Deciphering syslog facilities

Anyone with experience configuring Cisco routers is no doubt familiar with the following console message:

 %SYS-5-CONFIG_I: Configured from console by console

This message appears (if console logging is enabled) whenever global configuration mode is exited. Similarly, you've probably noticed this pair of messages whenever opening an interface:

%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

These are syslog messages, generated by events on the router. If remote logging is configured (with the logging host command), these messages are sent to a centralized syslog server for archival and analysis. Syslog archives are typically integrated with a network management service for correlation with other events.

The human-friendly text of most messages is easy enough to interpret, but the beginning string of each takes a bit of explanation. The string beginning with the percent sign (%) consists of three parts:

• Cisco facility (and optional subfacility on certain platforms)
• Syslog severity level
• Mnemonic

The facility indicates the device, protocol, or software module which generated the message. IOS 12.4 includes several hundred facilities, listed here. These are Cisco-specific values, not to be confused with the facility types used by the Syslog protocol itself (IOS uses syslog facility LOCAL7 by default).

The severity level is a single digit from 0 to 7, indicating the severity of the message. The severity levels are:

• 0 - Emergency
• 1 - Alert
• 2 - Critical
• 3 - Error
• 4 - Warning
• 5 - Notification
• 6 - Informational
• 7 - Debugging

The mnemonic is simply a short code which serves to identify the error message. It allows for quick reference of a message without having to refer to the entire output. All of these mnemonics, along with their applicable facilities, can be referenced in these two volumes.