github.com/uber-go/zap

Zap delivers on its promise of zero-allocation logging with a well-designed API that balances performance and ergonomics. The distinction between Logger and SugaredLogger is brilliant—use Logger for hot paths where every allocation matters, then switch to SugaredLogger when you need printf-style convenience. The strongly-typed field API (zap.String(), zap.Int(), etc.) feels verbose initially but provides compile-time safety and impressive performance gains.

The initialization experience is smooth with sensible presets like NewProduction() and NewDevelopment() that work out of the box. Custom configurations via zapcore give you precise control over encoders, outputs, and sampling without fighting the framework. Error messages are clear when field types mismatch, and the stack trace capture integrations work reliably.

One gotcha: remembering to call logger.Sync() before shutdown isn't obvious from basic examples. The structured logging approach also requires team buy-in since it's a departure from fmt.Printf patterns. Documentation is comprehensive with good examples, though finding specific zapcore customization patterns sometimes requires digging through issues.

Zap has been my go-to structured logger for years in production Go services. The API is clean with zap.String(), zap.Int() field constructors that make structured logging straightforward. Performance is genuinely excellent - the zero-allocation design matters in high-throughput services. The library itself has minimal dependencies (just multierr and atomic from the same org), reducing supply chain exposure.

From a security perspective, Zap doesn't automatically sanitize sensitive data - you must be deliberate about what you log. It won't redact passwords, tokens, or PII unless you handle it yourself. The structured format helps since you control field names, but it's easy to accidentally log request bodies or headers containing secrets. Error logging can expose stack traces with internal paths, which is fine for internal logs but needs filtering if logs go to third parties.

The library follows secure defaults: no eval, no external dependencies beyond Uber's own packages, and predictable behavior. TLS/crypto isn't applicable here. My main caution is around log injection - user input in log messages needs validation to prevent log forging, though the structured API mitigates this compared to printf-style logging.

Zap has been my go-to logging library for high-throughput services where allocation overhead matters. The zero-allocation API (SugaredLogger adds some convenience with minor overhead) consistently outperforms alternatives by orders of magnitude. In practice, this means logging doesn't become a bottleneck even at 100k+ logs/sec per instance.

The structured logging API is well-designed with strongly-typed field constructors (zap.String, zap.Int, etc.) that prevent reflection overhead. The sampling and level-based logging work flawlessly under load. Hook integration for custom outputs or metric emission is straightforward. Configuration via JSON/YAML works reliably, though I prefer programmatic setup for better type safety.

One gotcha: you must call logger.Sync() on shutdown or risk losing buffered logs. The SugaredLogger's Printf-style API is tempting but adds allocations—stick with the structured API in hot paths. Error handling is clean with logger.With() for context propagation. Overall, it's remarkably stable across versions with minimal breaking changes.