Log Management Without the Complexity: A Practical Guide for Growing Teams

Unstructured logs are text you search with grep. Structured logs are JSON you query like a database.

import logging, json
logging.info(json.dumps({
    'event': 'payment_processed',
    'user_id': user.id,
    'amount': amount,
    'duration_ms': elapsed,
    'trace_id': current_trace_id()
}))

Every log line should include: timestamp, log level, service name, trace ID, and the specific event. Nothing else is required.

- ERROR — something failed, action required - WARN — unexpected but recoverable, investigate soon - INFO — normal operational events - DEBUG — verbose, only in development

Production should log at INFO level. Alert on ERROR rate; review WARN trends weekly. Never enable DEBUG in production — it will fill your storage and contain sensitive data.

- Application errors: 30 days searchable, 1 year cold archive - Access logs: 7 days searchable, 90 days cold archive - Audit logs (auth, billing): 1 year searchable, 7 years cold archive (compliance) - Debug logs: do not store

Cold archive (S3 Glacier equivalent) costs <$0.004/GB/month — keep compliance logs forever there.

When an AlertsDock monitor fires, your first action is to search logs for the period of the incident.

Include your AlertsDock monitor name or ID in logs generated during requests that are monitored, so you can immediately filter to the relevant log stream when an incident fires.

Complement uptime monitors with log-based alerts: - Alert when ERROR rate in logs exceeds 1%/minute - Alert when a specific error message appears (e.g. 'database connection refused') - Alert when log volume drops to zero (your app stopped logging = crashed)