Live Elasticsearch Online Training starting on March 2! See all classes


Glossary

Structured Logging

Backend
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Definition: What Is Structured Logging?

Structured logging is the practice of logging application and server errors or access events in a well-structured and consistent format that can be easily read, searched, and analyzed by any application or an interested individual. The most common structured logging format is JSON since it is the standard message format for every message parsing between systems and within applications.

Structured vs. Unstructured vs. Semi-Structured Logs

Unstructured logs are messages in plain text containing information in a linear string however in an unstructured way. A parsing algorithm is used to structure the data and simplify searching of specific information. An unstructured log cannot easily be queried and takes more time to process. For example,

> 2022-10-07 15:15:17.721 ERROR 12345--- error in API request /v1/get courses ….

Even though this log message has everything from the timestamp to the error messages, it can be challenging to query and fetch relevant information without parsing the linear string. But on the upside, since all the information is compact, unstructured logs consume less space. You can also see multiple messages together, making the job of manual scanning easier.

Unlike an unstructured log, a structured log has messages printed in a pre-determined or custom standard that is based on your unique needs. This standard is usually in JSON and XML format as they can be easily queried and parsed. You can also easily drill down to individual parameters and aggregated values, like the count of each distinct object value, reducing the query time and resources required to perform the query. However, structured logs can take more space than unstructured logs.

In contrast to unstructured and structured logs, semi-structured logs contain both objects and strings. They are easily understood by humans and machines alike. However, their formats are not standardized, making them less convenient than standardized logs. Specific programs are required to analyze such logs. To analyze these logs programmatically, they must first be parsed into tables. Any subsequent search can then be queried easily from these tables.

Why Use Structured Logging?

Structured logging helps to overcome some of the problems associated with unstructured and semi-structured logging and makes developers’ lives easier. Here are some of the benefits of using structured logs:

  • Facilitate easy debugging of production incidents, especially when faster log analysis is required to identify the root cause and resolve the problem quickly.
  • Structured logs can have the same format even if they are produced by different sources, which improves the readability and maintainability of logs. It also improves the shareablity of the logs across multiple platforms in your toolchain that use logs.
  • Reduce the costs associated with custom software that is required to parse semi-structured or unstructured logs.
  • Since structured logging can be parsed quickly, organizations can use them for analytics and business intelligence purposes. Organizations can retrieve aggregate summaries of the logs and visualize useful information from them.
  • Modern organizations produce huge amounts of log data. You can make sense of them only by structuring the logs with the help of a log management tool. While you can build a custom tool to parse unstructured logs, these tools require more work and maintenance. However, the market is full of good solutions that come out of the box with log collection, parsing and analysis capabilities and don’t require further input from your team.

Having said that, structured logging has its own set of disadvantages. The major disadvantages of structured logs are increased size of an event and increased system requirements. When you structure a log, you increase the size of the event, which requires additional storage and processing ability.

Structured Logging Example

Structured logs are structured in a format like JSON or XML and usually contain well-defined and contextual information needed for diagnosis, including error messages and other properties like event number, hostname, timestamp, and request. As a result, structured logs can be easily read and processed, unlike unstructured logs.

Let’s see how by analyzing an example of an unstructured access log entry generated by an application server.

[15/Nov/2021:04:47:53 -0500] 192.168.56.87 [31221] [/home/menu] [2335] ERROR: record id=23434 not found in table

Even though the above log entry has all the information, trying to read the error number in this log is tedious. Some of the issues that this log message present are as follows:

  • Trying to read the error number in this log is tedious because the data in the log is randomly arranged.
  • If the order of the log data changes, the automated process designed to read this log will be impacted.
  • This log data is not human-friendly to read.

Now, let’s introduce structured logging to help clarify this message. We will change the log structure to a JSON object. The log entry could then look like the below:

{
 "hostName": "192.168.0.1",
 "pid": "31221",
 "path": "/home/menu,"
 "error_number": 2335
 "message": "ERROR: record id=23434 not found in table."
}

As you can see, fetching the error number from this structured log entry can be quick as the information is presented as key-value pairs. Therefore, structured logs are not only human-readable but also reduce mistakes when reading information from them.

Analyze Structured Logs with Log Management Tools

When you opt for structured logging, you have one of the two options – create your custom algorithm or use one of the log management tools found in the market. Whichever option you choose, the process is the same.

  1. Whenever your application generates a log message, the log message goes through a logging framework that formats and outputs the message into a file. This format can be a common one like JSON or XML. It can also be customized for your needs.
  2. Then, a log management tool captures and parses it again.
  3. Finally, the tool lets you perform further analysis on the parsed message. The analysis could be manual or augmented with business intelligence. li>

Log management tools allow you to query logs against various helpful attributes like specific time and date across multiple time zones, source and destination IP addresses, and/or timestamps. They enable faster log analysis and troubleshooting for production issues. Furthermore, you can use them to correlate logs with infrastructure and application performance metrics to derive deeper insights about the system’s bottleneck.

Another intuitive feature of log management tools is that they provide real-time log alerts by tracking logs for any anomaly. Moreover, these tools follow security best practices and adhere to compliance standards like SOC1, SOC2, and HIPAA, so you need not worry about breaching such regulations.

You can find several such solutions in the market depending on your needs. Most modern ones are fully managed in the central cloud. Hence maintaining them can be less tedious and inexpensive. If you want to adopt a logging solution, read this detailed comparison of the best log management tools available.

Sematext as a Log Management Solution

Sematext Logs is a log management tool that exposes the Elasticsearch API. You can send data using syslog or any Elasticsearch-compatible tool, such as Logstash or Filebeat. Kibana or the native Sematext Logs UI can be used to visualize the data.

Sematext’s log and service auto-discovery allows you to automatically begin monitoring logs and forwarding them from both log files and containers directly through the user interface, without additional configuration.

Sematext Logs is part of the Sematext Cloud full-stack monitoring solution, which means that it enables real-time troubleshooting on both metrics and logs, by analyzing your logs for optimal health while detecting anomalies. This means you get informed in advance of any potential issues.

Watch the video below to learn more about Sematext Logs or start your 14-day free trial, and let us know what you think!

Start free trial


See Also

Content

15 Best IT Infrastructure Monitoring Tools & Software

Find out what are the best infrastructure monitoring tools and software, both open source and paid, available today.

Read more