It Works in IT Environments
- A router detects an event (like an interface going down).
- It creates a syslog message with:
  - Facility: e.g., daemon
  - Severity: e.g., 2 (critical)
  - Timestamp and device name
  - Message text: “Interface Gig0/1 down”
- The message is sent to the syslog server (UDP 514).
- The syslog server collects messages from multiple devices and allows filtering by facility and severity for easy monitoring.
- Network admins use this to detect problems, generate alerts, and perform troubleshooting efficiently.
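As an added worked example (not part of the original notes), the Python below does what the syslog server in the summary does: it parses constructed RFC 3164 lines, decodes the PRI field into facility and severity (on the wire PRI = facility × 8 + severity, a detail from the standard that the notes above do not spell out), and applies the two filters described earlier, severity 0–3 only and auth-facility only. The hostnames, timestamps and message texts are made up.

```python
import re
from collections import namedtuple

# Facility and severity numbers come from RFC 3164; the names match the
# tables above (PRI on the wire is facility * 8 + severity).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# BSD-style line: <PRI>Mmm dd hh:mm:ss HOSTNAME free-form text
PATTERN = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
SyslogMsg = namedtuple("SyslogMsg", "facility severity timestamp host text")

def parse(line):
    """Split one syslog line into its fields, decoding PRI."""
    m = PATTERN.match(line)
    if not m or int(m.group(1)) > 191:      # 191 = local7 (23) * 8 + debug (7)
        raise ValueError("not a valid RFC 3164 syslog line: %r" % line)
    facility, severity = divmod(int(m.group(1)), 8)
    return SyslogMsg(FACILITIES.get(facility, "unknown"), severity,
                     m.group(2), m.group(3), m.group(4))

def select(lines, max_severity=7, facilities=None):
    """Server-side filter: keep severity <= max_severity (0 is most urgent),
    optionally restricted to the named facilities."""
    kept = []
    for line in lines:
        msg = parse(line)
        if msg.severity <= max_severity and (not facilities or msg.facility in facilities):
            kept.append(msg)
    return kept

# Constructed sample messages (not captured from a real device).
SAMPLE = [
    "<38>Mar  1 10:00:01 R1 login: user admin logged in",         # auth, info (6)
    "<35>Mar  1 10:00:05 R1 login: failed login for user root",   # auth, error (3)
    "<26>Mar  1 10:01:10 SW1 daemon: Interface Gig0/1 down",      # daemon, critical (2)
    "<31>Mar  1 10:01:12 SW1 daemon: routing table updated",      # daemon, debug (7)
    "<12>Mar  1 10:02:00 R1 cpu: high CPU usage 91%",             # user, warning (4)
]

if __name__ == "__main__":
    for m in select(SAMPLE, max_severity=3):          # the 0-3 policy from above
        print(m.timestamp, m.host, m.facility, SEVERITIES[m.severity], m.text)
```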
✅ Key points to remember for the CCNA exam:
- Syslog is for logging network events.
- Facility identifies the source/system component of the message.
- Severity level shows how critical the message is.
- Syslog uses UDP port 514 and can be centralized on a server.
- Helps in monitoring, alerting, and troubleshooting network devices.
