Log Aggregation System

Interview-Ready Approach

1) Clarify Scope and SLOs

• •Problem statement: Design a centralized logging system (like Datadog Logs) that ingests, indexes, and searches 1 TB of logs per day.
• •Design for a peak load target around 80,000 RPS (including burst headroom).
• •Log volume/day: ~1 TB
• •Log entries/day: ~5,000,000,000
• •Services: ~200
• •Search latency (7-day range): < 3 seconds
• •Live tail latency: < 2 seconds

2) Capacity Planning Method

• •Convert traffic and growth constraints into request rate, storage growth, and concurrency budgets.
• •Keep at least 2-3x safety margin per tier (ingress, compute, storage, async workers).
• •Reserve explicit latency budgets per hop so p95 can be defended in review.

3) Architecture Decisions

• •Databases: Define a clear system-of-record and design read/write paths separately before adding optimizations.
• •Message Queues: Move non-blocking and retry-heavy work to async consumers with explicit retry and DLQ policies.
• •Storage: Use object storage for large blobs and keep metadata/authorization separate in the API tier.
• •Search: Use primary store for writes and async index updates for search relevance + scale.
• •Monitoring: Instrument golden signals (latency, traffic, errors, saturation) per tier and per tenant/domain.

4) Reliability and Failure Strategy

• •Use strong write constraints (transactions or conditional writes) and explicit backup/restore strategy.
• •Guarantee idempotent consumers and trace every message with correlation IDs.
• •Enforce lifecycle policies, retention tiers, and checksum validation.
• •Track indexing lag and support reindex from source of truth.
• •Alert on user-impact SLOs, not only infrastructure metrics.

5) Validation Plan

• •Run one peak-load test, one dependency-degradation test, and one failover test.
• •Verify idempotency for all retried writes and async consumers.
• •Track user-facing SLOs first: p95 latency, error rate, and successful throughput.

6) Trade-offs to Call Out in Interviews

• •Databases: SQL gives stronger transactional guarantees; NoSQL often gives better write scaling and flexibility.
• •Message Queues: Async pipelines absorb spikes well, but increase eventual-consistency complexity.
• •Storage: Object storage is cheap and durable, but random low-latency reads are weaker than databases/caches.
• •Search: Search index gives rich querying but introduces eventual consistency and index ops overhead.
• •Monitoring: Deep observability speeds incident response but raises ingestion and tooling costs.

Practical Notes

• •Elasticsearch for hot storage (7 days), with index-per-day rotation. Delete old indices automatically.
• •Ingest via Kafka - decouple producers from the indexing pipeline. Kafka also acts as a buffer during traffic spikes.
• •Live tail: subscribe to the Kafka topic with filters, push matching entries via WebSocket to the browser.