Dash0 Acquires Lumigo to Expand Agentic Observability Across AWS and Serverless

Last updated: February 13, 2026

Traces vs Logs for Debugging Distributed Systems

Logs and traces provide you two different perspectives on system behavior.

Logs record that something happened at a particular moment inside a particular process. They're like individual diary entries that capture local context, errors, state, and internal decisions within a service.

On the other hand, traces are structured hierarchical workflows that follow a single request as it moves across service boundaries, from the edge of your system all the way to downstream dependencies. Instead of isolated events, you get a connected graph that shows which component called which, in what order, and how long each step took.

One tells you what happened inside a service. The other shows you how various services and their dependencies interacted together to produce a result.

The objective of this article is not to debate which one is more important. It's to help you understand the strengths and limitations of each, and guide their usage in a way that gives you clarity during incidents instead of confusion.

Logs describe what happened at a moment in time

A log is a deliberate record of something your code chose to surface. It captures an event at a precise instant inside a running process. That event could be a request beginning, an external call failing, a background task finishing, or a validation rule rejecting input.

The key point is that a log only exists because someone decided that this state of the application was worth recording. But what makes logs powerful is not the fact that they exist, but what you put into them.

A log entry can include identifiers, configuration values, payload details, error codes, or stack traces. The richer and more intentional that context is, the more useful the log becomes later.

When you are troubleshooting, logs help you answer practical questions:

  • What did the code actually execute?
  • What data did it receive?
  • Which path did it follow?
  • What outcome did it produce?

They provide insight into the internal behavior of your application at a level that other signals scarcely capture.

In the not too distant past, application logging meant writing plain text lines to a log file:

text
1
2026-02-12 10:00:00 ERROR Product Id Lookup Failed: OLJCESPC7Z

This worked fine when applications were small and ran on a single machine. You could SSH into a server, open a log file, and scroll until you found something interesting.

In modern distributed systems where dozens or hundreds of services, are each writing thousands of log lines per second, that approach breaks down quickly. Free-form text quickly turns into noise, and extracting meaning often depends on brittle string searches and ad hoc parsing.

This is why structured logging has become the standard. Instead of writing a sentence that a human must read and interpret, you emit machine-readable fields (usually in JSON format) that can be queried directly:

json
123456789
{
  "timestamp": "2026-02-12T10:00:00Z",
  "level": "ERROR",
  "service": "payment-service",
  "message": "Payment failed",
  "user_id": 123,
  "error_code": "insufficient_funds",
  "amount": 99.99
}

When ingested by an observability platform, you can filter, aggregate, and query logs with precision instead of relying on fragile keyword searches or complex regular expressions.

This shift from unstructured text to structured events is one of the most important operational improvements in modern systems. It's what transforms logging from a legacy debugging artifact into a first-class signal for observability.

And that's exactly what you need when things go wrong in distributed systems running across ephemeral infrastructure, where context disappears quickly and accurate diagnosis determines how fast you recover.

When logs are the right tool

Logs shine when you need precise, contextual detail. If you need to see the exact input that triggered a failure, the full error message returned by a dependency, or the internal state of your application at a given moment, logs are usually the most direct and reliable source of truth.

Another major strength of logs is their ability to handle high-cardinality data. Recording order IDs, email addresses, transaction hashes, or session tokens is perfectly reasonable in logs. Each entry can safely carry unique identifiers without destabilizing your storage model.

Metrics systems, on the other hand, are optimized for aggregation. Attaching a unique user ID or request ID as a metric label can create an explosion of time series, dramatically increasing storage and query costs. Logs don't have that limitation, which makes them a natural home for request-scoped and user-scoped identifiers.

Logs also extend far beyond day-to-day debugging. They form the backbone of audit trails that record who performed which action and when. Because they provide a durable, chronological account of activity across your system, they are essential for security investigations, compliance requirements, and post-incident reviews.

In short, logs are where detail, accountability, and historical recordkeeping come together.

Where logs fall short

The primary limitation of logs is scope. A log entry tells you what happened inside a single process at a specific moment, but it does not inherently show how that event relates to upstream requests, downstream dependencies, or other work happening concurrently across your system.

In a distributed architecture, one user request might traverse an API gateway, an authentication service, a billing service, a database, and a message queue. When something fails, you are left piecing together fragments from multiple services to determine what actually happened.

That might be manageable at a small scale, but when your system processes thousands of requests per second, using logs alone to reconstruct what happened quickly turns into a manual, error-prone, and time consuming exercise.

To improve this, many teams adopted correlation IDs. The approach was straightforward: generate a unique identifier at the edge of the system and attach it to every log entry produced during that request.

This helped isolate related events, but it introduced operational friction. Every service had to propagate the ID correctly and every log statement needed to include it. If a single link in the chain failed, the context was lost.

Even when everything worked, the output remained a flat list of log entries. You could filter by ID, but you still could not see explicit parent-child relationships or clearly understand how time was distributed across services.

When you need to understand causality, latency distribution, and the origin of a failure within a request chain, you need more than grouped log lines. You need a model that represents relationships directly.

That's where distributed tracing comes in.

Traces describe how a request actually moved through your system

A trace is a Directed Acyclic Graph (DAG) that represents the lifecycle of a single request. Where logs record isolated events, traces models how operations are connected and presents a timeline that tells a coherent story.

Each operation within a trace is called a span. A span might represent an incoming HTTP request, a call to another service, a database query, or even a function execution inside your code. Every span has a start time, an end time, a unique identifier, and metadata that describes what happened during that operation.

Now imagine a request entering your API gateway. It calls a payment service. That service queries a database and checks a cache. Each of those steps becomes a span in the same trace. What you get is not just a sequence of events, but a connected execution graph that reflects how your system actually behaved.

Every trace includes:

  • A trace ID that remains constant from the first service to the last.
  • Multiple spans, each with its own span ID, timing information, and metadata.
  • Parent-child relationships that establish causality between operations.

If Service A calls Service B, the span created by Service B records the span ID of Service A as its parent. That relationship is what allows observability tools to reconstruct the full execution path.

The result is often visualized as a waterfall diagram where you can immediately see which service called which dependency, how long each step took, and where errors or latency originated.

For distributed tracing to work, the trace ID must travel across service boundaries. This is typically done through standardized protocol headers, such as the W3C Trace Context header, which carries the trace ID and parent span ID with each request:

text
12345
traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01
             |  |                                |                |- trace-flags
             |  |                                |- parent-id (span ID)
             |- trace-id
             |- version

Instrumented services extract that context, create new child spans, and propagate the context downstream. If context propagation breaks at any point, the trace fragments into disconnected pieces.

In other words, traces show you how everything was connected and how the request actually moved through your system.

Why this matters in practice

Consider a checkout endpoint that suddenly starts returning a wave of 500 errors. Your metrics dashboard shows the spike immediately: the error rate climbs, alerts fire, and you know something is wrong.

When you check the logs, each service involved in the checkout flow appears to be reporting its own error. The API layer logs a 500, the payment service logs a timeout and the database layer logs a connection failure. Every component looks broken, but it's unclear which one failed first and which ones are simply reacting.

Inspecting the trace for a failed request is what finally brings that clarity. You'll see the full execution path laid out in order as well as the exact origin of the failure in the timeline. Every other error in upstream services is simply a consequence of that initial failure.

That's the difference between piecing together error messages and identifying the root cause, and it's why traces are particularly strong for:

  • Identifying the true origin of failures in distributed systems.
  • Understanding how requests propagate across services.
  • Spotting the slowest or most fragile components in a call chain.
  • Separating root causes from downstream symptoms.

Traces give you a structured view of failure, which is exactly what you need when multiple services are reporting errors at the same time. That clarity is what helps you quickly regain control of the situation.

Why you cannot trace everything (usually)

Traces are optimized to model relationships and timing across service boundaries. They're excellent at showing causality and latency, but they're not designed to capture every internal detail of an operation.

While its technically possible to record every internal variable, every branch decision, and every intermediate state through span attributes and span events, your traces will quickly become expensive from both a performance and storage perspective.

That's why most production systems use sampling where only a percentage of traces are retained. For example, you might keep 100 percent of error traces, but only one percent of successful ones.

While this dramatically reduces storage and processing costs, it also means that traces are not a guaranteed historical record. If a request was not sampled, its trace will simply not exist.

When to use span events and when to use logs

A span event is a structured annotation attached to a specific span. It marks a meaningful moment during an operation and carries structured attributes. Unlike logs, it is anchored directly inside the trace hierarchy.

JavaScript
123456789101112
// Traditional log instrumentation
logger.info("Payment gateway responded", {
  "http.response.status_code": 200,
  latency_ms: 45,
});


// Span event
span.addEvent("payment_gateway_response", {
  "http.reponse.status_code": 200,
  "response.latency_ms": 45,
  "gateway.provider": "stripe",
});

Both instrumentations above capture the same information. The difference is that the span event is inherently tied to its enclosing span and trace, while the log entry exists independently and must be explicitly correlated through trace and span IDs to connect it to the broader request flow.

The choice between span events and logs comes down to whether the information makes sense on its own or only within the context of a traced operation.

For example, span events should be used when the information is tightly coupled to a request, such as:

  • Checkpoints within an operation that do dont require their own spans.
  • Performance markers where timing relative to the parent span matters
  • Errors and exceptions that occurred during a traced operation
  • Annotations that only make sense within the trace context.

On the other hand, logs should be used for recording events that may exist independently of any trace:

  • System-level events that aren't tied to any specific request.
  • Background jobs and scheduled tasks that may not have an active trace context.
  • Debug-level details that are too verbose for standard trace instrumentation.
  • Anything that must survive trace sampling decisions (such as audit records).

This distinction is critical with trace sampling enabled. If you're only retaining 10% of traces to manage cost, span events on unsampled traces will be dropped. In contrast, logs will usually persist regardless of sampling.

Capturing logs and traces in practice

What determines the usefulnesss of your logs and traces in practice is how they get captured, how much context they carry, and how consistent the instrumentation is across services.

For logs, there is no shortcut—you have to write them. That means choosing a structured logging library, emitting JSON, and adding relevant contextual fields. Logs reflect what your code chooses to reveal so if you don't log it, it won't exist later during an incident.

Tracing gives you more options. You can instrument spans manually, just like logs, by wrapping important operations and attaching attributes or span events. That's how you capture domain-specific decisions and annotate critical execution paths.

You can also rely on auto-instrumentation at the application level or kernel-level (via eBPF) to capture common operations such as HTTP requests, database calls, message queue interactions, and RPC boundaries with minimal setup. This gives you visibility into broad request flows and latency without source code modifications.

The goal is not to capture everything; it's to capture enough of the right things so that when production breaks, you can move from signal to root cause without guesswork.

Correlating logs and traces

Achieving observability is not about choosing between logs, traces, or metrics. It's about using each signal to provide complementary perspectives to get a holistic view of what's happening and move quickly toward a solution.

On their own, each signal leaves gaps: metrics lack sufficient context, traces are usually sampled, and logs lack structural relationships. When you correlate them, those gaps start to close.

Correlation traces and logs involves automatically attaching a trace ID and span ID to every log record emitted during a request:

json
12345678910
{
  "timestamp": "2026-02-12T14:23:45Z",
  "level": "ERROR",
  "message": "Payment declined: insufficient funds",
  "service": "payment-service",
  "trace_id": "abc123456789abcdef0123456789abcd",
  "span_id": "def456789abcdef0",
  "user_id": "user-42",
  "amount": 99.99
}

Once this context is injected automatically, logs begin to behave very much like span events. They are no longer isolated records that require manual filtering, but become anchored to a specific span and trace.

In your observability tool, you can select a span and immediately see all logs emitted during that operation. Or you can begin with an interesting log entry and jump directly to the full distributed trace for that request to see what happened before and after.

From a workflow perspective, correlated logs and span events start to feel identical. The difference span events only exist if the trace is sampled and retained, while logs can be emitted independently and only correlated with spans if there's an active trace context.

In most cases, you don't need to wire this up manually. Although the exact setup differs by language and framework, OpenTelemetry provides the instrumentation needed to create spans, propagate trace context across service boundaries, and automatically inject that context into log records.

Once your telemetry is connected in this way, you stop jumping between isolated signals and guessing how they relate. Instead, you'll move through linked data with intent until the root cause becomes clear.

That is the shift required to go from just collecting telemetry to practicing observability.

Final thoughts

Logs and traces are not competing tools; they are complementary views of the same reality.

If you want faster incident response, clearer performance analysis, and less guesswork during outages, the focus should be on using each signal for what it does best and unifying them rather than debating which one matters more.

Dash0 is designed to unify logs, traces, and metrics into a single, connected experience, built natively on OpenTelemetry. Rather than treating each signal as a separate pillar, Dash0 allows you to move between them seamlessly, from a metric spike to a representative trace, and from a specific span directly to the logs emitted during that operation.

Start your free 14 day trial and see how much faster you can move from alert to root cause with OpenTelemetry-native observability.

Authors
Ayooluwa Isaiah
Ayooluwa Isaiah
Previous

Rails Log Levels Explained and How to Use Them

Next

W3C Trace Context Explained: Traceparent & Tracestate