How We Got Here: Logging Evolution¶
Arc: Observability Eras covered: 5 Timeline: ~2005-2025 Read time: ~11 min
The Original Problem¶
In 2005, debugging a production issue meant SSH'ing into a server and running tail -f /var/log/messages. If you had 20 servers, you opened 20 terminal windows. If the problem happened yesterday, you grepped through rotated logs (zgrep "error" /var/log/messages-20050315.gz). If the log had been rotated out of existence — tough luck. There was no search, no correlation, no aggregation. Logs were files on disk, and they stayed there until logrotate deleted them.
When a request traversed five services, you manually correlated log lines by timestamp and hoped the clocks were synchronized (they usually weren't).
Era 1: Syslog and Centralized Log Servers (~2005-2010)¶
The Solution¶
Syslog (RFC 3164, updated by RFC 5424) was the Unix standard for system logging. rsyslog and syslog-ng extended it with reliable TCP transport, filtering, and the ability to forward logs to a central server. Teams set up a "log server" that received syslog messages from all hosts, storing them in files organized by host and facility.
What It Looked Like¶
# /etc/rsyslog.conf on application servers
# Forward all logs to central server
*.* @@logserver.example.com:514
# /etc/rsyslog.conf on the log server
# Receive logs via TCP
module(load="imtcp")
input(type="imtcp" port="514")
# Store by hostname
template(name="PerHostLog" type="string"
string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
*.* ?PerHostLog
# Searching centralized logs
ssh logserver.example.com
grep "ERROR" /var/log/remote/web01/myapp.log | tail -50
# Or for all hosts:
grep -r "OutOfMemoryError" /var/log/remote/*/myapp.log
Why It Was Better¶
- One place to look instead of 20 servers
- Logs survived host failures (already forwarded to the log server)
- Filtering and routing by facility and severity
- Standard protocol supported by every Unix/Linux system
Why It Wasn't Enough¶
- Still plain text files — searching required grep
- No indexing, no full-text search
- No structured data — everything was a string
- Log server disk filled up; retention was limited
- No visualization, no dashboards, no alerting on log content
- syslog was designed for system messages, not application logs
Legacy You'll Still See¶
Syslog is still the transport mechanism for network devices (routers, switches, firewalls). rsyslog is the default logging daemon on most Linux distributions. Many organizations still forward syslog to a central server as part of a larger pipeline. If you're debugging a firewall, you're reading syslog.
Era 2: ELK Stack (Elasticsearch, Logstash, Kibana) (~2012-2018)¶
The Solution¶
The ELK stack (Elastic, 2012-2013) transformed logging from "grep through files" to "search and visualize." Logstash parsed, transformed, and shipped logs. Elasticsearch indexed them for full-text search. Kibana provided dashboards, visualizations, and an interactive query interface. For the first time, you could search all your logs from a web browser.
What It Looked Like¶
# logstash.conf — parse Apache access logs
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
geoip {
source => "clientip"
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "logs-%{+YYYY.MM.dd}"
}
}
# Kibana query (KQL)
status:500 AND service:"payment-api" AND @timestamp > now-1h
# Discover view: see matching log lines, expand for details
# Dashboard: error rate over time, top error messages, geographic distribution
Why It Was Better¶
- Full-text search across all logs, all hosts, all time periods
- Structured data: parse unstructured logs into searchable fields
- Visualizations: histograms, pie charts, line graphs, maps
- Real-time: logs appeared in Kibana within seconds
- Filebeat agent was lightweight and reliable
Why It Wasn't Enough¶
- Resource-hungry: Elasticsearch needed significant CPU, RAM, and disk
- Cluster management was complex (shard allocation, index lifecycle)
- Grok patterns for parsing were fragile and hard to debug
- Cost at scale was significant (especially Elastic's commercial features)
- Logstash was a bottleneck (replaced by Beats direct to ES in many setups)
- License changes (SSPL, 2021) fractured the community
Legacy You'll Still See¶
ELK (or the Elastic Stack) is still the most deployed log management solution. Many organizations run large Elasticsearch clusters for logs. Kibana is a daily tool for developers and ops. The OpenSearch fork (AWS) provides an alternative after the license change. If someone says "check the logs," they often mean "go to Kibana."
Era 3: Structured Logging and Log-as-Data (~2015-2020)¶
The Solution¶
The insight was simple but transformative: instead of emitting unstructured text and parsing it later, emit structured data (JSON) from the application. Libraries like logstash-logback-encoder (Java), structlog (Python), and winston (Node.js) made it easy. Every log line became a JSON object with consistent fields: timestamp, level, service, trace ID, user ID, and the message.
What It Looked Like¶
# structlog — Python structured logging
import structlog
logger = structlog.get_logger()
logger.info("order.placed",
order_id="ORD-12345",
user_id="USR-67890",
total_amount=99.99,
items=3,
payment_method="credit_card",
)
# Output (JSON):
# {"event": "order.placed", "order_id": "ORD-12345",
# "user_id": "USR-67890", "total_amount": 99.99, "items": 3,
# "payment_method": "credit_card", "timestamp": "2018-03-15T14:30:00Z",
# "level": "info", "service": "order-api"}
// winston — Node.js structured logging
const logger = winston.createLogger({
format: winston.format.json(),
transports: [new winston.transports.Console()],
});
logger.info('Request handled', {
method: 'POST',
path: '/api/orders',
status: 201,
duration_ms: 45,
trace_id: 'abc123',
});
Why It Was Better¶
- No parsing required — JSON is already structured
- Consistent fields enable reliable filtering and aggregation
- Correlation: trace ID links logs across services
- Machine-readable: log analysis tools work directly on structured data
- Developer-controlled: the application defines what's logged, not a grok pattern
Why It Wasn't Enough¶
- Requires application changes — can't retroactively structure legacy logs
- JSON logs are harder to read in a terminal (solved with human-friendly formatters)
- Inconsistent field naming across services (no standard schema initially)
- Increased log volume (JSON overhead)
- Still needed a storage and search backend (Elasticsearch, etc.)
Legacy You'll Still See¶
Structured logging is now the expected standard for new applications. JSON logging is the default format for Kubernetes (stdout is captured by the container runtime). The practice of including trace IDs in every log line is universal in distributed systems.
Era 4: Loki and Cost-Efficient Log Aggregation (~2018-2023)¶
The Solution¶
Grafana Loki (2018) challenged Elasticsearch's dominance with a radical insight: don't index the log content — just index the labels (service name, namespace, host) and store the log lines as compressed chunks. This dramatically reduced storage and operational costs. Loki used the same label model as Prometheus, making it natural for teams already using Grafana.
What It Looked Like¶
# Promtail config — ship logs to Loki
server:
http_listen_port: 9080
positions:
filename: /tmp/positions.yaml
clients:
- url: http://loki:3100/loki/api/v1/push
scrape_configs:
- job_name: kubernetes
kubernetes_sd_configs:
- role: pod
pipeline_stages:
- docker: {}
- json:
expressions:
level: level
trace_id: trace_id
- labels:
level:
trace_id:
# LogQL — Loki's query language
# All error logs from the payment service in the last hour
{service="payment-api"} |= "error" | json | level="error"
# Count errors per service
sum by (service) (count_over_time({level="error"}[5m]))
# Logs correlated with a specific trace
{trace_id="abc123def456"}
Why It Was Better¶
- 10-100x cheaper than Elasticsearch for the same log volume
- Operationally simpler: no shard management, no JVM tuning
- Same label model as Prometheus — natural fit for Grafana dashboards
- LogQL supports both filtering and metric extraction from logs
- Scales horizontally with object storage (S3, GCS) as the backend
Why It Wasn't Enough¶
- No full-text indexing — searching log content is slower than Elasticsearch
- Label cardinality limits (too many unique label values = problems)
- Less mature than Elasticsearch (fewer features, smaller community)
- Not ideal for compliance use cases requiring fast arbitrary text search
- Query performance degrades with wide time ranges
Legacy You'll Still See¶
Loki is the current standard for cost-conscious logging in Kubernetes. The Grafana + Prometheus + Loki + Tempo stack (commonly called "LGTM") is the open-source observability standard. Many organizations are migrating from Elasticsearch to Loki for cost savings.
Era 5: Observability Pipelines and Unified Telemetry (~2022-2025)¶
The Solution¶
Observability pipelines (Vector, Cribl, Fluentbit with advanced routing, OpenTelemetry Collector) sit between log sources and destinations. They parse, transform, filter, sample, and route logs — reducing volume and cost before data hits storage. Combined with OpenTelemetry's log support, logs become part of a unified telemetry pipeline alongside metrics and traces.
What It Looked Like¶
# Vector — observability pipeline
sources:
kubernetes_logs:
type: kubernetes_logs
transforms:
parse_json:
type: remap
inputs: ["kubernetes_logs"]
source: |
. = parse_json!(.message)
.environment = get_env_var("ENVIRONMENT") ?? "unknown"
filter_noise:
type: filter
inputs: ["parse_json"]
condition:
type: vrl
source: '.level != "debug"'
sample_high_volume:
type: sample
inputs: ["filter_noise"]
rate: 10 # keep 1 in 10 for high-volume services
key_field: "service"
exclude:
type: vrl
source: '.level == "error" || .level == "warn"'
sinks:
loki:
type: loki
inputs: ["sample_high_volume"]
endpoint: http://loki:3100
labels:
service: "{{ service }}"
level: "{{ level }}"
s3_archive:
type: aws_s3
inputs: ["filter_noise"] # all logs go to archive
bucket: logs-archive
compression: zstd
Why It Was Better¶
- Volume reduction: filter, sample, and aggregate before storage
- Cost control: route expensive logs to cheap storage, important logs to fast storage
- Unified pipeline: logs, metrics, and traces through the same infrastructure
- Vendor flexibility: change backends without changing application code
- Compliance: route sensitive logs to dedicated storage with different retention
Why It Wasn't Enough¶
- Another component to operate and monitor
- Pipeline configuration complexity (another YAML dialect to learn)
- Sampling means some logs are lost (acceptable for volume, not for debugging)
- Unified telemetry is aspirational — most organizations still have separate pipelines
- The "pipeline sprawl" problem mirrors the log sprawl it was meant to solve
Legacy You'll Still See¶
Observability pipelines are becoming standard in large organizations. Vector and Cribl are growing rapidly. The OpenTelemetry Collector is becoming the universal telemetry router. Fluentd/Fluentbit remain widespread in Kubernetes for log collection.
Where We Are Now¶
Most organizations use one of two stacks: Elasticsearch/Kibana for full-text search or Loki/Grafana for cost-efficient label-based logging. Structured JSON logging is the expected standard. Observability pipelines are emerging as the middle layer that controls cost and routes data. OpenTelemetry is unifying the instrumentation layer. The "three pillars" (metrics, logs, traces) are converging into a single correlated view.
Where It's Going¶
The most impactful near-term change is AI-assisted log analysis — systems that automatically identify anomalous patterns, correlate log events with metrics and traces, and surface root causes. Longer term, the distinction between "logs" and "traces" may dissolve: every event is a structured record with context, and the storage system provides whatever view you need (timeline, trace, aggregation).
The Pattern¶
Every generation of logging increases the ratio of signal to noise. From raw text files to searchable indices to structured data to sampled pipelines — each era makes it easier to find the one log line that matters among the millions that don't.
Key Takeaway for Practitioners¶
Emit structured JSON logs with consistent fields from day one. Include a trace ID in every log line. The storage and search backend will change — it already has, multiple times — but well-structured logs remain valuable regardless of which tool ingests them.
Cross-References¶
- Topic Packs: Elasticsearch, Loki, Fluentd
- Tool Comparisons: ELK vs Loki vs Datadog Logs
- Evolution Guides: Monitoring Evolution, Incident Management