deployment and operations
Logs
Logs explain what an application and runtime did. Useful logs are structured enough to search, correlated across a request or job, and careful not to leak secrets or unnecessary personal data. Logging everything is not the goal; the goal is to make failures diagnosable without creating another data leak.
Give Related Events A Shared Identifier
- Log request, job, or correlation IDs.
- Use severity levels consistently.
- Keep secrets, tokens, and passwords out of logs.
Trigger A Known Failure
- Send logs to an operator-visible destination.
- Trigger known failures.
- Verify retention and access controls.
Keep Sensitive Data Out
- Silent failures are hard to operate.
- Verbose logs can become a data leak.
- Local files disappear in disposable runtimes.
Structured Log Shape
{
  "level": "error",
  "message": "payment gateway timeout",
  "request_id": "req_01J...",
  "order_id": 9001,
  "secret": "never log this field"
}
Verify where logs go in the real runtime. Local files may disappear with disposable containers, and a log collector is useless if the team cannot search it or does not know the retention policy. Test one controlled failure in staging and trace it from the user-visible error to the relevant events.
Practice
Practice: Design A Logging Checklist
Design the minimum useful logging for a checkout request that calls a payment provider and dispatches a receipt job. Identify fields that must never be logged.
Requirements
- Log request, job, or correlation IDs.
- Use severity levels consistently.
- Keep secrets, tokens, and passwords out of logs.
- Send logs to an operator-visible destination.
- Trigger known failures.
- Verify retention and access controls.
Solution
Generate a request or correlation ID at the boundary and carry it into payment and receipt-job logs. Include a useful business identifier such as an order ID, along with a severity level and a concise event message.
Never log passwords, session IDs, access tokens, secret keys, or full payment details. Send staging logs to the operator-visible destination, trigger a controlled payment failure, and confirm that the request can be traced without exposing sensitive values.
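One way to implement the solution above, as an added Python example that is not part of the original page: a correlation ID set at the boundary, carried to the receipt job in its payload, and a formatter that redacts sensitive field names before anything is written. The deny-list, the function names and the card number are constructed assumptions.

```python
import contextvars
import io
import json
import logging
import uuid

# Assumed deny-list of field names; extend it for your own schema.
SENSITIVE = {"password", "session_id", "access_token", "secret", "secret_key", "card_number"}
request_id_var = contextvars.ContextVar("request_id", default=None)

class JsonFormatter(logging.Formatter):
    def format(self, record):
        event = {"level": record.levelname.lower(), "message": record.getMessage(),
                 "request_id": request_id_var.get()}
        for key, value in getattr(record, "fields", {}).items():
            event[key] = "[REDACTED]" if key.lower() in SENSITIVE else value
        return json.dumps(event)

def build_logger(stream):
    logger = logging.getLogger("checkout")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger

def handle_checkout(logger, order_id, card_number, fail_payment=False):
    request_id = "req_" + uuid.uuid4().hex  # generated once, at the boundary
    request_id_var.set(request_id)
    logger.info("checkout started", extra={"fields": {"order_id": order_id}})
    if fail_payment:  # controlled failure; card_number is passed by mistake on purpose
        logger.error("payment gateway timeout",
                     extra={"fields": {"order_id": order_id, "card_number": card_number}})
        return None
    logger.info("receipt job dispatched", extra={"fields": {"order_id": order_id}})
    return {"request_id": request_id, "order_id": order_id}  # payload carries the ID

def run_receipt_job(logger, job):
    request_id_var.set(job["request_id"])  # worker restores the ID from the payload
    logger.info("receipt sent", extra={"fields": {"order_id": job["order_id"]}})

def run_demo():
    stream = io.StringIO()
    logger = build_logger(stream)
    job = handle_checkout(logger, 9001, "4111111111111111")  # constructed test card number
    run_receipt_job(logger, job)
    handle_checkout(logger, 9002, "4111111111111111", fail_payment=True)
    return job, [json.loads(line) for line in stream.getvalue().splitlines()]
```

Redaction here works on field names only, so a sensitive value interpolated into the message string would still be written. Keep such values out of message text and pass them, if at all, as named fields.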