Syslog Trap Levels – What are They and Diagram Tutorial!

syslog trap levels

Jeff Parker

Syslog, the event logging standard used in conjunction with Syslog servers, uses a message format that includes timestamp, facility, and severity level.

The Syslog Severity level ranges between 0 to 7. Each number points to the relevance of the action reported.

From a debugging message (7) to a completely unusable system (0).

The Syslog Message Format

The format of a Syslog trap message is:

seq no:timestamp%FACILTY-SEVERITY-MNEMONIC:DescriptionText

As shown in the following message, the Severity “field” can be found within the message.

Syslog Trap Levels

Each section of the message provides the following information:

  • Seq no:
    It is the sequence number of the message log.
  • Timestamp:
    Date and time when the message was created.
  • Facility:
    This component represents the process, modules, or protocols that created the syslog event. It could be the mail system, the kernel, clock, line printer, network, etc.
  • Severity:
    A single digit ranging from 0 to 7 that determines the importance of the reported event.
    [Optional] This is a text that describes the message.
  • Description Text:
    Provides more information on the reported event.

The Syslog Severity Levels in Detail

Level Keyword Brief Description
0 Emergency Panic: The network is useless.
1 Alert Something bad happened, deal with it NOW!
2 Critical Something bad is about to happen, deal with it NOW!
3 Error A failure in the system that needs attention.
4 Warning Something will happen if it is not dealt within a timeframe.
5 Notification Normal but significant conditions.
6 Informational Informative but not important.
7 Debugging Lots of unnecessary messages. Only relevant for developers


1. Emergency:

An urgent crisis that must be dealt with immediately. This condition is usually affecting everything in the network, all remote sites, applications, and servers. This kind of severity is rare but it could be destructive.

2. Alert:

An alert is a condition that must be dealt with immediately. Alert indicates that something already happened. It could be a corrupted database or loss in the primary connection to the ISP.

3. Critical:

This level indicates that something bad is about to happen and must be corrected right away. It usually indicates failure in a primary system (or link) of a backup solution. It could be a failure in a system’s primary application or an expired license.

4. Error:

A failure in a system that is usually not urgent but should be dealt within a reasonable time frame. A few examples of errors are when an application exceeded the storage, memory allocation, file not found, etc.

5. Warning:

A notice that if action is not taken an error will occur. Warnings are usually message logs such as “file system is 89%” or “there is only 2GB remaining of free space.”

6. Notification:

This is usually a normal condition but that must be considered. An event that could lead into a potential issue in the future which might require special care but no immediate action is needed. Examples are unsupported commands, installed license notifications, root admin actions, etc.

7. Informational:

Logs containing information about normal operations. These messages do not require any action whatsoever. These can be used for creating reports, or planning for capacity. Examples are when an application started or ended successfully, throughput metrics, etc.

8. Debugging:

Debugging is not useful for day to day operations. This type of Syslog level is only useful for developers who are identifying and removing existing and potential errors in the software code.