2nd/10_Wiki/Topics/Architecture/로그_Logs.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
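10_Wiki/Topics large-scale cleanup:
- Removed 227 error-capture/incomplete stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link-name normalization: broken links fixed, redirects linked directly, concept mapping, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections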

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

7.0 KiB

id: wiki-2026-0508-로그-logs
title: Logs
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: Logs, Logging, Application Logs
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: observability, logging, sre, telemetry, structured-logging
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack: language: TypeScript/Go; framework: OpenTelemetry / Loki / Datadog

Logs

In one line

"Logs are one of the three pillars of a system's external observability, a sibling of metrics and traces, and the sink for high-cardinality narrative events." The 2026 standard is structured JSON + OpenTelemetry semantic conventions + 5-level severity + a sampling/aggregation pipeline.

Key points

Three pillars of observability

  • Metrics: numeric, low-cardinality, aggregable. (Prometheus, OTLP metrics)
  • Logs: textual, high-cardinality, event-narrative.
  • Traces: request-scoped causal chain across services.

Log levels (RFC 5424 + practice)

  • FATAL/EMERGENCY: process death imminent.
  • ERROR: user-facing failure or unexpected condition.
  • WARN: degraded state, fallback engaged.
  • INFO: lifecycle events (start, stop, deploy).
  • DEBUG: development troubleshooting.
  • TRACE: fine-grained step-level (rarely on in prod).

Structured logging (2026 default)

  • JSON line format: 1 event = 1 line, machine-parseable.
  • Required fields: timestamp (RFC3339), level, service, trace_id, span_id, message.
  • OTel semantic conventions: http.method, db.system, exception.type.
  • PII redaction: in-stream filter for compliance (GDPR/HIPAA/PCI).

Applications

  1. SLO debugging: error logs + trace correlation → root cause.
  2. Audit trail: append-only, signed, retention 7y for finance.
  3. Anomaly detection: log pattern clustering (Drain3, LogPAI) → unknown unknowns.

💻 Patterns

Structured logger (TypeScript pino)

```typescript
import pino from 'pino';

export const logger = pino({
  level: process.env.LOG_LEVEL ?? 'info',
  formatters: {
    level: (label) => ({ level: label }),
    bindings: () => ({ service: process.env.SERVICE_NAME, env: process.env.NODE_ENV }),
  },
  timestamp: pino.stdTimeFunctions.isoTime,
  // '*.password' matches exactly one level down (e.g. user.password);
  // top-level or deeper keys need their own paths.
  redact: { paths: ['*.password', '*.token', '*.creditCard'], censor: '[REDACTED]' },
});

// usage
logger.info({ userId, orderId, amountCents }, 'order placed');
logger.error({ err, requestId }, 'payment failed');
```

Trace correlation (OpenTelemetry)

```typescript
import { trace, context } from '@opentelemetry/api';

function logWithTrace(msg: string, fields: object) {
  const span = trace.getSpan(context.active());
  const ctx = span?.spanContext();
  logger.info({
    ...fields,
    trace_id: ctx?.traceId,
    span_id: ctx?.spanId,
  }, msg);
}
```

Log sampling (high-volume endpoints)

```typescript
function sampledLog(level: 'info'|'debug', sampleRate: number, fields: object, msg: string) {
  if (Math.random() < sampleRate) {
    logger[level]({ ...fields, sampled: true, sample_rate: sampleRate }, msg);
  }
}
// e.g. health-check endpoint at 1% sampling
```

PII redaction middleware

```typescript
const PII_PATTERNS = [
  /\b\d{3}-\d{2}-\d{4}\b/g,                 // SSN
  /\b\d{4}-\d{4}-\d{4}-\d{4}\b/g,           // credit card
  /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g,          // email
];

function redactPII(s: string): string {
  return PII_PATTERNS.reduce((acc, re) => acc.replace(re, '[REDACTED]'), s);
}
```
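The pattern list above only sees flat strings and only hyphenated 16-digit card numbers. The following added example (not part of the original page) goes further: it walks nested log fields, redacts by key name as well as by pattern, and uses a Luhn check so that long order IDs are not mistaken for cards. The names `luhnValid`, `redactString`, `redactDeep`, `SENSITIVE_KEYS` and `SAMPLE` are hypothetical.

```typescript
// Luhn checksum: keeps long numeric IDs that are not plausible card numbers.
function luhnValid(digits: string): boolean {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

const CARD = /\b\d(?:[ -]?\d){12,18}\b/g;   // 13-19 digits, optional space or hyphen separators
const SSN = /\b\d{3}-\d{2}-\d{4}\b/g;
const EMAIL = /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g;
// Assumed key names, mirroring the pino redact paths (compared in lower case).
const SENSITIVE_KEYS = ['password', 'token', 'creditcard'];

function redactString(s: string): string {
  return s
    .replace(CARD, (m) => (luhnValid(m.replace(/[ -]/g, '')) ? '[REDACTED]' : m))
    .replace(SSN, '[REDACTED]')
    .replace(EMAIL, '[REDACTED]');
}

// Walks nested objects and arrays so values at any depth are covered.
function redactDeep(value: unknown, key: string = ''): unknown {
  if (SENSITIVE_KEYS.indexOf(key.toLowerCase()) !== -1) return '[REDACTED]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactDeep(v));
  if (value !== null && typeof value === 'object') {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) out[k] = redactDeep(src[k], k);
    return out;
  }
  return value;
}

// Constructed sample event (all values are made up).
const SAMPLE = {
  user: { email: 'a.user@example.com', profile: { password: 'hunter2' } },
  note: 'paid with 4111 1111 1111 1111, order 1234567890123456',
  ids: ['078-05-1120'],
};
console.log(JSON.stringify(redactDeep(SAMPLE)));
```

Pattern matching is a backstop: a card number directly adjacent to another digit run can still slip past the regex, so key-based redaction at the logger remains the primary control.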

Append-only audit log

```typescript
import { createHash } from 'node:crypto';
import { ulid } from 'ulid';

// Hex-encoded SHA-256 of a string
const sha256 = (s: string) => createHash('sha256').update(s).digest('hex');

interface AuditEvent {
  id: string;             // ULID for time-ordering
  actor: string;
  action: string;
  resource: string;
  before?: unknown;
  after?: unknown;
  timestamp: string;      // ISO8601
  hashChainPrev: string;  // tamper-evident chain
  hashChainCurrent: string;
}

function appendAudit(prev: AuditEvent | null, event: Omit<AuditEvent, 'hashChainCurrent'|'hashChainPrev'|'id'>) {
  const id = ulid();
  // The first record chains to an all-zero genesis hash
  const prevHash = prev?.hashChainCurrent ?? '0'.repeat(64);
  const payload = JSON.stringify({ id, prevHash, ...event });
  const currentHash = sha256(payload);
  return { id, hashChainPrev: prevHash, hashChainCurrent: currentHash, ...event } as AuditEvent;
}
```
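A hash chain is only useful if something re-walks it. The following added example (not part of the original page) shows the verifier side: it recomputes each record's hash and reports the first record that was edited, removed or reordered. `ChainedEvent`, `digest`, `appendEvent`, `verifyChain` and `buildSample` are hypothetical names, and a sequence number stands in for the ULID.

```typescript
import { createHash } from 'node:crypto';

// Hypothetical record shape for this example: a subset of the AuditEvent fields,
// with a sequence number standing in for the ULID.
interface ChainedEvent {
  seq: number;
  actor: string;
  action: string;
  resource: string;
  timestamp: string;
  hashChainPrev: string;
  hashChainCurrent: string;
}
type EventBody = Pick<ChainedEvent, 'actor' | 'action' | 'resource' | 'timestamp'>;

const GENESIS = '0'.repeat(64);

// Hash a fixed-order array so the writer and the verifier serialize identically.
function digest(seq: number, prev: string, e: EventBody): string {
  const canonical = JSON.stringify([seq, prev, e.actor, e.action, e.resource, e.timestamp]);
  return createHash('sha256').update(canonical).digest('hex');
}

function appendEvent(log: ChainedEvent[], body: EventBody): ChainedEvent[] {
  const last = log[log.length - 1];
  const prev = last ? last.hashChainCurrent : GENESIS;
  const seq = log.length;
  return [...log, { seq, ...body, hashChainPrev: prev, hashChainCurrent: digest(seq, prev, body) }];
}

// Index of the first record that fails verification, or -1 when the chain is intact.
function verifyChain(log: ChainedEvent[]): number {
  let prev = GENESIS;
  return log.findIndex((r, i) => {
    const ok = r.seq === i && r.hashChainPrev === prev && digest(i, prev, r) === r.hashChainCurrent;
    prev = r.hashChainCurrent;
    return !ok;
  });
}

// Constructed sample: three events, then a copy with one record edited after the fact.
function buildSample(): ChainedEvent[] {
  const bodies: EventBody[] = [
    { actor: 'alice', action: 'create', resource: 'invoice/1', timestamp: '2026-05-10T00:00:00Z' },
    { actor: 'bob', action: 'approve', resource: 'invoice/1', timestamp: '2026-05-10T00:05:00Z' },
    { actor: 'alice', action: 'pay', resource: 'invoice/1', timestamp: '2026-05-10T00:09:00Z' },
  ];
  return bodies.reduce(appendEvent, [] as ChainedEvent[]);
}
const tampered = buildSample().map((r, i) => (i === 1 ? { ...r, action: 'reject' } : r));
console.log(verifyChain(buildSample()), verifyChain(tampered));
```

The chain alone does not cover a full rewrite with recomputed hashes or records dropped from the tail; keep the latest hash signed or stored outside the log store and compare it during verification.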

Log aggregation pipeline

```conf
# fluent-bit.conf
[SERVICE]
    Flush 1
    Daemon off
[INPUT]
    Name tail
    Path /var/log/app/*.log
    Parser json
[FILTER]
    Name kubernetes
    Match *
    Merge_Log On
[OUTPUT]
    # Built-in loki output: Host/Port/Uri/Tls, labels as comma-separated key=value
    Name loki
    Match *
    Host loki.example.com
    Port 443
    Tls On
    Uri /loki/api/v1/push
    Labels job=app, env=prod
```

Log-based alert (Loki LogQL)

```logql
sum by (service) (
  rate({env="prod", level="error"} | json | err_type != "ClientError" [5m])
) > 1
```

Drain3 log clustering (anomaly detection)

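```python
import sys
from drain3 import TemplateMiner

def alert(msg: str) -> None:
    # Placeholder sink; wire this to the real alerting channel
    print(msg, file=sys.stderr)

miner = TemplateMiner()
for line in sys.stdin:  # one log message per line
    res = miner.add_log_message(line.rstrip("\n"))
    # res['change_type'] in ['cluster_created','cluster_template_changed','none']
    if res['change_type'] == 'cluster_created':
        alert(f"new log pattern: {res['template_mined']}")
```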

Decision criteria

| Situation | Approach |
|---|---|
| All services | Structured JSON + trace correlation |
| High-volume endpoints | Sampling (1-10% INFO/DEBUG) |
| Finance/healthcare | Append-only audit + PII redaction + 7y retention |
| Distributed system | OTel + centralized Loki/CloudWatch/Datadog |
| Local dev | Pretty-printed + DEBUG level |

Default: JSON + ISO time + level + service + trace_id + message + structured fields.

🔗 Graph

🤖 LLM usage

When: log schema design, redaction rule drafts, log-based alert queries, log clustering for unknown patterns, postmortem timeline reconstruction. When not: raw log content containing PII (privacy), customer-attributable narrative without aggregation.

Anti-patterns

  • String concat logging: "user " + id + " did " + x → grep-only, no fields.
  • Log everything at DEBUG in prod: cost explosion + signal-to-noise 0.
  • PII in logs: password/SSN/credit card untouched → instant breach.
  • No retention policy: 7-year retention for trivial DEBUG → storage runaway.
  • Logs as primary metric: counting error logs → use metrics; logs are narrative.
  • Blocking sync logging: disk fsync per log → throughput collapse. Use async batch.

🧪 Verification / duplicates

  • Verified (OpenTelemetry Logs spec v1.31, Google SRE Book Ch.6 "Monitoring Distributed Systems", RFC 5424).
  • Trust level A.

🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: structured logging + OTel + audit + redaction patterns |