System architecture
This page explains the high-level system model behind logging24: how logs are ingested, how they are organized, how queries are answered, and how access control fits around that model.
For new readers, this chapter fits directly after Getting Started . It gives you the mental model needed before choosing a long-term forwarding setup or building more exact queries.
Ingestion
Logs reach logging24 through forwarding agents or integrations running in your environment. Those forwarders authenticate with write tokens and send log events to the ingest backends.
For operational guidance on how to send logs, continue to Forwarding . This page focuses on what the system looks like after the data arrives.
Log streams and prefixes
Incoming logs are assigned to log streams. Each stream is labeled with up to four textual dimensions,
prefix0
through
prefix3
. Typical deployments use
prefix0
for host or environment and
prefix1
for service or logfile.
These prefixes are central to the platform for two reasons:
- Queries use them to narrow the search scope before regex matching starts.
- Permissions use them to define what a reader, writer, or admin may access.
Storage and search
Logs are stored in internal blocks. Queries scan blocks that are relevant for the selected time range and prefixes, then apply the full-line regex match. Because the scan starts from a narrower candidate set, shorter time windows and more specific prefixes usually produce faster queries.
logging24 can reuse work from earlier scans through transparent caching and partial-result reuse, especially while clients poll an in-progress query.
Analysis model
Most user-facing analysis happens either in the web UI or through the HTTP API. The same underlying query engine powers both.
At a high level, a query consists of:
- Select a customer account.
- Restrict the scan by prefixes.
- Restrict the scan by time range.
- Apply the regex and optional captures for counting, grouping, or numeric analysis.
Continue with Querying for the full search model and API Reference for the HTTP surface.
Access control
logging24 uses three main permission roles:
| Writer | May ingest logs into the log streams allowed by the write token. |
| Reader | May query logs within the allowed prefix scope. |
| Admin | May configure streams and permissions within the allowed prefix scope. |
Read and admin permissions are prefix-based. For example, a permission scoped to
prefix0 = "com.example"
applies to log streams whose
prefix0
begins with that value, while leaving the other prefix dimensions available for further filtering.
Why this model matters operationally
- Prefix naming and forwarding design influences how useful your prefixes are later during search and access control.
- Token scope matters because it directly controls what can be ingested, searched, or administered.