Generating and collecting logs is one thing. Generating and collecting actionable logs can be quite another.
That's a problem because logs that are not actionable – meaning they can be easily used to derive valuable insights or resolve issues – are not very valuable. If you don't generate actionable logs, you might as well not log at all.
Fortunately, ensuring that you generate useful logs is not tricky. Keep reading for seven tips on making your logs actionable and valuable.
Depending on what you are using a log for, the amount of detail that you need to record in the log may vary. Logs from dev/testing systems may not need to be as extensive as those for critical production environments or the reverse can be true, edge cases can get hairy after all.
Setting the correct log level for each type of log you analyze helps ensure that you don't generate too much noise through easy filtering. At the same time, it ensures that you are able to search, filter, and exclude information via broad strokes. Combined with additional values in the log, this becomes really powerful.
Many systems and services allow you to configure the log level for the logs they generate. If they don't – or if you don't want to have to configure the log level for each of your resources independently – you can tell your log management software which log levels to use when collecting data from your various logs.
The more the structures and formats of your logs vary, the harder it is to derive relevant across-the-board insights from them. That's why standardizing logs helps make them more actionable.
It's not always possible to use the same log structure for every log, of course. Some systems will only support specific forms. Here again, however, log management software can smooth over the rough edges of your individual logs by aggregating log data in a way that makes it possible to analyze all of it efficiently, regardless of the underlying structure of each log.
Aggregating logs from across your environment into a central location is a crucial step toward maximizing the actionability of your logs. You don't want to have to log into multiple systems and deploy different queries on each one to analyze logs. Instead, do it all centrally with a log management tool that consolidates log analysis.
Logging agents – meaning the software that collects logs from the various resources in your IT environment – can become a barrier to actionable logging if they do not operate efficiently. Agents that consume too many resources or that are complicated to deploy automatically may end up distracting you from making the best use of log data.
To avoid this problem, look for log management tools that offer automated agent deployment and whose agents require minimal resources to do their job. Alternatively, take advantage of logging libraries that allow you to build logging facilities directly into your applications and stream log data to a compatible log management tool without having to rely on agents.
For many teams, the primary purpose of collecting logs is to detect and respond to problems in near real-time. By analyzing logs continuously, teams can find issues before their users do.
However, this doesn’t mean that logs cease to be valuable days, weeks, or even months after being created. Likely, you'll sometimes need log data to investigate problems that you didn't detect soon after they appeared. You may also want to use historical log data to model performance trends over time. And in some cases, compliance mandates may require that you store log data for a specific time.
For these reasons, it's essential to set the proper log retention periods and find affordable storage solutions that will allow you to archive logs as long as you need. It’s not always realistic to keep logs forever, but you should strive to retain them for as long as you can reasonably afford them.
Although log aggregators can collect logs in multiple forms (including raw text), you can get more out of your logs by formatting them consistently wherever possible. The format you use -- JSON, Apache Common Log Format, etc. -- doesn't matter much as long as you are consistent (and as long as your log aggregator supports the format you use, of course).
Log formatting consistency is important because it makes it much easier for analytics tools to pull out important fields and make them searchable. In turn, logs are more actionable.
You can, of course, define custom parsing rules in order to work with log data that is not standardized. But whenever possible, it's a best practice to format logs using a standard structure, and keep that structure consistent across your environment.
Although it has become almost cliché to talk about the "three pillars of observability," it's true that logs are only one source of visibility. Metrics, traces, and other data sources help you understand what is happening inside complex systems and equally important – especially in modern, cloud-native environments.
To that end, you should make your logs as actionable as possible to ensure that you can easily correlate log data with other information about your systems. Don't think in terms of logs alone.
Ensuring that logs are readily usable requires attention to various factors, ranging from log verbosity levels to content to the correlation of log data with other sources of visibility. Although it's tempting to collect as many logs as you can and call it a day, that's hardly the best approach to creating actionable logs.
Actionable, Data, Logs