Inferensys

Glossary

Log Levels

Log levels are a hierarchical categorization system for log messages based on severity, used to filter output, control verbosity, and prioritize alerts in software observability.
AI evaluator reviewing output quality on laptop, comparison metrics visible, casual evaluation session.
AUDIT LOGGING FOR TOOL USE

What is Log Levels?

Log levels are a hierarchical categorization system for log messages based on their severity and intended audience, enabling granular control over logging verbosity and filtering.

Log levels are a standardized, hierarchical classification system (e.g., DEBUG, INFO, WARN, ERROR, FATAL) that assigns a severity to each log message. This hierarchy allows developers and systems to filter output based on urgency, controlling verbosity from detailed development traces to only critical production alerts. In audit logging for tool use, levels like INFO record successful invocations, while ERROR captures failed API calls, enabling precise monitoring of agent behavior. This mechanism is foundational to observability, working alongside structured logging and distributed tracing.

The primary function is to separate operational signals from noise. During development, DEBUG levels provide exhaustive detail for troubleshooting, while in production, the level is typically elevated to WARN or ERROR to reduce volume and cost. For compliance logging, levels ensure that all security-relevant events (e.g., authentication failures logged as ERROR) are captured immutably. Effective use requires a defined log retention policy and integration with log aggregation systems like a SIEM for real-time anomaly detection and root cause analysis during incidents.

RFC 5424 & COMMON PRACTICE

Standard Log Levels: Hierarchy and Purpose

A comparison of standard log severity levels, their typical use cases, and how they are filtered in production systems.

Log LevelNumeric SeverityPrimary Use CaseProduction VisibilityAudit Relevance

FATAL / EMERGENCY

0-1

System is unusable. A catastrophic failure requiring immediate intervention.

Critical

ERROR

3

Operation failed. A serious issue that prevented a specific function but the application may continue.

High

WARN

4

Unexpected event or potential problem. The application is functioning but in a degraded or unexpected state.

Medium

INFO

6

Normal operational events. Tracks the flow and state of the application for general understanding.

Low

DEBUG

7

Detailed diagnostic information for developers. Used to trace execution flow and variable states.

None

TRACE

7

Finest-grained informational events, such as entering/exiting a function. Used for deep code path analysis.

None

AUDIT LOGGING FOR TOOL USE

Key Characteristics of Log Levels

Log levels provide a hierarchical, severity-based filtering mechanism for system events, enabling precise control over logging verbosity from verbose debugging to critical failures.

01

Hierarchical Severity

Log levels are arranged in a strict hierarchy of increasing severity. This allows for filtering: setting a level like WARN will capture all WARN, ERROR, and FATAL messages, but exclude INFO and DEBUG. Common hierarchies include:

  • DEBUG: Detailed internal state for developers.
  • INFO: Confirmation of normal operations.
  • WARN: Potentially harmful situations.
  • ERROR: A failure in a specific operation.
  • FATAL/CRITICAL: Severe errors causing application abort.
02

Operational vs. Diagnostic

Levels serve distinct operational purposes. INFO, WARN, ERROR, and FATAL are for production monitoring, alerting, and understanding system health. DEBUG is purely diagnostic, providing granular, often computationally expensive details about internal state, variable values, and execution paths. It is typically disabled in production to preserve performance and reduce log volume.

03

Contextual Enrichment

Effective logging at any level requires structured logging with rich, machine-readable context. Each log entry should be more than a message; it must include immutable metadata such as:

  • Timestamp (ISO 8601).
  • Correlation/Trace ID for distributed tracing.
  • User/Session ID.
  • Tool/Function Name invoked.
  • Request Parameters (with PII redaction).
  • Host/Service Identifier. This context is critical for root cause analysis and forensic readiness.
04

Performance and Cost Impact

Logging verbosity directly impacts system performance and operational cost. DEBUG-level logging can generate orders of magnitude more data than INFO, consuming CPU for generation, network bandwidth for aggregation, and storage. A log retention policy and strategic use of sampling for verbose levels are essential for cost control. Real-time monitoring typically focuses on WARN and above to avoid alert fatigue.

05

Compliance and Audit Mandates

For audit logging, specific levels are often mandated. Regulatory frameworks like GDPR, HIPAA, and SOX require the immutable recording of all security-relevant events, which typically map to INFO (access grants), WARN (policy violations), and ERROR (authentication failures). These logs must be tamper-evident and stored in WORM (Write-Once, Read-Many) storage to ensure non-repudiation and support the chain of custody for digital evidence.

06

Integration with Observability

Log levels are one pillar of the observability triad, alongside metrics and distributed traces. They integrate into broader platforms:

  • SIEM (Security Information and Event Management): Ingests WARN and above for threat detection.
  • APM (Application Performance Monitoring): Correlates ERROR logs with trace spans and service metrics.
  • OpenTelemetry: Can bridge semantic conventions between log levels and trace severity. Effective log aggregation and parsing are required to make this data actionable.
AUDIT LOGGING FOR TOOL USE

Frequently Asked Questions

Essential questions and answers about log levels, the hierarchical system for categorizing the severity of log messages in AI agent systems and software applications.

Log levels are a hierarchical categorization system (e.g., DEBUG, INFO, WARN, ERROR, FATAL) that assigns a severity to each log message, enabling developers and systems to filter, route, and respond to events based on their importance. They are critical for managing verbosity, separating operational noise from critical alerts, and ensuring observability in complex systems like AI agents that invoke external tools. By setting a minimum log level (e.g., WARN), you can suppress less important messages in production, reducing storage costs and focusing attention on events that require action, such as a failed API call (ERROR) or a system crash (FATAL).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.