
Distributed Logging — Detailed

flowchart TB
  subgraph Sources
    APPS[Apps / sidecars]
    INFRA[Infra logs: nginx, syslog]
    K8S[Kubernetes containers]
    AUDIT[Security audit]
  end

  subgraph Agents[Agents per host]
    FB[Fluent Bit / Filebeat / Vector]
    REDACT[PII redaction]
    SAMPLE[Sampling]
    PARSE[Light parse]
  end

  subgraph Bus[Buffer]
    KAFKA[[Kafka topics<br/>per environment]]
    DLQ[[(Parse-failure DLQ)]]
  end

  subgraph Ingest
    PIPE([Logstash / Vector aggregator])
    GROK[Grok / regex parse]
    ENRICH[GeoIP / k8s metadata enrich]
    SCHEMA[Schema enforcement]
  end

  subgraph Storage[Storage]
    ES[(Hot index 7d)]
    COLD[(Warm 30d - frozen tier)]
    S3[(S3 long-term)]
    LOKI[Loki - label-index store option]
  end

  subgraph Query
    KIB[Kibana / Grafana / Splunk UI]
    ALERT[Alerting rules]
    DASH[Dashboards]
  end

  subgraph Ops
    AUTH[AuthN / multi-tenant]
    BILL[Per-team quotas + chargeback]
    RETN[Retention policy]
  end

  Sources --> Agents --> Bus --> Ingest --> Storage --> Query
  Ingest --> DLQ
  Ops --- Storage

    classDef client fill:#dbeafe,stroke:#1e40af,stroke-width:1px,color:#0f172a;
    classDef edge fill:#cffafe,stroke:#0e7490,stroke-width:1px,color:#0f172a;
    classDef service fill:#fef3c7,stroke:#92400e,stroke-width:1px,color:#0f172a;
    classDef datastore fill:#fee2e2,stroke:#991b1b,stroke-width:1px,color:#0f172a;
    classDef cache fill:#fed7aa,stroke:#9a3412,stroke-width:1px,color:#0f172a;
    classDef queue fill:#ede9fe,stroke:#5b21b6,stroke-width:1px,color:#0f172a;
    classDef compute fill:#d1fae5,stroke:#065f46,stroke-width:1px,color:#0f172a;
    classDef storage fill:#e5e7eb,stroke:#374151,stroke-width:1px,color:#0f172a;
    classDef external fill:#fce7f3,stroke:#9d174d,stroke-width:1px,color:#0f172a;
    classDef obs fill:#f3e8ff,stroke:#6b21a8,stroke-width:1px,color:#0f172a;
    class INFRA edge;
    class APPS,K8S,AUDIT,FB,REDACT,SAMPLE,PARSE,GROK,ENRICH,SCHEMA,AUTH,BILL,RETN service;
    class DLQ,ES,COLD datastore;
    class KAFKA queue;
    class PIPE compute;
    class S3 storage;
    class LOKI,KIB,ALERT,DASH obs;

Glossary & fundamentals

Concepts referenced in this design. Each row links to its canonical page; the tag column shows whether it is a high-level (HLD) or low-level (LLD) concept.

| Tag | Concept | What it is | Page |
| --- | --- | --- | --- |
| HLD | Load balancer / GSLB | L4/L7 traffic distribution and failover | load-balancer |
| HLD | Pub/Sub & message brokers | topics, consumer groups, delivery semantics | pub-sub-pattern |
| HLD | Observability | metrics, logs, traces, SLOs | observability |
| HLD | Service mesh | sidecar mesh, mTLS, traffic policy | service-mesh |