--- title: "Best practices for creating custom logs - part i" page_name: "Best Practices for Creating Custom Logs – Part I" type: "blog" slug: "best-practices-creating-custom-logs-overview" published_at: "2017-04-20" modified_at: "2026-01-30" url: "https://www.sumologic.com/blog/best-practices-creating-custom-logs-overview" canonical: "https://www.sumologic.com/blog/best-practices-creating-custom-logs-overview" markdown_url: "https://www.sumologic.com/blog/best-practices-creating-custom-logs-overview.md" lang: "en" excerpt: "Logging events in your system is important to analyze trends. Make sure you have a plan to know how to create custom logs for your applications." --- [ All blogs ](https://www.sumologic.com/blog "blog") # Best Practices for Creating Custom Logs – Part I [Dan Reichert](#blog-author-block-97) April 20, 2017 2 min read ##### Table of contents ## Overview When logging information about your operating system, services, network, or anything else, usually there’s predefined log structures in place by the vendor. There are times when there aren’t predefined logs created by some software or you have custom application logs from your own software. Without properly planning your log syntax you’ll be using, things can get messy and your data may lose its integrity to properly tell the story. These best practices for creating custom logs can be applied to most logging solutions. ##### The 5 W’s There are 5 critical components of a good log structure\*: - *When did it happen* (timestamp) - *What happened* (e.g., error codes, impact level, etc) - *Where did it happen* (e.g., hostnames, gateways, etc) - *Who was involved* (e.g., usernames) - *Where he, she, or it came from* (e.g., source IP) Additionally, your custom logs should have a standard syntax that is easy to parse with distinct delimiters, a key-value pair, or a combination of both. An example of a good custom log is as follows: ``` 2017-04-10 09:50:32 -0700 - dan12345 - 10.0.24.123 - GET - /checkout/flight/ - credit.payments.io - Success - 2 - 241.98 ``` This log message shows when it was performed, what was performed, where it happened in your system, who performed it, and where that user came from. It’s also structured cleanly with a space-dash-space as the delimiters of each field. Optionally, you can also have key-value pairs to assist with parsing: ``` timestamp: 2017-04-10 09:50:32 -0700 - username: dan12345 - source_ip: 10.0.24.123 - method: GET - resource: /checkout/flight/ - gateway: credit.payments.io - audit: Success - flights_purchased: 2 - value: 241.98 ``` Once you have your log syntax and what will be going into the logs, **be sure to document this somewhere.** You can document it by adding a comment at the top of each log file. Without documentation, you may forget or someone may not know what something like “2” or “241.98” represents (for this example, it means 2 flights in the checkout at a value of $241.98). You can document our log syntax as such: ``` Timestamp - username - user_ip - method - resource - gateway - audit - flights_purchased - value ``` In the [second part](https://www.sumologic.com/blog/log-management-analysis/best-practices-creating-custom-logs-diving-deeper/) of this three part series, we’ll go into deeper details around timestamps and log content. In the [final part](https://www.sumologic.com/blog/log-management-analysis/best-practices-creating-custom-logs-diving-even-deeper/), we’ll go even deeper into log syntax and documentation. --- *\*Source: Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management.* Chuvakin, A., Phillips, C., & Schmidt, K. J. (2013). Dan Reichert Dan Reichert is a Sales Engineer at Sumo Logic with over a decade of experience in technology in the US Army, IBM, and various startups. He is a graduate of the iSchool at Syracuse University with a masters degree in Information Management and University of Central Florida with a bachelors degree in Information Systems Technology. He is an AWS Certified Solutions Architect – Associate. [](https://www.sumologic.com/feed "RSS Feed")[](https://twitter.com/intent/tweet?text=Best%20Practices%20for%20Creating%20Custom%20Logs%20-%20Part%20I&url=https%3A%2F%2Fwww.sumologic.com%2Fblog%2Fbest-practices-creating-custom-logs-overview "X")[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.sumologic.com%2Fblog%2Fbest-practices-creating-custom-logs-overview "Facebook")[](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fwww.sumologic.com%2Fblog%2Fbest-practices-creating-custom-logs-overview "Linkedin") [Previous blog Top Patterns for Building a Successful Microservices Architecture](https://www.sumologic.com/blog/top-patterns-building-successful-microservices-architecture)[Next blog Add Logging to Your Apps with the New Sumo Logic Javascript Logging SDK](https://www.sumologic.com/blog/javascript-logging-sdk) [AI Instructions](https://www.sumologic.com/ai-instructions.md)