"Three hours. That's how long it took to find the bug."
The on-call engineer stared at a wall of text in their terminal. Somewhere in a 50,000-line log file from last night's production incident was the answer. They knew it. The problem was finding it before the next pager alert fired.
The root cause? A single line of code that logged "User authenticated successfully" when it should have logged "Token refresh failed, falling back to session auth". Both messages passed code review. Both looked reasonable in isolation. Only one told the truth.
This is the fundamental failure of unstructured logging. It's writing for humans in the moment, not for systems that need to search, filter, and correlate across millions of events. And as your codebase grows from a prototype to a production system serving real money, the difference between print() and structured logging becomes the difference between debugging in three hours and debugging in three minutes.
This article walks through the evolution of logging practices in Python applications — from naive print() statements through Python's built-in logging module, and finally to structlog, which represents the current best practice for production observability. We'll cover why structured logging matters, how to implement it correctly, and how to integrate it with the ELK stack (Elasticsearch, Logstash, Kibana) for real operational leverage.
The Problem with Unstructured Logs
Before we solve the problem, we need to understand why print() fails at scale.
Consider this logging pattern from a typical Python script:
def process_order(order_id, user_id, amount):
logger.info(f"Processing order {order_id} for user {user_id}, amount: {amount}")
# ... processing logic ...
logger.info(f"Order {order_id} completed successfully")
On the surface, this looks fine. You can grep for order_id and find relevant lines. But consider what happens when you need to answer these questions:
- How many orders exceeded $10,000 yesterday?
- What was the average processing time for orders in the "pending" state?
- Which users had more than 5 failed orders in a single day?
With unstructured logs, these queries require regex parsing, fragile string matching, and constant maintenance. When a new engineer joins the team, they write their own log format, and suddenly you have 47 different ways to log the same event, none of them consistent.
The deeper problem is context loss. A print() statement logs a message. It doesn't log the environment that produced the message. You can't easily answer "what was the request ID?" or "what was the user's session state?" because that context was never captured in a structured way.
Python's Built-in logging: The Baseline
Python's standard library includes the logging module, which represents the minimum viable improvement over print(). It introduces log levels, basic formatting, and handlers — a meaningful step forward.
Here's a typical configuration:
import logging
import sys
# Configure basic logging
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s | %(levelname)s | %(name)s | %(message)s",
handlers=[logging.StreamHandler(sys.stdout)]
)
logger = logging.getLogger(__name__)
def process_payment(order_id: str, amount: float):
logger.info(f"Processing payment for order {order_id}", extra={"amount": amount})
try:
# Payment logic here
logger.info(f"Payment completed for order {order_id}")
except PaymentError as e:
logger.error(f"Payment failed for order {order_id}", extra={"error": str(e)})
This approach has genuine improvements:
- Log levels allow filtering by severity (DEBUG, INFO, WARNING, ERROR, CRITICAL)
- Named loggers (
__name__) allow namespacing by module - Extra fields enable basic structured data injection
However, Python's built-in logging module has significant limitations for modern observability needs:
- Output format is rigid: The
extradictionary data gets bundled into the message string, not separated as key-value pairs. - No context propagation: Child loggers don't automatically inherit parent context.
- JSON output requires third-party libraries: There's no native way to emit JSON logs, which ELK and other log aggregation systems prefer.
- Performance overhead: The standard formatter is relatively slow for high-throughput applications.
For a personal project or a small microservice processing a few dozen requests per second, this approach works. But as your system scales — multiple services, thousands of requests per second, complex debugging requirements — you need something more powerful.
Introducing structlog: Structured Logging Done Right
structlog is a Python library that reimagines logging from the ground up for the observability era. It was designed with three principles that address every weakness in Python's built-in logging:
- Structured by default: Every log entry is a dictionary, not a formatted string.
- Contextual by design: Context (request ID, user ID, correlation ID) flows automatically through the call stack.
- Output-agnostic: You can render logs as plain text, JSON, or any other format without changing your logging calls.
Installation and Basic Setup
Install structlog with:
pip install structlog
A minimal production configuration looks like this:
import structlog
import logging
import sys
# Configure the standard library logger to warning-only (reduce noise)
logging.basicConfig(
format="%(message)s",
stream=sys.stderr,
level=logging.WARNING,
)
# Configure structlog
structlog.configure(
processors=[
structlog.stdlib.filter_by_level,
structlog.stdlib.add_logger_name,
structlog.stdlib.add_log_level,
structlog.stdlib.PositionalArgumentsFormatter(),
structlog.processors.TimeStamper(fmt="iso"),
structlog.processors.StackInfoRenderer(),
structlog.processors.format_exc_info,
structlog.processors.UnicodeDecoder(),
structlog.processors.JSONRenderer() # Output as JSON
],
wrapper_class=structlog.stdlib.BoundLogger,
context_class=dict,
logger_factory=structlog.stdlib.LoggerFactory(),
cache_logger_on_first_use=True,
)
# Create a logger
log = structlog.get_logger()
With this configuration, calling log.info("order_processed", order_id="ORD-123", user_id="USR-456", amount=150.00) produces:
{"event": "order_processed", "order_id": "ORD-123", "user_id": "USR-456", "amount": 150.0, "timestamp": "2026-04-14T09:15:32.123456Z"}
This is the foundation of production-ready logging. Every field is a first-class citizen, queryable by your log aggregation system.
Contextual Logging: The Secret Weapon
The feature that transforms logging from "事后 analysis" (after-the-fact analysis) to "实时可观测性" (real-time observability) is contextual logging. This is where structlog genuinely shines.
In a complex application, a single user request might flow through 20 different functions across 5 different modules. Without contextual logging, each function logs independently, and correlating the logs requires manual grep work. With structlog's bound loggers, context flows automatically.
Here's how it works:
import structlog
log = structlog.get_logger()
def process_order(order_id: str, user_id: str, amount: float):
# Bind initial context
log = log.bind(order_id=order_id, user_id=user_id)
log.info("Starting order processing", amount=amount)
# Call internal functions — they inherit context automatically
payment_result = process_payment(log, amount)
if payment_result.success:
fulfillment_result = fulfill_order(log, order_id)
log.info("Order completed", fulfillment_id=fulfillment_result.id)
else:
log.error("Order failed", reason=payment_result.error_code)
def process_payment(logger, amount: float):
# No need to rebind order_id — it's already in the logger
logger = logger.bind(stage="payment_processing")
logger.debug("Initiating payment", amount=amount)
# ... payment logic ...
logger.debug("Payment gateway response", gateway=gateway_name, status=status)
return PaymentResult(success=True, id="PAY-789")
def fulfill_order(logger, order_id: str):
logger = logger.bind(stage="fulfillment")
logger.info("Fulfillment initiated")
# ... fulfillment logic ...
return FulfillmentResult(id="FUL-101")
With this pattern, every log entry from this order includes order_id and user_id without explicitly passing them to every function. The bound logger carries context through the call stack.
The output for the sequence above looks like:
{"event": "Starting order processing", "order_id": "ORD-123", "user_id": "USR-456", "amount": 150.0, "timestamp": "2026-04-14T09:15:32.123456Z"}
{"event": "Initiating payment", "order_id": "ORD-123", "user_id": "USR-456", "stage": "payment_processing", "amount": 150.0, "timestamp": "2026-04-14T09:15:32.234567Z"}
{"event": "Payment gateway response", "order_id": "ORD-123", "user_id": "USR-456", "stage": "payment_processing", "gateway": "stripe", "status": "success", "timestamp": "2026-04-14T09:15:32.345678Z"}
{"event": "Fulfillment initiated", "order_id": "ORD-123", "user_id": "USR-456", "stage": "fulfillment", "timestamp": "2026-04-14T09:15:32.456789Z"}
{"event": "Order completed", "order_id": "ORD-123", "user_id": "USR-456", "fulfillment_id": "FUL-101", "timestamp": "2026-04-14T09:15:32.567890Z"}
Now, querying in Elasticsearch for all logs from a specific order is a simple order_id: "ORD-123". No regex, no fragile string parsing.
Structured Exception Handling
Exceptions are where logging quality matters most — and where unstructured logs fail most catastrophically. A stack trace in a plain text log is nearly impossible to search programmatically. Structlog handles exceptions with proper structured context:
import structlog
log = structlog.get_logger()
def risky_operation(user_id: str):
logger = log.bind(user_id=user_id)
try:
result = external_api_call(user_id)
logger.info("External API call succeeded", response_time_ms=result.latency)
return result.data
except APIRateLimitError as e:
# Structured exception logging
logger.warning(
"Rate limit hit during API call",
retry_after=e.retry_after,
current_count=e.current_count,
limit=e.limit
)
# Handle gracefully — this isn't a failure, just a slowdown
time.sleep(e.retry_after)
return retry_operation(logger, user_id)
except APIServerError as e:
# Critical error with full context
logger.error(
"External API call failed",
endpoint=e.endpoint,
status_code=e.status_code,
response_body=e.response_body,
attempt=1 # Will be incremented on retry
)
raise # Re-raise after logging for upstream handling
def retry_operation(logger, attempt: int = 1):
logger = logger.bind(attempt=attempt)
try:
return external_api_call(user_id)
except Exception as e:
if attempt < 3:
logger.warning("Retrying after failure", next_attempt=attempt + 1)
return retry_operation(logger, attempt + 1)
else:
logger.error("All retry attempts exhausted")
raise
The key insight here: every exception gets logged with its relevant context fields. A APIRateLimitError gets retry_after, current_count, and limit. A APIServerError gets endpoint, status_code, and the response body (for debugging). This transforms a cryptic stack trace into a queryable event with all the debugging context you need.
Integration with ELK Stack
The ELK stack (Elasticsearch, Logstash, Kibana) is the industry standard for log aggregation and analysis. Structlog's JSON output integrates naturally with this ecosystem.
Configuring JSON Output for ELK
Here's a production configuration optimized for ELK ingestion:
import structlog
import logging
import sys
import json
from typing import Any
class JsonEncoder(json.JSONEncoder):
"""Handle non-serializable objects in JSON output."""
def default(self, obj: Any) -> Any:
if hasattr(obj, "__dict__"):
return {"type": type(obj).__name__, **obj.__dict__}
if isinstance(obj, (datetime, date)):
return obj.isoformat()
if isinstance(obj, bytes):
return obj.decode("utf-8", errors="replace")
return str(obj)
def setup_logging(service_name: str, log_level: str = "INFO"):
"""Production logging configuration for ELK integration."""
# Configure standard library logging
logging.basicConfig(
format="%(message)s",
stream=sys.stdout,
level=getattr(logging, log_level.upper()),
)
# Custom JSON renderer with ELK-optimized fields
def json_renderer(logger, method_name, event_dict):
"""Render log entries as JSON with ELK-friendly structure."""
# Flatten nested structures for better Elasticsearch indexing
event = event_dict.pop("event", "")
# Add standard ELK fields
elk_event = {
"@timestamp": event_dict.pop("timestamp", None),
"log.level": event_dict.pop("level", method_name),
"service.name": service_name,
"message": event,
# Flatten all remaining fields
**flatten_dict(event_dict)
}
# Remove None values
elk_event = {k: v for k, v in elk_event.items() if v is not None}
return json.dumps(elk_event, cls=JsonEncoder)
def flatten_dict(d: dict, parent_key: str = "", sep: str = "_") -> dict:
"""Flatten nested dictionaries for ELK indexing."""
items = []
for k, v in d.items():
new_key = f"{parent_key}{sep}{k}" if parent_key else k
if isinstance(v, dict):
items.extend(flatten_dict(v, new_key, sep=sep).items())
else:
items.append((new_key, v))
return dict(items)
structlog.configure(
processors=[
structlog.stdlib.filter_by_level,
structlog.stdlib.add_logger_name,
structlib.stdlib.add_log_level,
structlog.processors.TimeStamper(fmt="iso"),
structlog.processors.StackInfoRenderer(),
structlog.processors.format_exc_info,
json_renderer,
],
wrapper_class=structlog.stdlib.BoundLogger,
context_class=dict,
logger_factory=structlog.stdlib.LoggerFactory(),
cache_logger_on_first_use=True,
)
Logstash Configuration for Structlog JSON
Your Logstash configuration needs to parse the JSON output:
input {
file {
path => "/var/log/app/*.log"
codec => json
type => "application"
}
# Also support direct TCP input from applications
tcp {
port => 5044
codec => json_lines
}
}
filter {
if [type] == "application" {
# Parse timestamp
date {
match => ["@timestamp", "ISO8601"]
target => "@timestamp"
}
# Add service metadata
mutate {
add_field => {
"environment" => "${ENVIRONMENT:unknown}"
"version" => "${APP_VERSION:unknown}"
}
}
# Extract specific fields for better querying
if [order_id] {
mutate {
add_tag => ["has_order_id"]
}
}
# Tag errors for alerting
if [log.level] == "error" or [log.level] == "critical" {
mutate {
add_tag => ["error"]
}
}
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "app-logs-%{+YYYY.MM.dd}"
}
}
Kibana Queries for Common Operations
With structured logs in Elasticsearch, you can answer operational questions in seconds:
Find all logs for a specific order:
order_id: "ORD-123"
Find all errors in the last hour:
log.level: error AND @timestamp: [now-1h TO now]
Find rate-limited API calls:
message: "Rate limit hit" AND retry_after: >30
Analyze response time by endpoint:
message: "API call succeeded" | stats avg(response_time_ms) by endpoint
Find users with multiple failures:
message: "Order failed" | stats count() by user_id | where count > 5
Advanced Patterns: Context Variables and Dependency Injection
For larger applications, especially those using dependency injection frameworks, structlog supports context variables — a thread-safe way to store context that doesn't require explicit passing:
import structlog
from contextvars import ContextVar
# Thread-safe context storage
request_context: ContextVar[dict] = ContextVar("request_context", default={})
def bind_request_context(request_id: str, user_id: str, **kwargs):
"""Bind context at request entry point."""
ctx = {"request_id": request_id, "user_id": user_id, **kwargs}
request_context.set(ctx)
return ctx
def get_context_logger():
"""Get a logger with all bound context."""
log = structlog.get_logger()
ctx = request_context.get()
if ctx:
log = log.bind(**ctx)
return log
# Usage in Flask/Django middleware
def request_middleware(get_response):
def middleware(request):
request_id = request.headers.get("X-Request-ID", generate_uuid())
user_id = request.user.id if hasattr(request, "user") else "anonymous"
bind_request_context(request_id=request_id, user_id=user_id)
logger = get_context_logger()
logger.info(
"Request started",
method=request.method,
path=request.path,
client_ip=request.remote_addr
)
response = get_response(request)
logger.info(
"Request completed",
status_code=response.status_code,
duration_ms=elapsed_ms()
)
return response
return middleware
# Usage in business logic — no need to pass context
def process_payment(amount: float):
logger = get_context_logger() # Automatically gets request_id, user_id
logger.info("Processing payment", amount=amount)
# ...
This pattern is particularly powerful in web frameworks where a single request flows through many functions. The context is bound once at the entry point and automatically available everywhere.
Performance Considerations
Structured logging introduces computational overhead — JSON serialization, dictionary manipulation, and additional processors all take CPU cycles. For high-throughput applications (thousands of log entries per second), consider these optimizations:
1. Lazy Evaluation with Log Messages
Structlog supports lazy evaluation, which prevents expensive string formatting in disabled log levels:
# Instead of:
log.info("Processing order", expensive_calculation=get_expensive_value())
# Use:
log.info("Processing order", expensive_calculation=lambda: get_expensive_value())
The lambda is only called if the log level is enabled.
2. Async Logging for I/O-Bound Applications
For applications where logging I/O is a bottleneck:
import logging
import queue
import threading
class AsyncLogHandler(logging.Handler):
"""Async handler that batches log writes."""
def __init__(self, capacity: int = 1000):
super().__init__()
self.queue = queue.Queue(maxsize=capacity)
self.writer_thread = threading.Thread(target=self._writer, daemon=True)
self.writer_thread.start()
def emit(self, record):
try:
self.queue.put_nowait(record)
except queue.Full:
pass # Drop if queue is full (under extreme load)
def _writer(self):
while True:
batch = []
while len(batch) < 100:
try:
batch.append(self.queue.get(timeout=0.1))
except queue.Empty:
break
if batch:
self._write_batch(batch)
def _write_batch(self, batch):
# Batch write to reduce I/O overhead
pass
3. Sampling for High-Volume Logs
For debug-level logging in production, sample to reduce volume while maintaining statistical coverage:
import random
import structlog
class SamplingWrapper:
"""Wrap a logger to sample debug messages."""
def __init__(self, logger, sample_rate: float = 0.01):
self.logger = logger
self.sample_rate = sample_rate
def info(self, msg, **kwargs):
self.logger.info(msg, **kwargs)
def debug(self, msg, **kwargs):
if random.random() < self.sample_rate:
self.logger.debug(msg, **kwargs)
Building a Production Logging Library
For teams maintaining multiple services, a shared logging library enforces consistency and reduces per-service configuration overhead:
# shared_logging/__init__.py
"""
Shared logging configuration for all microservices.
"""
import structlog
import logging
import os
from typing import Optional
def configure_logging(
service_name: str,
log_level: Optional[str] = None,
json_output: bool = True,
include_stack_trace: bool = True
) -> structlog.BoundLogger:
"""
Configure structured logging for a microservice.
Args:
service_name: Name of the service (used in log entries)
log_level: Override log level from environment
json_output: Output JSON instead of plain text
include_stack_trace: Include stack traces in error logs
"""
level = log_level or os.getenv("LOG_LEVEL", "INFO")
logging.basicConfig(
format="%(message)s",
stream=logging.stdout,
level=getattr(logging, level.upper()),
)
processors = [
structlog.stdlib.filter_by_level,
structlog.stdlib.add_logger_name,
structlog.stdlib.add_log_level,
structlog.processors.TimeStamper(fmt="iso"),
structlog.processors.StackInfoRenderer() if include_stack_trace else structlog.processors.DictRenderer(),
]
if json_output:
processors.append(structlog.processors.JSONRenderer())
else:
processors.append(structlog.dev.ConsoleRenderer(colors=True))
structlog.configure(
processors=processors,
wrapper_class=structlog.stdlib.BoundLogger,
context_class=dict,
logger_factory=structlog.stdlib.LoggerFactory(),
cache_logger_on_first_use=True,
)
log = structlog.get_logger(service=service_name)
log.info(
"Logging configured",
service=service_name,
log_level=level,
json_output=json_output
)
return log
# Usage in any service:
# from shared_logging import configure_logging
# log = configure_logging("payment-service")
The Observability Revolution
Structured logging is not merely a technical improvement — it's a shift in how you think about application behavior. When every log entry is a structured data point, your logs become a queryable data source that rivals your database in analytical value.
Consider the questions you can answer with structured logs that were impossible with print():
- What's the p99 latency for each endpoint by time of day?
- Which users are hitting rate limits most frequently?
- What's the failure rate for each dependency service?
- Where is time spent in the request lifecycle?
These aren't "nice to have" insights. They're the operational intelligence that separates teams that respond to incidents in minutes from teams that scramble for hours.
The transition from print() to structlog is not a luxury reserved for FAANG engineering teams. It's a practical, well-documented, and increasingly standard practice that any Python team can adopt today. Start with the basic configuration, bind context in your request handlers, and output JSON. Your future self — debugging an incident at 3 AM — will be grateful.
The question isn't whether structured logging is worth implementing. It's whether you can afford to keep debugging with print() statements when structured logging is one pip install away.
Summary
| Practice | Tool | Best For |
|---|---|---|
| Rapid prototyping | print() |
Quick debugging, one-off scripts |
| Basic production | Python logging |
Simple services, low-volume applications |
| Full observability | structlog + ELK |
Production systems, microservices, distributed architectures |
The logging practices that seemed sufficient for a prototype will fail you in production. Invest the time to implement structured logging correctly, and you'll reduce incident resolution time by an order of magnitude. Your on-call engineers — and your future self — will thank you.
This article does not constitute investment advice. Markets involve risk; past performance does not guarantee future results.