The following is an excerpt from a design document for a major feature in RavenDB 4.0 that I’m currently reviewing, written by Tal.
One of the major problems when debugging such issues in production is the fact that most of the interesting information resides in memory and goes away when the server restarts. The sad thing is that the first thing an admin will do when having issues with the server is to recycle it, giving us very little to work with. Yes, we have logs, but debug-level logs are very expensive and usually are not enabled in production (nor should they be). We already have the ability to turn logs on on a production system, which is a great option, but not enough. The root cause of a Raft problem usually resides in the past, so unless we have logs from the beginning of time, there is not much use for them. The suggested solution is a persistent log for important events that indicate that things went south.
This is based on our experience (and frustration) with diagnosing production issues. By the time the admin sees something is wrong, the problem already occurred, and in the process of handling the problem, the admin will typically focus on fixing it rather than figuring out what exactly is going on.
Those kinds of features, focusing explicitly on giving us enough information to find the root cause of the issue, have been an ongoing effort for us. Yesterday, they enabled us to get a debug package from a customer (a ZIP file that the server can generate with a lot of important information), go through it, and figure out exactly what the problem was (the customer was running in 32-bit mode and running into virtual memory exhaustion) in one support roundtrip rather than having to go back and forth multiple times to try to get a bunch of different data points to figure out the issue.
Also, go and read Release It. It has a huge impact on actual system design.