Most production systems have logs. Few have observability. The distinction matters most at exactly the moment when it matters most: during an incident, when something has gone wrong in a way nobody anticipated, and the question is not 'what did the system record?' but 'why is it in this state?'
Logging is a prerequisite for observability, not a synonym for it. A system with extensive logs but no way to correlate them, aggregate them into meaningful signals, or ask arbitrary questions about system behaviour has records of events but not observability. The difference becomes apparent when you're diagnosing a failure mode that wasn't anticipated.
Building genuinely observable systems requires deliberate investment in three distinct capabilities, plus a clear understanding of what each one gives you and what it does not.
What logs give you, and what they don't
Logs give you a record of discrete events: a request was received, a database query ran, an exception was caught. They are invaluable for reconstructing what happened after the fact, for compliance purposes, and for diagnosing known failure modes your team anticipated and wrote logging for.
What logs don't give you is the ability to understand failure modes you didn't anticipate. An unstructured log file from a system under unexpected load tells you that many things happened and some of them failed. It doesn't tell you that the p99 latency on a specific database query increased by 400% starting at 14:23, that this correlated with a deployment that changed the query plan, and that the effect was isolated to one database replica. Discovering this from logs alone requires knowing what to look for before you start looking.
This is the fundamental limitation of logs as a primary observability tool. Production systems fail in ways their builders did not predict. The investigation capability you need is the ability to ask arbitrary questions about system behaviour, including questions nobody anticipated when the logging was written.
Metrics: the signals that tell you something is wrong
Metrics aggregate measurements over time into signals that can be monitored, alerted on, and compared across time periods. Unlike logs, which record discrete events, metrics record rates, distributions, and gauges. That is the kind of data that tells you whether the system is behaving normally or not.
The metrics that matter in production are almost never the infrastructure ones. CPU utilisation and memory usage are technically interesting, but they are not what the business cares about. The metrics that matter are business level: orders processed per minute, payment success rate, document processing queue depth, API response time at the 99th percentile. When these move unexpectedly, something is wrong, regardless of what the infrastructure metrics show.
Good metrics design starts from the question 'what does healthy look like?' and defines signals that distinguish healthy from unhealthy. It then adds the infrastructure metrics that help diagnose why health has degraded. This ordering is important: alerting on CPU at 80% is noise. Alerting on payment success rate dropping below 99% is a business problem.
Distributed tracing: correlating across service boundaries
In a system with multiple services, a single user request may touch six different services before producing a response. When that request is slow or fails, knowing that the failure happened is much less useful than knowing which service was the bottleneck, and at what point in the call chain the problem occurred.
Distributed tracing instruments the passage of a request through the system, attaching a trace identifier that persists across service calls. Each service records its portion of the work with timing and context. The result is a complete picture of how a specific request moved through the system: where the time was spent, where errors occurred, and what the state of each service was when it handled that particular request.
For systems that have grown past a single service, distributed tracing changes the diagnostic question from 'which of our ten services is causing this?' to 'here is exactly what happened with this request, in sequence, across all services.' The difference in time-to-diagnosis is measured in hours, not minutes.
Alerting that works versus alerting that's ignored
Alert fatigue is one of the most predictable outcomes of a monitoring implementation that wasn't designed carefully. A team that receives dozens of alerts per day, most of which resolve themselves or don't require action, quickly learns to ignore the alert channel. When the alert that matters arrives, it gets missed.
Effective alerting has two properties: it fires on things that require human attention, and it doesn't fire on things that don't. This requires setting alert thresholds based on actual system behaviour rather than theoretical limits, distinguishing between transient spikes and sustained degradation, and routing different severity levels to different channels with different expectations about response time.
The test of an alerting system is whether on call engineers trust it. A team that has confidence that an alert means something is wrong, and that silence means things are fine, will respond to alerts promptly and take them seriously. A team that has been conditioned by false positives will add latency to every response, which is exactly the wrong behaviour during an incident.
Structured logging as the foundation
The prerequisite for useful log analysis is structured logs. Unstructured log lines, usually strings of text written by developers for debugging purposes, are difficult to aggregate, impossible to query programmatically, and resist the indexing that makes logs searchable at scale.
Structured logs are machine-readable records that capture the same information as unstructured logs but in a format that can be indexed, queried, and correlated. A request log that records the user ID, the endpoint, the response code, the response time, and the trace identifier as separate fields can be aggregated to show response time distribution by endpoint, correlated with error rates, and joined to the distributed trace for a slow request.
The investment in structured logging pays back every time someone has to diagnose something in production. Teams that have it can answer 'what's the error rate for this user population over the last 24 hours?' in seconds. Teams that don't can answer the same question in hours, if they can answer it at all.
Observable systems fail more gracefully and recover faster
The goal of observability is not to prevent all failures. It is to ensure that when failures happen, the team can understand them quickly and fix them correctly. A system that fails in an understood way, where the cause is apparent and the fix is clear, is fundamentally less risky than one that fails mysteriously.
The investment in observability is operational insurance. Like all insurance, its value is most obvious when it is needed. Unlike most insurance, it also improves daily operations by giving teams confidence in what the system is actually doing.
More in this series
- The Difference Between a Demo and Production Software
- Why Software Gets Rebuilt Every Five Years and How to Avoid It
- Audit Ready by Design: Building Software That Passes Every Review
- Observability Is Not the Same as Logging
- The Real Cost of Technical Debt in Operational Systems
- Deployment Patterns for Business Critical Systems
- How to Design Software That Scales Without a RewriteComing soon
- Production Readiness Checklist: 12 Things Most Teams SkipComing soon
- Graceful Degradation: What Happens When Part of Your System FailsComing soon