Clarify logs vs events vocabulary and usage #2863
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,8 @@ aliases: [/docs/reference/specification/logs/overview] | |
| - [OpenTelemetry Solution](#opentelemetry-solution) | ||
| - [Log Correlation](#log-correlation) | ||
| - [Events and Logs](#events-and-logs) | ||
| * [OpenTelemetry Event Definition](#opentelemetry-event-definition) | ||
| * [FAQ](#faq) | ||
| - [Legacy and Modern Log Sources](#legacy-and-modern-log-sources) | ||
| * [System Logs](#system-logs) | ||
| * [Infrastructure Logs](#infrastructure-logs) | ||
|
|
@@ -124,10 +126,10 @@ languages have established standards for using particular logging libraries. For | |
| example in Java world there are several highly popular and widely used logging | ||
| libraries, such as Log4j or Logback. | ||
|
|
||
| OpenTelemetry defines [Events](#events-and-logs) as a type of LogRecord with | ||
| specific characteristics. This definition is not ubiquitous across existing | ||
| libraries and languages. In some logging libraries, producing events aligned | ||
| with the OpenTelemetry Event definition is clunky or error-prone. | ||
|
|
||
| There are also countless existing prebuilt applications or systems that emit | ||
| logs in certain formats. Operators of such applications have no or limited | ||
|
|
@@ -208,15 +210,106 @@ Wikipedia’s [definition of log file](https://en.wikipedia.org/wiki/Log_file): | |
| >In computing, a log file is a file that records either events that occur in an | ||
| >operating system or other software runs. | ||
|
|
||
| From OpenTelemetry's perspective logs and events conceptually are not different. Both | ||
|
There was a problem hiding this comment. This PR seems to be focusing on
There was a problem hiding this comment. @svrnm I wish to get your opinion here from the documentation perspective. There was a problem hiding this comment. imho, There was a problem hiding this comment. The method to add a span event/log is called
My opinion: From a documentation perspective the key point is being conscious about that potential confusion and give end-user guidance here by being transparent and sharing the thought process that went into things, even if it boils down to "today we would call it Span Log, but we had called it Span Event in the past and we don't want breaking changes, so we have to live with that" There was a problem hiding this comment. I think we made a mistake when we renamed I have concern that using the term There was a problem hiding this comment. I also think this vocabulary update should include something about span events and feel having Log Event, Log Record, Span Event will lead to confusion. The best alternative I could come up with for Log Event is Report, but I also like SemanticLogRecord, it is clearer what it actually is with no definition required. |
||
| are represented using the same [LogRecord data model](./data-model.md). | ||
|
|
||
| ### OpenTelemetry Event Definition | ||
|
|
||
| OpenTelemetry defines **OpenTelemetry Events** as LogRecords that are shaped | ||
| in a special way: | ||
|
|
||
| - They have a LogRecord attribute `event.name` (and possibly other LogRecord attributes). | ||
| - They have an InstrumentationScope with a non-empty `Name` and with an | ||
| InstrumentationScope attribute `event.domain` (and possibly other InstrumentationScope attributes). | ||
|
|
||
| Within a particular `event.domain`, the `event.name` uniquely defines a particular class | ||
| or type of OpenTelemetry Event. OpenTelemetry Events with the same `event.domain` / | ||
| `event.name` follow the same schema which assists in analysis in observability platforms. | ||
| See also OpenTelemetry Event [semantic conventions](./semantic_conventions/events.md). | ||
|
There was a problem hiding this comment. Will discuss this more in the SIG call tomorrow, but I feel we should just say Events are LogRecords with these two attributes. We happened to keep the Can you also take a look at the changes to ./semantic_conventions/events.md in my PR #2848? There was a problem hiding this comment.
I think you are making an assumption that is not necessarily true for all backends, maybe it is true for some. |
||
|
|
||
| Note: in this specification we use capitalized word "Event" as a shorthand for | ||
| OpenTelemetry Event. When referring to the generic concept of events this specification | ||
| may use the word "event" (both in logging section and other sections, e.g. in metrics | ||
| section). This is not to be confused with the capitalized Event that has a precise | ||
| definition described above. When there is a confusion possible we will always use | ||
| fully qualified concept name: **OpenTelemetry Event**. | ||
|
|
||
| To avoid confusion we highly recommend to use the generic word "logs" when referring to | ||
| logs and events that are not OpenTelemetry Events. | ||
|
|
||
| OpenTelemetry also defines an [API]( | ||
| https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/api.md#emit-event) | ||
| that helps to emit LogRecords that are shaped as OpenTelemetry Events. | ||
|
|
||
| ### FAQ | ||
|
|
||
| **What is OpenTelemetry Event?** | ||
|
|
||
| It is a specially shaped LogRecord. See [OpenTelemetry Event Definition](#opentelemetry-event-definition). | ||
tigrannajaryan marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| **How are events and logs different?** | ||
|
|
||
| They are not. The words "events" and "logs" are synonyms. We prefer the word "logs" | ||
| when referring to generic log and event data. | ||
|
|
||
| **Who produces OpenTelemetry Events?** | ||
|
|
||
| OpenTelemetry Events are produced using OpenTelemetry Events API. | ||
|
There was a problem hiding this comment. Do we want to limit the source of the events to OpenTelemetry Events API only? Can't we have OTel collector to fetch events from another event source? |
||
|
|
||
| **Why do OpenTelemetry Events exist as a concept?** | ||
|
|
||
| OpenTelemetry Events are a class of events designed within OpenTelemetry community | ||
| or in compliance with OpenTelemetry recommendations. OpenTelemetry Events have a | ||
| particular shape of data that OpenTelemetry believes is beneficial for designers of | ||
| events structure to adopt. | ||
|
|
||
| **What are the reasons OpenTelemetry Events have an `event.domain` Scope attribute?** | ||
|
|
||
| There are 2 reasons: | ||
|
|
||
| 1. The `event.domain` Scope attribute isolates groups (domains) of Events designed by different | ||
| people. Any decisions about the choice of attribute names and other decisions | ||
| about the shape of the LogRecord made by designers of Events in a particular domain have | ||
| no impact on the design of events in another domain. | ||
| In other words, the `event.domain` attribute allows different groups of people to | ||
| independently make choices about Event representation in their domain of expertise | ||
| without worrying that their choices will impact people who design Events | ||
| in some other domain of expertise. | ||
|
|
||
| 2. The `event.domain` Scope attribute can be used for efficient routing and filtering | ||
| decision for a batch of LogRecords that belong to the particular domain. This is enabled | ||
| by the design of OTLP protocol which [groups the LogRecords by a Scope]( | ||
| https://github.com/open-telemetry/opentelemetry-proto/blob/724e427879e3d2bae2edc0218fff06e37b9eb46e/opentelemetry/proto/logs/v1/logs.proto#L64) | ||
| on the wire. | ||
|
|
||
| **I have a non-OpenTelemetry data source that produces events (e.g. Windows Events). | ||
| Should I make sure they are shaped like OpenTelemetry Events when used with OpenTelemetry | ||
| software (e.g. inside OpenTelemetry Collector)?** | ||
|
|
||
| Not necessarily. Just because the data in an external data source is called an "event" it | ||
| does not mean it automatically qualifies as an OpenTelemetry Event and must be shaped like | ||
| an OpenTelemetry Event. | ||
|
There was a problem hiding this comment. It will be very helpful to include guidance on when to produce Events vs Logs, and that I think is based on the expectations of the backend/receiver. For example, at AppDynamics, Events and Logs have some differences in their processing pipelines in the backend. Events are relatively limited in number and are produced by sources creating events of a certain importance, whereas Logs are far large in volume with good amount of noise in them. As an example, Kubernetes Events are (or, can be) Events and Kubernetes Pod logs, by default, are Logs. What should Go Structured Logs map to in OpenTelemetry? IMO, they should remain as Logs as they are used produced by applications for the general purpose of troubleshooting and are likely to contain a good amount of noise. There was a problem hiding this comment.
I don't think that this distinction makes a difference from the data model or API perspective. The same could be said about different log severity levels. The important point, AFAICT, is that it needs to be possible for a processor of log records to identify records that satisfy some criteria to direct them for separate processing. That is separate and distinct from how we refer to the concepts of "opaque bucket of bits" log records and "structured and schema-validatable" log records. |
||
|
|
||
| **I have non-OpenTelemetry data source that produces events that have a `name` and | ||
| `category`. The semantics of the `name` and `category` in this data source are exactly the | ||
| same as `event.name` and `event.domain` at OpenTelemetry. What should I do when I bring | ||
| these events to OpenTelemetry?** | ||
|
|
||
| If there is an exact match in the semantics then it is reasonable to map them to | ||
| OpenTelemetry's concepts. So, when the events from the external data source are converted | ||
| to OpenTelemetry LogRecords (for example in OpenTelemetry Collector) it is reasonable | ||
| to shape them like OpenTelemetry Events. In the given example it is reasonable to map | ||
| the `name` field from the data source to `event.name` and the `category` field to | ||
| `event.domain`. | ||
|
There was a problem hiding this comment. It is very unlikely that There was a problem hiding this comment. Here are the two things we brought up on the SIG making their way into this document.
/cc @alanwest |
||
|
|
||
| **I am designing a new library/application/system and want to produce structured logs/events | ||
| using OpenTelemetry. Should my events be shaped like OpenTelemetry Events?** | ||
|
|
||
| Yes. For new designs we recommend to shape your data like OpenTelemetry Events. | ||
| Make sure to choose a good descriptive value for `event.domain`. If the domain is common | ||
| enough consider adding it as a well-known domain name in OpenTelemetry's [semantic conventions]( | ||
| https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/semantic_conventions/events.md) | ||
| for `event.domain` attribute. | ||
|
|
||
| ## Legacy and Modern Log Sources | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to elaborate a bit on my thoughts in the SIG meeting today...
What we framed things this way:
"OpenTelemetry provides a generic way to define additional signal types. These signals are modeled as a type of LogRecord with specific characteristics...."
Then instead of
event.domainandevent.namewe usesignal.typeandsignal.name.Examples include
signal.typesignal.nameAdditionally, thinking of things in this way alleviates any need to discuss span events in the scope of this conversation. To me span events are still just simply something that happened during the course of a span at a particular point in time. That is, a span event is not some notion of a nested signal type.