Structured logging: build a production logging pipeline

Take a small HTTP service (Node/Go/JVM/Python) and build a production-grade structured logging pipeline end to end: an OTel-shaped schema, level-driven routing, collector-tier sampling, two-layer PII redaction, automatic trace_id correlation, and a separated audit-log subsystem — proving each property with a query, a test, or a before/after measurement.

• Build or take a small HTTP service with at least three endpoints: a success path (e.g. GET /orders), a failing path (e.g. a downstream call that returns 5xx), and a sensitive path (e.g. POST /signup that receives an email, password, and auth header).
• Emit OTel-shaped JSON logs to stdout: every line carries timestamp, level/SeverityNumber, service.name, message, and event-specific attributes using OTel Semantic Convention names (http.route, http.response.status_code, error.type). Set resource attributes (service.name, service.version, deployment.environment) once at startup.
• Classify levels correctly: INFO on the success path (request_completed), WARN for a recoverable retry/fallback, ERROR for a 5xx that left work undone. Show that ERROR/FATAL would page and WARN would route to a dashboard, even if only documented in a routing table.
• Auto-inject trace_id and span_id from the active span via the logger hook (pino mixin / slog handler / structlog processor / MDC). Include at least one async code path (setTimeout, goroutine, or thread) and make its log line carry the inbound trace_id.
• Add two-layer PII redaction: a logger SDK deny-list at the source for known paths (req.headers.authorization, body.password, user.email) AND a collector-tier regex scrubber for email/card-like patterns regardless of field name. Log opaque user_id, never email or name.
• Pass user input as typed attributes only — never interpolate it into the message string. Add a test that submits a comment containing a newline + a forged ERROR JSON object and asserts the output is still exactly one log record (CWE-117 prevented).
• Configure collector-tier sampling: success-path sampling that keeps ~10% of INFO but 100% of WARN and ERROR. Capture before/after daily-volume numbers under the same load.
• Route audit events (login, role grant, regulated-data access) by a category='audit' attribute to a separate pipeline and index with longer retention, append-only/immutable storage, and narrower access than operational logs.

• A captured log line from each endpoint showing the full OTel schema, correct level, and a non-zero trace_id — including the async path's line carrying the inbound trace_id.
• A before/after volume table proving success-path sampling cut INFO by ~90% while a query confirms 100% of WARN/ERROR survived.
• Evidence the sensitive endpoint leaks no PII: a query over the indexed logs for the test email/password/token returns zero hits, and the redaction holds even when the test deliberately dumps the whole request body on error.
• The CWE-117 test passes: the forged-newline comment produces exactly one log record, not two.
• An audit event lands in the audit index (not the operational index) and a query shows the operational index's retention/access policy differs from the audit index's.
• A one-paragraph write-up: which layer caught what (source deny-list vs collector scrubber), why sampling is severity-aware, and what breaks if audit and operational logs share an index.