CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Log Aggregation (ELK/Loki)

Observability Intermediate
debt(d7/e5/b5/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints indicate automated detection is 'no', and tools like Loki, Elasticsearch, and Filebeat only help once aggregation is set up — the absence of log aggregation (grep-across-servers debugging) is invisible until someone tries to debug a multi-service incident. No linter or static tool flags the missing setup.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix describes choosing a stack (Loki or ELK), configuring shipping agents (Filebeat/Promtail), converting logs to structured JSON, and setting retention policies. This is not a one-line patch — it involves infrastructure setup, log format changes across services, and agent deployment, touching multiple files and configuration layers.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Applies to web, cli, and queue-worker contexts. Once chosen, the aggregation stack (ELK vs Loki) shapes how all teams query logs, structure their JSON fields, and set retention. Switching stacks later is painful, but the choice doesn't fundamentally rewrite the system's shape — teams can still function with the wrong stack, just inefficiently.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap (a documented gotcha most devs eventually learn)' (t5). The misconception is explicit: 'more log storage is always better.' Teams routinely store all debug logs at full rate, creating expensive noise. The common mistakes confirm this pattern — storing everything, not using structured logs. This is a well-documented gotcha that most teams hit once before learning to sample and structure.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-10 · reviewed by human

TL;DR

Log aggregation collects logs from all services into a central searchable store — ELK (Elasticsearch+Logstash+Kibana) for full-text search, Loki (Prometheus-style) for cost-efficient label-based search.

Explanation

ELK stack: Logstash/Filebeat (collect) → Elasticsearch (store+index) → Kibana (search+dashboard). Full-text indexed — any field searchable, high storage cost. Loki: Grafana's log store — only indexes labels (not content), compressed content. Much cheaper than ELK. PromQL-like LogQL. Best with structured logs (JSON). Alternatives: Datadog Logs, Splunk (expensive but powerful), CloudWatch Logs. Key capabilities: full-text search, aggregation (error count by service), dashboards, alerts on log patterns. Ship logs: Filebeat/Fluentd agent → aggregator. In PHP: Monolog with socket/HTTP handler → Logstash/Loki.

Common Misconception

More log storage is always better — logs stored but never searched are expensive waste. Store what you query; sample debug logs heavily.

Why It Matters

Centralised log aggregation transforms debugging from SSH-to-server-and-grep to sub-second search across all services — essential for microservices and autoscaling environments.

Common Mistakes

  • Not shipping logs to a central store — grep-across-servers debugging.
  • Storing all debug logs at full rate — expensive and noisy.
  • Not using structured logs — full-text search works, but JSON fields are essential for aggregation.

Code Examples

✗ Vulnerable 
# No aggregation — SSH to each server:
ssh server1 grep 'ERROR' /var/log/app.log
ssh server2 grep 'ERROR' /var/log/app.log
# 20 servers = 20 SSH sessions
✓ Fixed 
# Loki config:
- job_name: php_app
  static_configs:
    - targets: [localhost]
      labels:
        job: php-app
        env: production
  pipeline_stages:
    - json:
        expressions:
          level: level
          correlation_id: correlation_id
    - labels:
        level:
        correlation_id:

# LogQL query:
{job='php-app'} |= 'ERROR' | json | correlation_id='abc-123'
Added 23 Mar 2026
Views 53

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 3 pings F 1 ping S 3 pings S 2 pings M 1 ping T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 1 ping T 0 pings W
Agents 0
No pings yet today
PetalBot 1
Amazonbot 7 Scrapy 7 SEMrush 5 Ahrefs 4 Perplexity 4 Google 3 Majestic 2 Unknown AI 2 Claude 2 ChatGPT 2 Meta AI 1 PetalBot 1
Also referenced
Structured Logging 58 Prometheus Concepts 54 Correlation ID Pattern 42 Grafana & Dashboards 36
How they use it
crawler 36 crawler_json 4
Related categories
observability 1.6k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: High
⚡ Quick Fix
Choose Loki (cheap, Prometheus-compatible) or ELK (powerful full-text). Ship with Filebeat/Promtail. Use structured JSON logs for label extraction. Retain 30 days, archive 90.
📦 Applies To
web cli queue-worker
🔗 Prerequisites
🔍 Detection Hints
Auto-detectable: ✗ No loki elasticsearch filebeat
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: High Context: File
✓ schema.org compliant