Logging Pipeline — Tiered Observability Platform

The logging and observability pipeline is a critical system design interview topic because every production system at scale depends on reliable log collection, search, and retention. The core challenge is ingesting an enormous volume of log data from millions of distributed agents, indexing it for fast search, and retaining it cost-efficiently for years. At companies like Datadog, Splunk, and Elastic, the logging infrastructure is often the most expensive and operationally complex system in the entire stack.

At production scale, a platform serving thousands of microservices generates 100 million log lines per second at peak. Each log line must be parsed (structured JSON or unstructured text with grok patterns), enriched with metadata (service name, host, trace ID), and indexed for full-text search. Engineers expect to search recent logs (last 7 days) in under 5 seconds and historical logs (up to 7 years for compliance) within 60 seconds. The daily data volume can reach 10 petabytes, making it economically impossible to keep all data in an expensive indexed tier.

The problem demands a tiered storage architecture where hot data (7 days) lives in a fast, indexed search engine like Elasticsearch, while cold data lives in cheap object storage like S3 in compressed columnar format. The transition between tiers must be automated, reliable, and transparent to users. Additionally, the pipeline must support real-time dashboard metrics (error rates, p99 latencies, throughput by service) without hammering the search index on every dashboard refresh.

This template models the complete observability pipeline: agent-based log collection, Kafka buffering for burst absorption, parser workers for enrichment and indexing, Elasticsearch hot tier for fast search, S3 cold tier for long-term retention, rolloff workers for automated tier transitions, and a Redis metrics cache for real-time dashboards.

The logging pipeline architecture implements a tiered storage pattern that balances search performance against storage cost at petabyte scale. The ingest path begins with log agents running on millions of hosts, streaming batched log lines via gRPC to an NLB (Network Load Balancer chosen for ultra-high-throughput L4 routing at 100K batches per second). The NLB distributes traffic to an IngestService fleet (30 pods) that validates the batch, stamps it with tenant_id and ingest_timestamp, and publishes to IngestStream (Kafka with 256 partitions for massive parallelism). The ingest endpoint returns 200 immediately, making log collection fully asynchronous.

ParserWorker (100 instances) consumes from Kafka, parses structured (JSON) and unstructured (grok/regex) log lines, enriches them with metadata such as service name and trace_id, computes sliding-window aggregations for the metrics cache, and bulk-indexes into the IndexDB (OpenSearch/Elasticsearch with 64 shards, 2 replicas, and per-tenant indices for isolation). The hot tier retains 7 days of fully indexed data, enabling sub-5-second full-text search across billions of documents using inverted indices.

The query path is separated from ingest to prevent log volume from affecting search latency. Engineers send search queries through an API Gateway (with per-tenant rate limiting) to SearchService (15 pods). For recent queries, SearchService queries the hot tier in Elasticsearch at approximately 500ms p99. For historical queries beyond 7 days, it queries ArchiveStore (S3 with Parquet files) using S3 Select at approximately 30 seconds p99. Dashboard reads hit the MetricsCache (Redis 6-node cluster) for pre-computed aggregations in approximately 2ms.

RolloffWorker (20 instances) continuously migrates expired data from the hot tier to the cold tier, compressing log data into Parquet format and writing to S3. Standard-IA storage handles the first 90 days at approximately $0.0125/GB/month, and Glacier handles long-term retention at approximately $0.004/GB/month. This tiered approach reduces storage cost by 100x compared to keeping everything in Elasticsearch.