This set builds vocabulary for centralized log collection, parsing, and alerting workflows.
1 / 5
At standup, a dev mentions routing application logs into a centralized platform that indexes them for fast full-text search across every service. Which practice fits?
Centralized log management collects logs from every service into one indexed platform, like Datadog, so an engineer can search across the whole system instead of SSH-ing into individual hosts to grep local files. This consolidation is essential once a system spans more than a handful of instances. It also lets logs be correlated with metrics and traces from the same platform.
2 / 5
During a design review, the team wants to extract structured fields, like status code and latency, from raw unstructured log lines automatically. Which capability supports this?
A log processing pipeline parses raw log lines into structured fields, like status code, latency, or user ID, using patterns or grok-style rules, turning free text into queryable data. This structuring makes it possible to filter, aggregate, and alert on specific fields rather than searching raw strings. A well-designed pipeline applies the same rules to every incoming source so a field name means the same thing everywhere, anchors its patterns so a line cannot partially match, and tags lines that fail to parse instead of dropping them, since a silently discarded line is exactly the one an investigator will later go looking for.
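As an added example (not code from the original set or from any particular logging product), here is a small grok-style parser: it expands `%{PATTERN:field:type}` tokens into an anchored regex with named groups, casts typed fields, and tags non-matching lines with `_grokparsefailure` rather than dropping them. The pattern library, the field names and the sample log lines are all constructed for this example.

```python
import re
from typing import Any, Callable, Dict, List

# A small grok-style pattern library defined for this example (a subset of
# what a real grok implementation ships with).
GROK_PATTERNS: Dict[str, str] = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?",
    "LOGLEVEL": r"DEBUG|INFO|WARN|ERROR",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "URIPATH": r"/[^\s?#]*",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}

# Token forms: %{PATTERN}, %{PATTERN:field} or %{PATTERN:field:type}
_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?(?::(int|float))?\}")
_CASTS: Dict[str, Callable[[str], Any]] = {"int": int, "float": float}


class GrokPattern:
    """Compiles one grok-style pattern into an anchored regex with named groups."""

    def __init__(self, pattern: str) -> None:
        self.casts: Dict[str, Callable[[str], Any]] = {}
        pieces: List[str] = []
        pos = 0
        for tok in _TOKEN.finditer(pattern):
            pieces.append(re.escape(pattern[pos:tok.start()]))  # literal text between tokens
            name, field, typ = tok.groups()
            sub = GROK_PATTERNS[name]  # unknown pattern names raise KeyError on purpose
            if field:
                pieces.append(f"(?P<{field}>{sub})")
                if typ:
                    self.casts[field] = _CASTS[typ]
            else:
                pieces.append(f"(?:{sub})")
            pos = tok.end()
        pieces.append(re.escape(pattern[pos:]))
        # Anchor both ends: an unanchored pattern would accept a partial match and
        # silently swallow trailing (possibly attacker-controlled) text.
        self.regex = re.compile("^" + "".join(pieces) + "$")

    def parse(self, line: str) -> Dict[str, Any]:
        """Return a structured event; lines that do not match are tagged, not dropped."""
        event: Dict[str, Any] = {"message": line}
        m = self.regex.match(line)
        if m is None:
            event["tags"] = ["_grokparsefailure"]
            return event
        for field, raw in m.groupdict().items():
            if raw is not None:
                event[field] = self.casts.get(field, str)(raw)
        return event


# Hypothetical access-log format used by this example.
ACCESS_LOG = GrokPattern(
    "%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{IP:client} "
    "%{WORD:method} %{URIPATH:path} %{NUMBER:status:int} %{NUMBER:latency_ms:float}"
)

# Constructed sample lines (not from a real system); the last one is malformed on purpose.
SAMPLE_LINES = [
    "2024-05-01T12:00:00Z INFO 10.0.0.5 GET /api/orders 200 12.4",
    "2024-05-01T12:00:01Z ERROR 10.0.0.7 POST /api/login 500 843.0",
    "2024-05-01T12:00:02Z WARN 10.0.0.9 GET /healthz 200 0.9",
    "May  1 12:00:03 host kernel: unexpected format",
]


def parse_sample() -> List[Dict[str, Any]]:
    return [ACCESS_LOG.parse(line) for line in SAMPLE_LINES]


def slow_errors(events: List[Dict[str, Any]], min_latency_ms: float = 500.0) -> List[Dict[str, Any]]:
    """A query that only works on structured data: 5xx responses slower than a threshold."""
    return [
        e for e in events
        if e.get("status", 0) >= 500 and e.get("latency_ms", 0.0) >= min_latency_ms
    ]


if __name__ == "__main__":
    for event in parse_sample():
        print(event)
```

The `slow_errors` query is the payoff: filtering on `status >= 500 and latency_ms >= 500` is a one-line field comparison once the pipeline has done the parsing, and the tagged failure line shows up in the output rather than vanishing.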
3 / 5
In a code review, a dev configures a rule so an unusual spike in error-level log volume automatically triggers an alert. What is this called?
Log-based alerting defines a monitor that watches for a pattern, like a spike in error-level volume, and automatically notifies the team when the threshold is crossed, rather than relying on someone manually noticing the spike. This automation catches issues faster than periodic manual review. The threshold should be set against the normal baseline for that window so ordinary variance does not page anyone, and a cooldown keeps one sustained burst from re-notifying on every further line. Log-based alerting is typically layered alongside metric-based alerting for full coverage.
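As an added example (not code from the original set or from any alerting product), this sliding-window monitor counts events of a watched level inside a rolling window and fires when the count exceeds a threshold, with a cooldown so one burst produces one notification. The traffic is constructed: steady background errors that never trip the monitor, plus one burst that does. The event shape, window, threshold and cooldown values are all assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Iterable, List, Optional


@dataclass(frozen=True)
class LogEvent:
    ts: datetime
    level: str
    service: str


@dataclass(frozen=True)
class Alert:
    fired_at: datetime
    count: int        # watched-level events inside the window when the alert fired
    threshold: int


def level_spike_alerts(
    events: Iterable[LogEvent],
    level: str = "ERROR",
    window: timedelta = timedelta(minutes=1),
    threshold: int = 5,
    cooldown: timedelta = timedelta(minutes=5),
) -> List[Alert]:
    """Fire when more than `threshold` events of `level` fall inside any `window`.

    Events are processed in timestamp order. After an alert, further alerts are
    muted for `cooldown` so a sustained burst does not page on every new line.
    """
    recent: Deque[datetime] = deque()
    alerts: List[Alert] = []
    muted_until: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.level != level:
            continue
        recent.append(ev.ts)
        # Evict timestamps that have aged out of the window; the current event is
        # always inside it, so the deque never empties here.
        while ev.ts - recent[0] >= window:
            recent.popleft()
        if len(recent) > threshold and (muted_until is None or ev.ts >= muted_until):
            alerts.append(Alert(ev.ts, len(recent), threshold))
            muted_until = ev.ts + cooldown
    return alerts


def sample_events(burst: bool = True) -> List[LogEvent]:
    """Constructed traffic: 30 minutes of INFO every 10 s, one background ERROR
    every 3 minutes, and (optionally) a burst of 8 ERRORs within 20 s at minute 10."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    events = [LogEvent(base + timedelta(seconds=10 * i), "INFO", "api") for i in range(180)]
    events += [LogEvent(base + timedelta(minutes=3 * i), "ERROR", "api") for i in range(10)]
    if burst:
        events += [
            LogEvent(base + timedelta(minutes=10, seconds=2 * i + 1), "ERROR", "api")
            for i in range(8)
        ]
    return events


if __name__ == "__main__":
    for a in level_spike_alerts(sample_events()):
        print(f"{a.fired_at.isoformat()}: {a.count} errors in window (threshold {a.threshold})")
```

With the defaults the background rate (at most one error per minute) never crosses the threshold, while the burst fires exactly once, on the sixth error at 12:10:11; the remaining burst events fall inside the cooldown. The deque keeps the check at amortised O(1) per event, which matters when the monitor runs over a high-volume stream.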
4 / 5
An incident report shows a costly log retention policy kept every debug-level log indefinitely, driving up storage costs with little investigative value. What practice would address this?
Tiering retention so verbose debug logs expire quickly while higher-value logs, like errors or audit events, are kept longer balances storage cost against actual investigative usefulness. Keeping everything indefinitely at full verbosity is rarely justified once volume grows. The tiers should be chosen with investigations in mind: audit and security-relevant events belong in the longest tier regardless of their log level, and even the shortest tier has to outlast the time it typically takes to notice a problem. This tuning is a recurring cost-management practice in any centralized logging setup.
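As an added example (not code from the original set or from any logging platform), this is a tiered retention policy expressed as ordered rules, first match wins, with audit events matched first so a low-level audit line is never swept out by the short verbose tier. It includes a sanity check on the policy and a simulation over constructed daily volumes that compares what a tiered policy keeps against keeping everything. The rule names, retention periods and volumes are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

LEVEL_RANK = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3}


@dataclass(frozen=True)
class LogRecord:
    ts: datetime
    level: str        # DEBUG / INFO / WARN / ERROR
    category: str     # "app" for ordinary application logs, "audit" for audit events
    size_bytes: int   # in the sample below: total bytes of one day's lines of this kind


@dataclass(frozen=True)
class RetentionRule:
    name: str
    keep: timedelta
    category: Optional[str] = None   # None matches any category
    min_level: Optional[str] = None  # None matches any level

    def matches(self, rec: LogRecord) -> bool:
        if self.category is not None and rec.category != self.category:
            return False
        if self.min_level is not None and LEVEL_RANK[rec.level] < LEVEL_RANK[self.min_level]:
            return False
        return True


# Tiered policy; the first matching rule wins. Audit events come first so that a
# low-level audit line is never caught by the short "verbose" tier.
TIERED_POLICY: List[RetentionRule] = [
    RetentionRule("audit", timedelta(days=365), category="audit"),
    RetentionRule("errors", timedelta(days=90), min_level="ERROR"),
    RetentionRule("warnings", timedelta(days=30), min_level="WARN"),
    RetentionRule("verbose", timedelta(days=3)),  # catch-all: DEBUG and INFO
]

# The costly policy from the incident report: everything kept (effectively) forever.
KEEP_EVERYTHING: List[RetentionRule] = [RetentionRule("everything", timedelta(days=36500))]


def retention_for(rec: LogRecord, policy: List[RetentionRule]) -> timedelta:
    for rule in policy:
        if rule.matches(rec):
            return rule.keep
    raise ValueError(f"no rule matched {rec}; the policy needs a catch-all")


def retention_days(level: str, category: str, policy: List[RetentionRule] = TIERED_POLICY) -> int:
    probe = LogRecord(datetime.now(timezone.utc), level, category, 0)
    return retention_for(probe, policy).days


def check_policy(policy: List[RetentionRule]) -> List[str]:
    """Checks worth running before a policy is shipped; returns the problems found."""
    problems: List[str] = []
    last = policy[-1] if policy else None
    if last is None or last.category is not None or last.min_level is not None:
        problems.append("last rule must be a catch-all so nothing is left unhandled")
    if not any(r.category == "audit" for r in policy):
        problems.append("audit events need their own tier")
    elif max(policy, key=lambda r: r.keep).category != "audit":
        problems.append("audit events must be the longest-retained tier")
    return problems


def apply_policy(records: Iterable[LogRecord], policy: List[RetentionRule],
                 now: datetime) -> Tuple[List[LogRecord], List[LogRecord]]:
    kept: List[LogRecord] = []
    expired: List[LogRecord] = []
    for rec in records:
        (kept if now - rec.ts < retention_for(rec, policy) else expired).append(rec)
    return kept, expired


def bytes_retained(records: Iterable[LogRecord]) -> int:
    return sum(r.size_bytes for r in records)


def sample_records(now: datetime, days: int = 60) -> List[LogRecord]:
    """Constructed volume: one record per day and kind, sized as that day's total bytes."""
    recs: List[LogRecord] = []
    for age in range(days):
        ts = now - timedelta(days=age, hours=1)
        recs += [
            LogRecord(ts, "DEBUG", "app", 200_000),
            LogRecord(ts, "INFO", "app", 15_000),
            LogRecord(ts, "WARN", "app", 3_000),
            LogRecord(ts, "ERROR", "app", 5_000),
            LogRecord(ts, "INFO", "audit", 1_500),
        ]
    return recs


def simulate(policy: List[RetentionRule] = TIERED_POLICY) -> Dict[str, int]:
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    recs = sample_records(now)
    kept, _ = apply_policy(recs, policy, now)
    return {"total_bytes": bytes_retained(recs), "kept_bytes": bytes_retained(kept)}


if __name__ == "__main__":
    print(check_policy(TIERED_POLICY), simulate(), simulate(KEEP_EVERYTHING))
```

On the constructed volumes the tiered policy retains about 1.1 MB of the 13.5 MB that keeping everything would, while every error and audit record from the whole period is still there. `check_policy` flags the keep-everything policy not for its cost but because audit events have no tier of their own, which is the ordering mistake that tiering most easily introduces.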
5 / 5
During a PR review, a teammate asks why the team pays for a centralized log platform instead of just grepping log files on each server over SSH. What is the reasoning?
SSH-ing into each host to grep local files doesn't scale once a system spans many services, while a centralized platform indexes everything for fast cross-service search and correlation with other telemetry. Shipping logs off the host also preserves them: an attacker who gains access to a server cannot quietly edit or delete the local file that would show what they did. This tradeoff favors centralization as a system grows beyond a trivial size. The convenience comes at the cost of the platform's ingestion and storage pricing.