|
1 | 1 | # The Three Pillars of Observability |
2 | 2 |
|
3 | | -Logs, metrics, and traces are often known as the three pillars of observability. |
| 3 | +Observability refers to the ability to understand a system’s internal state based on the telemetry data it produces. Modern distributed and cloud-native systems are highly complex, making it difficult to diagnose issues without comprehensive visibility. To achieve such visibility, observability platforms rely primarily on three types of telemetry data—**metrics**, **logs**, and **traces**—often referred to as the _three pillars of observability_. |
4 | 4 |
|
5 | | -> Distributed Systems Observability by Cindy Sridharan (Chapter 4) |
| 5 | +## Overview |
6 | 6 |
|
7 | | -## Event logs |
| 7 | +In observability: |
8 | 8 |
|
9 | | -- An event log is an immutable, timestamped record of discrete events that happened over time. Event logs in general come in three forms but are fundamentally the same: a timestamp and a payload of some context. The three forms are: |
| 9 | +- **Metrics** provide quantitative views of system performance over time. |
| 10 | +- **Logs** are detailed, timestamped records of discrete events. |
| 11 | +- **Traces** map the progression of individual requests across system components. |
10 | 12 |
|
11 | | - - Plaintext: A log record might be free-form text. This is also the most common format of logs. |
12 | | - - Structured: Much evangelized and advocated for in recent days. Typically, these logs are emitted in the JSON format. |
13 | | - - Binary: Think logs in the Protobuf format, MySQL binlogs used for replication and point-in-time recovery, systemd journal logs, the pflog format used by the BSD firewall pf that often serves as a frontend to tcpdump. |
| 13 | +Each pillar addresses different questions about system behavior and, when used together, they enable teams to identify, investigate, and resolve issues efficiently. |
14 | 14 |
|
15 | | -- Traces and metrics are an abstraction built on top of logs that pre-process and encode information along two orthogonal axes, one being request-centric (trace), the other being system-centric (metric). |
| 15 | +## Definitions and Key Characteristics |
16 | 16 |
|
17 | | -### The Pros and Cons of Logs |
| 17 | +### Event Logs |
18 | 18 |
|
19 | | -> Pros |
| 19 | +Logs are immutable records of specific events that occur within a system. They typically include a timestamp and contextual data such as transaction IDs, IP addresses, error details, and configuration changes. Logs exist in different formats: |
20 | 20 |
|
21 | | -- The easiest to generate. The fact that a log is just a string or a blob of JSON or typed key-value pairs makes it easy to represent any data in the form of a log line. |
22 | | -- Logs perform really well in terms of surfacing highly granular information pregnant with rich local context. |
| 21 | +- **Plaintext:** simple text messages. |
| 22 | +- **Structured:** typically JSON with explicit fields. |
| 23 | +- **Binary:** such as Protobuf or system journal formats. |
23 | 24 |
|
24 | | -> Cons |
| 25 | +**Strengths** |
25 | 26 |
|
26 | | -- The performance: the default logging libraries of many languages and frameworks are not the cream of the crop, which means the application as a whole becomes susceptible to suboptimal performance due to the overhead of logging. |
27 | | -- Log messages can also be lost unless one uses a protocol like [RELP](https://en.wikipedia.org/wiki/Reliable_Event_Logging_Protocol) to guarantee reliable delivery of messages. |
28 | | -- Logging excessively has the capability to adversely affect application performance as a whole. This is exacerbated when the logging isn't asynchronous and request processing is blocked while writing a log line to disk or stdout. |
| 27 | +- Provide rich local context and detailed insight into what happened. |
| 28 | +- Easy to generate and capture in most systems. |
29 | 29 |
|
30 | | -## Metrics |
| 30 | +**Limitations** |
31 | 31 |
|
32 | | -- Metrics are a numeric representation of data measured over intervals of time. |
33 | | -- Since numbers are optimized for storage, processing, compression and retrieval, metrics enable longer retention of data as well as easier quering. |
| 32 | +- Excessive logging can affect performance and create noise. |
| 33 | +- Log aggregation and querying at scale can be resource-intensive. |
34 | 34 |
|
35 | | -### The anatomy of modern metric |
| 35 | +### Metrics |
36 | 36 |
|
37 | | -- One of the biggest drawbacks of historical time-series databases has been the _identification_ of metrics that didn't lend itself very well to exploratory analysis or filtering. |
38 | | -- A metric is identified using both the metric name and the labels (additional key-value pairs). |
| 37 | +Metrics are numerical representations of system performance measured over intervals of time. They enable trend analysis and performance monitoring. Common examples include CPU usage, memory utilization, latency, throughput, and error rates. |
39 | 38 |
|
40 | | -### Advantages of metrics over event logs |
| 39 | +**Strengths** |
41 | 40 |
|
42 | | -- Metric transfer and storage has a constant overhead. Unlike logs, the cost of metrics doesn't increase in lockstep with user traffic or any other system activity that could result in a sharp uptick in data. |
43 | | -- Metrics, once collected, are more malleable to mathematical, probabilistic, and statistical transformations such as sampling, aggregation, summarization, and correlation. |
44 | | -- Metrics are also better suited to trigger alerts, since running queries against an in-memory, time-series database is far more efficient, not to mention more reliable, than running a query against a distributed system like Elasticsearch and then aggregating the results before deciding if an alert needs to be triggered |
| 41 | +- Efficient to store, process, and query, especially in time-series databases. |
| 42 | +- Useful for alerting based on thresholds and for capacity planning. |
45 | 43 |
|
46 | | -### The drawbacks of metrics |
| 44 | +**Limitations** |
47 | 45 |
|
48 | | -- System scoped, making it hard to understand anything else other than what's happening inside a particular system. |
49 | | -- With logs without fancy joins, a single line doesn’t give much information about what happened to a request across all components of a system. While it’s possible to construct a system that correlates metrics and logs across the address space or RPC boundaries, such systems require a metric to carry a UID as a label. -> overwhelm time-series databases. |
| 46 | +- Metrics lack detailed context about individual events or causal chains. |
| 47 | +- High-resolution metrics can still produce large volumes of data. |
50 | 48 |
|
51 | | -## Tracing |
| 49 | +### Traces |
52 | 50 |
|
53 | | -- A trace is representation of a series of causally related distributed events that encode the end-to-end request flow through distributed system. |
54 | | -- The basic idea behind tracing is identify specific points (function calls or RPC boundatries or segments of concurrency such as threads, continuations, or queues) in an application, proxy, framework, library, runtime, middleware, and anything else in the path of a request that represents the following: |
55 | | - - Forks in execution flow (OS thread or a green thread) |
56 | | - - A hop or a fan out across network or process boundaries |
57 | | -- Having an understanding of the entire request lifecycle makes it possible to debug requests spanning multiple services to pinpoint the source of increased latency or resource utilization. |
58 | | -- The use cases of distributed tracing are myriad. While used primarily for inter service dependency analysis, distributed profiling, and debugging steady-state problems, tracing can also help with chargeback and capacity planning. |
| 51 | +Traces represent the path and lifecycle of a request as it travels across components in a distributed system. They record causally related events and capture timing, dependencies, and the order of operations. Distributed tracing is especially important in microservices environments. |
59 | 52 |
|
60 | | -### The Challenges of Tracing |
| 53 | +**Strengths** |
61 | 54 |
|
62 | | -- Tracing is, by far, the hardest to retrofit into an existing infrastructure, because for tracing to be truly effective, every component in the path of a request needs to be modified to propagate tracing information. |
63 | | -- The second problem with tracing instrumentation is that it’s not sufficient for developers to instrument their code alone. |
64 | | -- The cost of tracing isn’t quite as catastrophic as that of logging, mainly because traces are almost always sampled heavily to reduce runtime overhead as well as storage costs. |
| 55 | +- Illustrate where and how a request flows through the architecture. |
| 56 | +- Help pinpoint performance bottlenecks and dependencies. |
65 | 57 |
|
66 | | -### Service Meshes: A new hop for the future |
| 58 | +**Limitations** |
67 | 59 |
|
68 | | -While tracing has been difficult to implement, the rise of [service meshes](https://blog.buoyant.io/2017/04/25/whats-a-service-mesh-and-why-do-i-need-one/) make integrating tracing functionality almost effortless. [Data planes](https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc) of service meshes implement tracing and stats collections at the proxy level, which allows one to treat individual services as blackboxes but still get uniform and thorough observability into the mesh as a whole. Applications that are a part of the mesh will still need to forward headers to the next hop in the mesh, but no additional instrumentation is necessary. |
| 60 | +- Requires instrumentation across all services involved in the request path. |
| 61 | +- Can be complex to implement and manage at scale. |
69 | 62 |
|
70 | | -## Conclusion |
| 63 | +## Comparative Overview |
| 64 | + |
| 65 | +| Pillar | Primary Focus | Typical Use Cases | |
| 66 | +| ------- | ------------------------- | ------------------------------------------- | |
| 67 | +| Metrics | “What” is happening | High-level performance dashboards, alerting | |
| 68 | +| Logs | “Why” it happened | Error diagnostics, root cause analysis | |
| 69 | +| Traces | “Where/How” requests flow | Distributed request path analysis | |
| 70 | + |
| 71 | +Each pillar provides a piece of the overall picture. Metrics quickly surface anomalies, logs reveal detailed context, and traces connect events across systems for end-to-end insight. |
| 72 | + |
| 73 | +## Advantages and Limitations (Merged Insights) |
| 74 | + |
| 75 | +### Logs |
| 76 | + |
| 77 | +**Advantages** |
| 78 | + |
| 79 | +- Highly detailed and flexible. |
| 80 | +- Can capture arbitrary event context. |
| 81 | + |
| 82 | +**Limitations** |
| 83 | + |
| 84 | +- Potential performance overhead during collection. |
| 85 | +- Noise and storage costs can be significant. |
| 86 | + |
| 87 | +### Metrics |
| 88 | + |
| 89 | +**Advantages** |
| 90 | + |
| 91 | +- Scalable for long-term trend analysis. |
| 92 | +- Efficient alerting and aggregation. |
| 93 | + |
| 94 | +**Limitations** |
71 | 95 |
|
72 | | -- Logs, metrics, and traces serve their own unique purpose and are complementary. In unison, they provide maximum visibility into the behavior of distributed systems. For example, it makes sense to have the following: |
| 96 | +- Metrics alone do not reveal causality or detailed event context. |
73 | 97 |
|
74 | | - - A counter and log at every major entry and exit point of a request |
75 | | - - A log and trace at every decision point of a request |
| 98 | +### Traces |
| 99 | + |
| 100 | +**Advantages** |
| 101 | + |
| 102 | +- Critical for understanding distributed systems. |
| 103 | +- Reveals dependency interactions. |
| 104 | + |
| 105 | +**Limitations** |
| 106 | + |
| 107 | +- Complexity of instrumentation and data management. |
| 108 | + |
| 109 | +## How the Three Pillars Work Together |
| 110 | + |
| 111 | +Observability is most effective when metrics, logs, and traces are correlated and analyzed in tandem: |
| 112 | + |
| 113 | +1. **Metrics** surface potential issues via trends and thresholds. |
| 114 | +2. **Traces** reveal where problems occur within distributed workflows. |
| 115 | +3. **Logs** provide the detailed context needed to diagnose root causes. |
| 116 | + |
| 117 | +Together, these data sources give engineering teams a **holistic, context-rich, and actionable view** of system behavior. |
| 118 | +## Beyond the Three Pillars |
| 119 | + |
| 120 | +Although metrics, logs, and traces are the foundational telemetry signals for observability, some frameworks emphasize **additional supporting capabilities** such as: |
| 121 | + |
| 122 | +- **Context:** environmental and topological metadata that enriches telemetry. |
| 123 | +- **Correlation:** linking disparate signals for comprehensive analysis. |
| 124 | +- **Alerting:** proactive notification of anomalies. |
| 125 | +- **Profiling:** capturing detailed execution state for deep diagnostics. |
| 126 | + |
| 127 | +These elements are often integrated with the three pillars to enhance overall observability effectiveness. |
| 128 | + |
| 129 | +## Conclusion |
76 | 130 |
|
77 | | -- It also makes sense to have all three semantically linked such that it becomes possible at the time of debugging: |
78 | | - - To reconstruct the codepath taken by reading a trace |
79 | | - - To dervive request or error ratios from any single point in the codepath |
| 131 | +The three pillars—**metrics**, **logs**, and **traces**—form the core telemetry foundation of observability in modern distributed systems. Each provides distinct insights into system behavior, and when combined, they enable fast detection, analysis, and resolution of operational issues across complex architectures. |
0 commit comments