Logging Standard

Non-Negotiables

  1. Logs are production tooling. If you can’t debug with them, they are wrong.
  2. Structured logs only. Free-text dumps don’t scale.
  3. No secrets. Ever. Credentials in logs are security incidents.
  4. One event, one log. No log spam.

Minimum Requirements (Industry Standard Baseline)

Structure

Every log entry must include (where applicable):

  • timestamp
  • level
  • service
  • env
  • trace_id / correlation_id
  • request_id (for HTTP)
  • error.kind, error.message, error.stack (for errors)

Levels

  • DEBUG: local development or targeted sampling only
  • INFO: business-relevant milestones (state transitions)
  • WARN: unexpected but recoverable conditions
  • ERROR: failed operations that require attention
  • FATAL: process cannot continue (rare)

What to Log (and what to never log)

  • Log decisions and outcomes, not full payloads.
  • Never log:
    • passwords, tokens, API keys
    • full credit card numbers
    • raw personal data unless explicitly approved and masked

Correlation

  • Propagate correlation IDs across services.
  • Include IDs in every log line for request-scoped work.
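
The required fields, the never-log rule and correlation-ID propagation can be enforced in one formatter. The following is an added example, not part of the original standard; SERVICE, ENV, SENSITIVE, JsonFormatter, redact and render are assumed names, and the key-name pattern is a constructed starting point rather than a complete list.

```python
import json
import logging
import re
from contextvars import ContextVar
from datetime import datetime, timezone

# Assumed values and names for this example only.
SERVICE, ENV = "checkout", "prod"
SENSITIVE = re.compile(r"pass(word|wd)?|token|api[_-]?key|secret|authorization|card", re.I)
correlation_id: ContextVar[str] = ContextVar("correlation_id", default="-")

def redact(value, key=""):
    """Recursively mask any value whose key name looks sensitive."""
    if key and SENSITIVE.search(key):
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: redact(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value

class JsonFormatter(logging.Formatter):
    def format(self, record):
        entry = {
            "timestamp": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "level": record.levelname,
            "service": SERVICE,
            "env": ENV,
            "correlation_id": correlation_id.get(),  # set once per request
            "message": record.getMessage(),
        }
        fields = getattr(record, "fields", None)
        if fields:
            entry["fields"] = redact(fields)
        if record.exc_info:
            # Key-name redaction does not cover secrets embedded in exception text.
            exc_type, exc, _ = record.exc_info
            entry["error.kind"] = exc_type.__name__
            entry["error.message"] = str(exc)
            entry["error.stack"] = self.formatException(record.exc_info)
        return json.dumps(entry, default=str)

def render(level, message, fields=None, exc_info=None):
    """Format one entry without a handler, so the output can be inspected."""
    record = logging.LogRecord("app", level, "example.py", 0, message, None, exc_info)
    record.fields = fields or {}
    return JsonFormatter().format(record)
```

In a service, attach JsonFormatter to the root handler and pass structured data as extra={"fields": {...}} so it goes through redact before serialization.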

Cost Control

  • Use sampling for high-volume logs.
  • Avoid per-item logs in loops.
