What each pillar answers and when to use it

• Logs — What happened? — Structured event records capturing discrete events. Best format: JSON with consistent fields (timestamp, level, service, trace_id, user_id, message). Tools: CloudWatch Logs, Loki, Elasticsearch/OpenSearch. Structured logs enable filtering by user_id=4421 to find all events for a specific user during an incident.
• Metrics — How is it performing? — Numerical time-series data. Counters (request count), gauges (memory usage, connection pool size), histograms (request latency distribution). Tools: Prometheus + Grafana, Datadog, CloudWatch Metrics. Metrics tell you "P99 latency is 340ms and rising" — great for alerting and trend analysis.
• Traces — Where did time go? — A distributed trace follows a single request as it travels through multiple services. Each service adds a "span" — a timed segment of work with metadata. The trace shows the full waterfall: API Gateway (5ms) → Auth Service (8ms) → Product Service (320ms — this is your bottleneck) → Database (310ms of that). Tools: Jaeger, Zipkin, AWS X-Ray, Datadog APM.

The reliability vocabulary

• SLI (Service Level Indicator) — A specific measurable metric about your service. "The fraction of requests that returned a successful response (2xx) in under 500ms over the past 24 hours." SLIs are ratios, not absolutes.
• SLO (Service Level Objective) — Your reliability target for an SLI. "99.9% of requests should return a 2xx response in under 500ms." This is an internal goal — not a promise to customers (that is an SLA).
• Error budget — The allowed failure quota derived from your SLO. At 99.9% SLO over 30 days, your error budget = 0.1% × 30 × 24 × 60 = 43.2 minutes of downtime. If you spend it all, engineering velocity is paused until the budget resets.
• SLA (Service Level Agreement) — A contractual promise to customers with financial penalties for violations. SLAs are always looser than SLOs — you keep internal targets higher than what you promise externally.

Principles for effective alerting

• Alert on symptoms, not causes — "API error rate > 5%" is a symptom alert — something is wrong for users. "CPU > 80%" is a cause alert — might not be causing user impact. Alert on what users experience; diagnose causes in runbooks.
• Alert on SLO burn rate, not thresholds — Instead of "error rate > 1%", alert on "current error rate will exhaust the monthly error budget within X hours at this burn rate." This makes alerts actionable (budget-proportional urgency) and reduces false positives.
• Every alert must have a runbook — If there is no runbook, the on-call engineer cannot resolve it — they will just escalate. If the resolution is always the same, automate it. Alerts with runbooks that say "restart the service" should be automated remediations.
• Reduce alert fatigue with multi-window burn rate — Alert when the short window (1h) burn rate AND the long window (6h) burn rate both exceed threshold. Short window catches sudden failures, long window catches slow burns. This dramatically reduces false positives.