Syslog severity levels: when to use Alert vs Critical

Tags: rsyslog, syslog

Short overview: Is Alert more severe than Critical?

RFC 5424 briefly defines syslog severity levels and gives a short description. Each syslog level is given a code 0 – 7. It was my understanding that 0 (Emergency) was most severe and 7 (Debug) was least.

However I'm questioning 1 (Alert) and 2 (Critical). The definitions in RFC 5424 are:

  • Alert: action must be taken immediately
  • Critical: critical conditions

However, on this site they give a longer description (which is obviously personal opinion) but define them as:

  • Alert: Should be corrected immediately – notify staff who can fix the problem – example is loss of backup ISP connection
  • Critical: Should be corrected immediately, but indicates failure in a primary system – fix CRITICAL problems before ALERT – example is loss of primary ISP connection

This seems backwards, as it implies that Critical is more severe than Alert even though RFC 5424 seems to place Alert as more severe. I was just wondering if there's an official stance on this or any best practices?
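The numeric ordering the question refers to is what a log pipeline actually acts on: the PRI field at the start of an RFC 5424 message encodes facility * 8 + severity, and a lower severity code means a more severe condition, so a filter for "Critical or worse" must use a less-than-or-equal comparison on the code, not the English labels. The following decoder and triage filter is an added example, not code from the question or the answer; the message lines it processes are constructed for illustration, and the `triage` threshold parameter is an assumption of this example rather than anything the RFC specifies.

```python
"""Decode the RFC 5424 PRI field and rank messages by severity.

Added example (not part of the original post). PRI = facility * 8 + severity,
with severity 0 (Emergency) the most severe and 7 (Debug) the least, so the
RFC places Alert (1) above Critical (2).
"""
import re

# RFC 5424, section 6.2.1: severity code -> (keyword, description).
SEVERITIES = {
    0: ("Emergency", "system is unusable"),
    1: ("Alert", "action must be taken immediately"),
    2: ("Critical", "critical conditions"),
    3: ("Error", "error conditions"),
    4: ("Warning", "warning conditions"),
    5: ("Notice", "normal but significant condition"),
    6: ("Informational", "informational messages"),
    7: ("Debug", "debug-level messages"),
}

# PRI is "<" digits ">" at the very start of the message; valid range 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); reject out-of-range values."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range 0..191: %d" % pri)
    return divmod(pri, 8)


def parse_line(line):
    """Return facility, severity code, severity keyword and the remainder of the line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("no PRI field at start of line")
    facility, severity = decode_pri(int(m.group(1)))
    keyword, _ = SEVERITIES[severity]
    return {
        "facility": facility,
        "severity": severity,
        "keyword": keyword,
        "rest": line[m.end():],
    }


def is_at_least(severity, threshold):
    """True when `severity` is as severe as or worse than `threshold`.

    Lower code == more severe, so 'at least Critical (2)' means code <= 2,
    which pulls in Alert (1) and Emergency (0) as well.
    """
    return severity <= threshold


def triage(lines, threshold=2):
    """Keep messages at `threshold` or worse, most severe first (constructed default: Critical)."""
    parsed = [parse_line(line) for line in lines]
    hits = [p for p in parsed if is_at_least(p["severity"], threshold)]
    return sorted(hits, key=lambda p: p["severity"])


# Constructed sample messages (RFC 5424 header layout; timestamps/hosts are dummies).
SAMPLE_LINES = [
    "<14>1 2024-01-01T00:00:00Z host app - - - routine notice",        # user.info   (1*8+6)
    "<9>1 2024-01-01T00:00:01Z host app - - - backup ISP link down",   # user.alert  (1*8+1)
    "<26>1 2024-01-01T00:00:02Z host wan - - - primary ISP link down", # daemon.crit (3*8+2)
    "<0>1 2024-01-01T00:00:03Z host kernel - - - system unusable",     # kern.emerg  (0*8+0)
    "<35>1 2024-01-01T00:00:04Z host sshd - - - config read failed",   # auth.err    (4*8+3)
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES):
        print(entry["severity"], entry["keyword"], entry["rest"].strip())
```

Running the block prints the three messages at Critical or worse, ordered Emergency, Alert, Critical; the Error and Informational lines are dropped. The same comparison direction applies when writing rsyslog filters on severity: a "Critical and above" rule must include the numerically smaller Alert and Emergency codes.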

Best Answer

Critical indicates that something bad is about to happen. Alert indicates that something bad already happened.

Take a look at Building Scalable Syslog Management Solutions on Cisco.com for a good read about managing syslog.
