Syslog severity levels when to use Alert vs Critical
Short overview: Is Alert more severe than Critical.
RFC 5424 briefly defines syslog severity levels and gives a short description. Each syslog level is given a code 0 - 7. It was my understanding that 0 (Emergency) was most severe and 7 (Debug) was least.
However I'm questioning 1 (Alert) and 2 (Critical). The definitions in RFC 5424 are:
- Alert: action must be taken immediately
- Critical: critical conditions
However on this site they give a longer description (which is obviously personal opinion) but define them as:
- Alert: Should be corrected immediately - notify staff who can fix the problem - example is loss of backup ISP connection
- Critical: Should be corrected immediately, but indicates failure in a primary system - fix CRITICAL problems before ALERT - example is loss of primary ISP connection
This seems backwards as it implies that Critical is more severe than Alert even though the RFC 5424 seems to place Alert as more severe. I was just wondering if there's an official stand on this or any best practices?
Critical indicates that something bad is about to happen. Alert indicates that something bad already happened.
Take a look at Building Scalable Syslog Management Solutions on Cisco.com for a good read about managing syslog.
I think what it means by those examples is that if an Alert status is triggered, then Critical has already happened. In the example, it states that Critical is when the Primary ISP goes down, then Alert happens when the Backup ISP goes down. (So both the Primary and Backup ISP's are down). The Backup ISP going down in itself is probably not an Alert, because the Primary ISP would still be up. (Maybe a Critical). Similarly, the Primary ISP going down is only a Critical and not an alert, because the system would still be functioning albeit on the Backup ISP. (Still important to fix asap.)