core/logging: change log.Error function (#5251)

* core/logging: change log.Error function * use request id
2025-06-27 15:08:14 +02:00 · 2024-09-05 15:42:46 -06:00 · 2024-09-05 15:42:46 -06:00 · dad954ae16
commit dad954ae16
parent 97bf5edc54
66 changed files with 163 additions and 166 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -71,7 +71,7 @@ func (a *Authenticate) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	a.options.Store(cfg.Options)
 	if state, err := newAuthenticateStateFromConfig(cfg, a.cfg); err != nil {
-		log.Error(ctx).Err(err).Msg("authenticate: failed to update state")
+		log.Ctx(ctx).Error().Err(err).Msg("authenticate: failed to update state")
 	} else {
 		a.state.Store(state)
 	}
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -234,7 +234,7 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
 	if err := authenticator.SignOut(w, r, rawIDToken, authenticateSignedOutURL, signOutURL); err == nil {
 		return nil
 	} else if !errors.Is(err, oidc.ErrSignoutNotImplemented) {
-		log.Error(r.Context()).Err(err).Msg("authenticate: failed to get sign out url for authenticator")
+		log.Ctx(r.Context()).Error().Err(err).Msg("authenticate: failed to get sign out url for authenticator")
 	}
 	// if the authenticator failed to sign out, and no sign out url is defined, just go to the signed out page
--- a/authorize/access_tracker.go
+++ b/authorize/access_tracker.go
@ -70,7 +70,7 @@ func (tracker *AccessTracker) Run(ctx context.Context) {
 	}
 	runSubmit := func() {
 		if dropped := atomic.SwapInt64(&tracker.droppedAccesses, 0); dropped > 0 {
-			log.Error(ctx).
+			log.Ctx(ctx).Error().
 				Int64("dropped", dropped).
 				Msg("authorize: failed to track all session accesses")
 		}
@ -84,7 +84,7 @@ func (tracker *AccessTracker) Run(ctx context.Context) {
 			return err == nil
 		})
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("authorize: error updating session last access timestamp")
+			log.Ctx(ctx).Error().Err(err).Msg("authorize: error updating session last access timestamp")
 			return
 		}
@ -93,7 +93,7 @@ func (tracker *AccessTracker) Run(ctx context.Context) {
 			return err == nil
 		})
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("authorize: error updating service account last access timestamp")
+			log.Ctx(ctx).Error().Err(err).Msg("authorize: error updating service account last access timestamp")
 			return
 		}
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -151,7 +151,7 @@ func (a *Authorize) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	currentState := a.state.Load()
 	a.currentOptions.Store(cfg.Options)
 	if state, err := newAuthorizeStateFromConfig(cfg, a.store, currentState.evaluator); err != nil {
-		log.Error(ctx).Err(err).Msg("authorize: error updating state")
+		log.Ctx(ctx).Error().Err(err).Msg("authorize: error updating state")
 	} else {
 		a.state.Store(state)
 	}
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@ -178,7 +178,7 @@ func (a *Authorize) deniedResponse(
 		var err error
 		respBody, err = io.ReadAll(resp.Body)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("error executing error template")
+			log.Ctx(ctx).Error().Err(err).Msg("error executing error template")
 			return nil, err
 		}
 		// convert go headers to envoy headers
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -183,7 +183,7 @@ func getOrCreatePolicyEvaluators(
 	evals, errs := errgrouputil.Build(ctx, builders...)
 	if len(errs) > 0 {
 		for _, err := range errs {
-			log.Error(ctx).Msg(err.Error())
+			log.Ctx(ctx).Error().Msg(err.Error())
 		}
 		return nil, fmt.Errorf("authorize: error building policy evaluators")
 	}
--- a/authorize/evaluator/google_cloud_serverless.go
+++ b/authorize/evaluator/google_cloud_serverless.go
@ -47,7 +47,7 @@ var (
 		headers, err := getGoogleCloudServerlessHeaders(string(serviceAccount), string(audience))
 		if err != nil {
-			log.Error(context.Background()).Err(err).Msg("error retrieving google cloud serverless headers")
+			log.Error().Err(err).Msg("error retrieving google cloud serverless headers")
 			return nil, fmt.Errorf("failed to get google cloud serverless headers: %w", err)
 		}
 		var kvs [][2]*ast.Term
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@ -66,7 +66,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	req, err := a.getEvaluatorRequestFromCheckRequest(ctx, in, sessionState)
 	if err != nil {
-		log.Error(ctx).Err(err).Str("request-id", requestID).Msg("error building evaluator request")
+		log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("error building evaluator request")
 		return nil, err
 	}
@ -75,7 +75,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	res, err := state.evaluator.Evaluate(ctx, req)
 	a.stateLock.RUnlock()
 	if err != nil {
-		log.Error(ctx).Err(err).Str("request-id", requestID).Msg("error during OPA evaluation")
+		log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("error during OPA evaluation")
 		return nil, err
 	}
@ -86,7 +86,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	resp, err := a.handleResult(ctx, in, req, res)
 	if err != nil {
-		log.Error(ctx).Err(err).Str("request-id", requestID).Msg("grpc check ext_authz_error")
+		log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("grpc check ext_authz_error")
 	}
 	a.logAuthorizeCheck(ctx, in, resp, res, s, u)
 	return resp, err
@ -195,7 +195,7 @@ func getClientCertificateInfo(
 	chain, err := url.QueryUnescape(escapedChain)
 	if err != nil {
-		log.Error(ctx).Str("chain", escapedChain).Err(err).
+		log.Ctx(ctx).Error().Str("chain", escapedChain).Err(err).
 			Msg(`received unexpected client certificate "chain" value`)
 		return c
 	}
@ -203,7 +203,7 @@ func getClientCertificateInfo(
 	// Split the chain into the leaf and any intermediate certificates.
 	p, rest := pem.Decode([]byte(chain))
 	if p == nil {
-		log.Error(ctx).Str("chain", escapedChain).
+		log.Ctx(ctx).Error().Str("chain", escapedChain).
 			Msg(`received unexpected client certificate "chain" value (no PEM block found)`)
 		return c
 	}
--- a/authorize/internal/store/store.go
+++ b/authorize/internal/store/store.go
@ -64,7 +64,7 @@ func (s *Store) write(rawPath string, value any) {
 		return s.writeTxn(txn, rawPath, value)
 	})
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("opa-store: error writing data")
+		log.Ctx(ctx).Error().Err(err).Msg("opa-store: error writing data")
 		return
 	}
 }
@ -125,7 +125,7 @@ func (s *Store) GetDataBrokerRecordOption() func(*rego.Rego) {
 		res, err := storage.GetQuerier(ctx).Query(ctx, req)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("authorize/store: error retrieving record")
+			log.Ctx(ctx).Error().Err(err).Msg("authorize/store: error retrieving record")
 			return ast.NullTerm(), nil
 		}
@ -149,7 +149,7 @@ func (s *Store) GetDataBrokerRecordOption() func(*rego.Rego) {
 		regoValue, err := ast.InterfaceToValue(obj)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("authorize/store: error converting object to rego")
+			log.Ctx(ctx).Error().Err(err).Msg("authorize/store: error converting object to rego")
 			return ast.NullTerm(), nil
 		}
--- a/authorize/log.go
+++ b/authorize/log.go
@ -66,7 +66,7 @@ func (a *Authorize) logAuthorizeCheck(
 		}
 		sealed, err := enc.Encrypt(record)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("authorize: error encrypting audit record")
+			log.Ctx(ctx).Error().Err(err).Msg("authorize: error encrypting audit record")
 			return
 		}
 		log.Info(ctx).
--- a/config/config_source.go
+++ b/config/config_source.go
@ -164,7 +164,7 @@ func (src *FileOrEnvironmentSource) check(ctx context.Context) {
 		cfg.Options = options
 		metrics.SetConfigInfo(ctx, cfg.Options.Services, "local", cfg.Checksum(), true)
 	} else {
-		log.Error(ctx).Err(err).Msg("config: error updating config")
+		log.Ctx(ctx).Error().Err(err).Msg("config: error updating config")
 		metrics.SetConfigInfo(ctx, cfg.Options.Services, "local", cfg.Checksum(), false)
 	}
 	src.config = cfg
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@ -249,7 +249,7 @@ func (b *Builder) buildInternalTransportSocket(
 	}
 	bs, err := getCombinedCertificateAuthority(cfg)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("unable to enable certificate verification because no root CAs were found")
+		log.Ctx(ctx).Error().Err(err).Msg("unable to enable certificate verification because no root CAs were found")
 	} else {
 		validationContext.TrustedCa = b.filemgr.BytesDataSource("ca.pem", bs)
 	}
@ -343,13 +343,13 @@ func (b *Builder) buildPolicyValidationContext(
 	} else if policy.TLSCustomCA != "" {
 		bs, err := base64.StdEncoding.DecodeString(policy.TLSCustomCA)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("invalid custom CA certificate")
+			log.Ctx(ctx).Error().Err(err).Msg("invalid custom CA certificate")
 		}
 		validationContext.TrustedCa = b.filemgr.BytesDataSource("custom-ca.pem", bs)
 	} else {
 		bs, err := getCombinedCertificateAuthority(cfg)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("unable to enable certificate verification because no root CAs were found")
+			log.Ctx(ctx).Error().Err(err).Msg("unable to enable certificate verification because no root CAs were found")
 		} else {
 			validationContext.TrustedCa = b.filemgr.BytesDataSource("ca.pem", bs)
 		}
--- a/config/envoyconfig/envoyconfig.go
+++ b/config/envoyconfig/envoyconfig.go
@ -175,7 +175,7 @@ func (b *Builder) envoyTLSCertificateFromGoTLSCertificate(
 			},
 		))
 	} else {
-		log.Error(ctx).Err(err).Msg("failed to marshal private key for tls config")
+		log.Ctx(ctx).Error().Err(err).Msg("failed to marshal private key for tls config")
 	}
 	for _, scts := range cert.SignedCertificateTimestamps {
 		envoyCert.SignedCertificateTimestamp = append(envoyCert.SignedCertificateTimestamp,
@ -207,7 +207,7 @@ func getRootCertificateAuthority() (string, error) {
 			}
 		}
 		if rootCABundle.value == "" {
-			log.Error(context.TODO()).Strs("known-locations", knownRootLocations).
+			log.Error().Strs("known-locations", knownRootLocations).
 				Msgf("no root certificates were found in any of the known locations")
 		} else {
 			log.Info(context.TODO()).Msgf("using %s as the system root certificate authority bundle", rootCABundle.value)
--- a/config/envoyconfig/filemgr/filemgr.go
+++ b/config/envoyconfig/filemgr/filemgr.go
@ -2,7 +2,6 @@
 package filemgr
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"sync"
@ -38,7 +37,7 @@ func (mgr *Manager) init() {
 func (mgr *Manager) BytesDataSource(fileName string, data []byte) *envoy_config_core_v3.DataSource {
 	mgr.init()
 	if mgr.initErr != nil {
-		log.Error(context.Background()).Err(mgr.initErr).Msg("filemgr: error creating cache directory, falling back to inline bytes")
+		log.Error().Err(mgr.initErr).Msg("filemgr: error creating cache directory, falling back to inline bytes")
 		return inlineBytes(data)
 	}
@ -48,11 +47,11 @@ func (mgr *Manager) BytesDataSource(fileName string, data []byte) *envoy_config_
 	if _, err := os.Stat(filePath); os.IsNotExist(err) {
 		err = os.WriteFile(filePath, data, 0o600)
 		if err != nil {
-			log.Error(context.TODO()).Err(err).Msg("filemgr: error writing cache file, falling back to inline bytes")
+			log.Error().Err(err).Msg("filemgr: error writing cache file, falling back to inline bytes")
 			return inlineBytes(data)
 		}
 	} else if err != nil {
-		log.Error(context.TODO()).Err(err).Msg("filemgr: error reading cache file, falling back to inline bytes")
+		log.Error().Err(err).Msg("filemgr: error reading cache file, falling back to inline bytes")
 		return inlineBytes(data)
 	}
@ -75,7 +74,7 @@ func (mgr *Manager) ClearCache() {
 		return nil
 	})
 	if err != nil {
-		log.Error(context.Background()).Err(err).Msg("failed to clear envoy file cache")
+		log.Error().Err(err).Msg("failed to clear envoy file cache")
 	}
 }
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@ -600,7 +600,7 @@ func (b *Builder) buildDownstreamValidationContext(
 	if crl := cfg.Options.DownstreamMTLS.CRL; crl != "" {
 		bs, err := base64.StdEncoding.DecodeString(crl)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("invalid client CRL")
+			log.Ctx(ctx).Error().Err(err).Msg("invalid client CRL")
 		} else {
 			vc.Crl = b.filemgr.BytesDataSource("client-crl.pem", bs)
 		}
@ -628,7 +628,7 @@ func clientCABundle(ctx context.Context, cfg *config.Config) []byte {
 		}
 		ca, err := base64.StdEncoding.DecodeString(p.TLSDownstreamClientCA)
 		if err != nil {
-			log.Error(ctx).Stringer("policy", p).Err(err).Msg("invalid client CA")
+			log.Ctx(ctx).Error().Stringer("policy", p).Err(err).Msg("invalid client CA")
 			continue
 		}
 		addCAToBundle(&bundle, ca)
--- a/config/http.go
+++ b/config/http.go
@ -29,7 +29,7 @@ func NewHTTPTransport(src Source) *http.Transport {
 			}
 			lock.Unlock()
 		} else {
-			log.Error(ctx).Err(err).Msg("config: error getting cert pool")
+			log.Ctx(ctx).Error().Err(err).Msg("config: error getting cert pool")
 		}
 	}
 	src.OnConfigChange(context.Background(), update)
@ -80,7 +80,7 @@ func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool)
 			tlsClientConfig.MinVersion = tls.VersionTLS12
 			isCustomClientConfig = true
 		} else {
-			log.Error(context.TODO()).Err(err).Msg("config: error getting ca cert pool")
+			log.Error().Err(err).Msg("config: error getting ca cert pool")
 		}
 	}
@ -91,7 +91,7 @@ func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool)
 			tlsClientConfig.MinVersion = tls.VersionTLS12
 			isCustomClientConfig = true
 		} else {
-			log.Error(context.TODO()).Err(err).Msg("config: error getting custom ca cert pool")
+			log.Error().Err(err).Msg("config: error getting custom ca cert pool")
 		}
 	}
--- a/config/layered.go
+++ b/config/layered.go
@ -51,7 +51,7 @@ func (src *LayeredSource) rebuild(ctx context.Context, next *Config) *Config {
 	cfg := next.Clone()
 	if err := src.builder(cfg); err != nil {
-		log.Error(ctx).Err(err).Msg("building config")
+		log.Ctx(ctx).Error().Err(err).Msg("building config")
 		cfg = next
 	}
 	src.cfg = cfg
--- a/config/metrics.go
+++ b/config/metrics.go
@ -78,7 +78,7 @@ func (mgr *MetricsManager) updateInfo(ctx context.Context, cfg *Config) {
 	hostname, err := os.Hostname()
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to get OS hostname")
+		log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to get OS hostname")
 		hostname = "__unknown__"
 	}
@ -108,7 +108,7 @@ func (mgr *MetricsManager) updateServer(ctx context.Context, cfg *Config) {
 		})
 	handler, err := metrics.PrometheusHandler(toInternalEndpoints(mgr.endpoints), mgr.installationID, defaultMetricsTimeout)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("metrics: failed to create prometheus handler")
+		log.Ctx(ctx).Error().Err(err).Msg("metrics: failed to create prometheus handler")
 		return
 	}
--- a/config/mtls.go
+++ b/config/mtls.go
@ -206,7 +206,7 @@ func mtlsEnforcementFromProtoEnum(
 	case config.MtlsEnforcementMode_REJECT_CONNECTION:
 		return MTLSEnforcementRejectConnection
 	default:
-		log.Error(ctx).Msgf("unknown mTLS enforcement mode %s", mode)
+		log.Ctx(ctx).Error().Msgf("unknown mTLS enforcement mode %s", mode)
 		return ""
 	}
 }
--- a/config/options.go
+++ b/config/options.go
@ -413,10 +413,10 @@ func checkConfigKeysErrors(configFile string, o *Options, unused []string) error
 		var evt *zerolog.Event
 		switch check.KeyAction {
 		case KeyActionError:
-			evt = log.Error(ctx)
+			evt = log.Ctx(ctx).Error()
 			err = errInvalidConfigKeys
 		default:
-			evt = log.Error(ctx)
+			evt = log.Ctx(ctx).Error()
 		}
 		evt.Str("config_file", configFile).Str("key", check.Key)
 		if check.DocsURL != "" {
@ -428,7 +428,7 @@ func checkConfigKeysErrors(configFile string, o *Options, unused []string) error
 	// check for unknown runtime flags
 	for flag := range o.RuntimeFlags {
 		if _, ok := defaultRuntimeFlags[flag]; !ok {
-			log.Error(ctx).Str("config_file", configFile).Str("flag", string(flag)).Msg("unknown runtime flag")
+			log.Ctx(ctx).Error().Str("config_file", configFile).Str("flag", string(flag)).Msg("unknown runtime flag")
 		}
 	}
@ -825,7 +825,7 @@ func (o *Options) UseStatelessAuthenticateFlow() bool {
 		} else if flow == "stateful" {
 			return false
 		}
-		log.Error(context.Background()).
+		log.Error().
 			Msgf("ignoring unknown DEBUG_FORCE_AUTHENTICATE_FLOW setting %q", flow)
 	}
 	u, err := o.GetInternalAuthenticateURL()
@ -1147,13 +1147,13 @@ func (o *Options) GetX509Certificates() []*x509.Certificate {
 	if o.CertFile != "" {
 		cert, err := cryptutil.ParsePEMCertificateFromFile(o.CertFile)
 		if err != nil {
-			log.Error(context.Background()).Err(err).Str("file", o.CertFile).Msg("invalid cert_file")
+			log.Error().Err(err).Str("file", o.CertFile).Msg("invalid cert_file")
 		} else {
 			certs = append(certs, cert)
 		}
 	} else if o.Cert != "" {
 		if cert, err := cryptutil.ParsePEMCertificateFromBase64(o.Cert); err != nil {
-			log.Error(context.Background()).Err(err).Msg("invalid cert")
+			log.Error().Err(err).Msg("invalid cert")
 		} else {
 			certs = append(certs, cert)
 		}
@ -1162,7 +1162,7 @@ func (o *Options) GetX509Certificates() []*x509.Certificate {
 	for _, c := range o.CertificateData {
 		cert, err := cryptutil.ParsePEMCertificate(c.GetCertBytes())
 		if err != nil {
-			log.Error(context.Background()).Err(err).Msg("invalid certificate")
+			log.Error().Err(err).Msg("invalid certificate")
 		} else {
 			certs = append(certs, cert)
 		}
@ -1171,7 +1171,7 @@ func (o *Options) GetX509Certificates() []*x509.Certificate {
 	for _, c := range o.CertificateFiles {
 		cert, err := cryptutil.ParsePEMCertificateFromFile(c.CertFile)
 		if err != nil {
-			log.Error(context.Background()).Err(err).Msg("invalid certificate_file")
+			log.Error().Err(err).Msg("invalid certificate_file")
 		} else {
 			certs = append(certs, cert)
 		}
@ -1481,12 +1481,12 @@ func (o *Options) applyExternalCerts(ctx context.Context, certsIndex *cryptutil.
 	for _, c := range certs {
 		cert, err := cryptutil.ParsePEMCertificate(c.GetCertBytes())
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("parsing cert from databroker: skipped")
+			log.Ctx(ctx).Error().Err(err).Msg("parsing cert from databroker: skipped")
 			continue
 		}
 		if overlaps, name := certsIndex.OverlapsWithExistingCertificate(cert); overlaps {
-			log.Error(ctx).Err(err).Str("domain", name).Msg("overlaps with local certs: skipped")
+			log.Ctx(ctx).Error().Err(err).Str("domain", name).Msg("overlaps with local certs: skipped")
 			continue
 		}
--- a/config/trace.go
+++ b/config/trace.go
@ -90,7 +90,7 @@ func (mgr *TraceManager) OnConfigChange(ctx context.Context, cfg *Config) {
 	traceOpts, err := NewTracingOptions(cfg.Options)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("trace: failed to build tracing options")
+		log.Ctx(ctx).Error().Err(err).Msg("trace: failed to build tracing options")
 		return
 	}
@ -113,13 +113,13 @@ func (mgr *TraceManager) OnConfigChange(ctx context.Context, cfg *Config) {
 	mgr.provider, err = trace.GetProvider(traceOpts)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("trace: failed to register exporter")
+		log.Ctx(ctx).Error().Err(err).Msg("trace: failed to register exporter")
 		return
 	}
 	err = mgr.provider.Register(traceOpts)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("trace: failed to register exporter")
+		log.Ctx(ctx).Error().Err(err).Msg("trace: failed to register exporter")
 		return
 	}
 }
--- a/databroker/cache.go
+++ b/databroker/cache.go
@ -118,7 +118,7 @@ func New(cfg *config.Config, eventsMgr *events.Manager) (*DataBroker, error) {
 func (c *DataBroker) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	err := c.update(ctx, cfg)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("databroker: error updating configuration")
+		log.Ctx(ctx).Error().Err(err).Msg("databroker: error updating configuration")
 	}
 	c.dataBrokerServer.OnConfigChange(ctx, cfg)
@ -174,7 +174,7 @@ func (c *DataBroker) update(ctx context.Context, cfg *config.Config) error {
 	if cfg.Options.SupportsUserRefresh() {
 		authenticator, err := identity.NewAuthenticator(oauthOptions)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("databroker: failed to create authenticator")
+			log.Ctx(ctx).Error().Err(err).Msg("databroker: failed to create authenticator")
 		} else {
 			options = append(options, manager.WithAuthenticator(authenticator))
 			legacyOptions = append(legacyOptions, legacymanager.WithAuthenticator(authenticator))
--- a/databroker/databroker.go
+++ b/databroker/databroker.go
@ -42,7 +42,7 @@ func newDataBrokerServer(cfg *config.Config) (*dataBrokerServer, error) {
 func (srv *dataBrokerServer) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	opts, err := srv.getOptions(cfg)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("databroker: error updating config changes")
+		log.Ctx(ctx).Error().Err(err).Msg("databroker: error updating config changes")
 		return
 	}
--- a/internal/authenticateflow/stateless.go
+++ b/internal/authenticateflow/stateless.go
@ -232,7 +232,7 @@ func (s *Stateless) PersistSession(
 	}
 	err = storeIdentityProfile(w, s.options.NewCookie(), s.cookieCipher, profile)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("failed to store identity profile")
+		log.Ctx(ctx).Error().Err(err).Msg("failed to store identity profile")
 	}
 	return nil
 }
@ -293,7 +293,7 @@ func (s *Stateless) logAuthenticateEvent(r *http.Request, profile *identitypb.Pr
 	ctx := r.Context()
 	pub, params, err := hpke.DecryptURLValues(s.hpkePrivateKey, r.Form)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("log authenticate event: failed to decrypt request params")
+		log.Ctx(ctx).Error().Err(err).Msg("log authenticate event: failed to decrypt request params")
 	}
 	evt := events.AuthEvent{
--- a/internal/autocert/manager.go
+++ b/internal/autocert/manager.go
@ -113,7 +113,7 @@ func newManager(ctx context.Context,
 	mgr.src.OnConfigChange(ctx, func(ctx context.Context, cfg *config.Config) {
 		err := mgr.update(ctx, cfg)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("autocert: error updating config")
+			log.Ctx(ctx).Error().Err(err).Msg("autocert: error updating config")
 			return
 		}
@ -131,7 +131,7 @@ func newManager(ctx context.Context,
 			case <-ticker.C:
 				err := mgr.renewConfigCerts(ctx)
 				if err != nil {
-					log.Error(ctx).Err(err).Msg("autocert: error updating config")
+					log.Ctx(ctx).Error().Err(err).Msg("autocert: error updating config")
 					return
 				}
 			}
@ -255,7 +255,7 @@ func (mgr *Manager) obtainCert(ctx context.Context, domain string, cm *certmagic
 		log.Info(ctx).Str("domain", domain).Msg("obtaining certificate")
 		err = cm.ObtainCertSync(ctx, domain)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("autocert failed to obtain client certificate")
+			log.Ctx(ctx).Error().Err(err).Msg("autocert failed to obtain client certificate")
 			return certmagic.Certificate{}, errObtainCertFailed
 		}
 		metrics.RecordAutocertRenewal()
@ -275,7 +275,7 @@ func (mgr *Manager) renewCert(ctx context.Context, domain string, cert certmagic
 		if expired {
 			return certmagic.Certificate{}, errRenewCertFailed
 		}
-		log.Error(ctx).Err(err).Msg("renew client certificated failed, use existing cert")
+		log.Ctx(ctx).Error().Err(err).Msg("renew client certificated failed, use existing cert")
 	}
 	return cm.CacheManagedCertificate(ctx, domain)
 }
@ -297,7 +297,7 @@ func (mgr *Manager) updateAutocert(ctx context.Context, cfg *config.Config) erro
 			cert, err = mgr.renewCert(ctx, domain, cert, cm)
 		}
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("autocert: failed to obtain client certificate")
+			log.Ctx(ctx).Error().Err(err).Msg("autocert: failed to obtain client certificate")
 			continue
 		}
@ -340,7 +340,7 @@ func (mgr *Manager) updateServer(ctx context.Context, cfg *config.Config) {
 		log.Info(ctx).Str("addr", hsrv.Addr).Msg("starting http redirect server")
 		err := hsrv.ListenAndServe()
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("failed to run http redirect server")
+			log.Ctx(ctx).Error().Err(err).Msg("failed to run http redirect server")
 		}
 	}()
 	mgr.srv = hsrv
@ -369,7 +369,7 @@ func (mgr *Manager) updateACMETLSALPNServer(ctx context.Context, cfg *config.Con
 	addr := net.JoinHostPort("127.0.0.1", cfg.ACMETLSALPNPort)
 	ln, err := net.Listen("tcp", addr)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("failed to run acme tls alpn server")
+		log.Ctx(ctx).Error().Err(err).Msg("failed to run acme tls alpn server")
 		return
 	}
 	mgr.acmeTLSALPNListener = ln
--- a/internal/controlplane/events.go
+++ b/internal/controlplane/events.go
@ -98,10 +98,10 @@ func withGRPCBackoff(ctx context.Context, f func() error) {
 		case status.Code(err) == codes.Unavailable,
 			status.Code(err) == codes.ResourceExhausted,
 			status.Code(err) == codes.DeadlineExceeded:
-			log.Error(ctx).Err(err).Msg("controlplane: error storing configuration event, retrying")
+			log.Ctx(ctx).Error().Err(err).Msg("controlplane: error storing configuration event, retrying")
 			// retry
 		default:
-			log.Error(ctx).Err(err).Msg("controlplane: error storing configuration event")
+			log.Ctx(ctx).Error().Err(err).Msg("controlplane: error storing configuration event")
 			return
 		}
--- a/internal/controlplane/grpc_accesslog.go
+++ b/internal/controlplane/grpc_accesslog.go
@ -21,7 +21,7 @@ func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v3.AccessLogS
 	for {
 		msg, err := stream.Recv()
 		if err != nil {
-			log.Error(stream.Context()).Err(err).Msg("access log stream error, disconnecting")
+			log.Ctx(stream.Context()).Error().Err(err).Msg("access log stream error, disconnecting")
 			return err
 		}
--- a/internal/controlplane/server.go
+++ b/internal/controlplane/server.go
@ -215,7 +215,7 @@ func (srv *Server) Run(ctx context.Context) error {
 			case cfg := <-srv.updateConfig:
 				err := srv.update(ctx, cfg)
 				if err != nil {
-					log.Error(ctx).Err(err).
+					log.Ctx(ctx).Error().Err(err).
 						Msg("controlplane: error updating server with new config")
 				}
 			}
--- a/internal/databroker/config.go
+++ b/internal/databroker/config.go
@ -1,7 +1,6 @@
 package databroker
 import (
 	"context"
 	"crypto/tls"
 	"time"
@ -76,7 +75,7 @@ func WithGetSharedKey(getSharedKey func() ([]byte, error)) ServerOption {
 	return func(cfg *serverConfig) {
 		sharedKey, err := getSharedKey()
 		if err != nil {
-			log.Error(context.TODO()).Err(err).Msgf("shared key is required and must be %d bytes long", cryptutil.DefaultKeySize)
+			log.Error().Err(err).Msgf("shared key is required and must be %d bytes long", cryptutil.DefaultKeySize)
 			return
 		}
 		cfg.secret = sharedKey
--- a/internal/databroker/config_source.go
+++ b/internal/databroker/config_source.go
@ -102,7 +102,7 @@ func (src *ConfigSource) rebuild(ctx context.Context, firstTime firstTime) {
 	err := src.buildNewConfigLocked(ctx, cfg)
 	if err != nil {
 		health.ReportError(health.BuildDatabrokerConfig, err)
-		log.Error(ctx).Err(err).Msg("databroker: failed to build new config")
+		log.Ctx(ctx).Error().Err(err).Msg("databroker: failed to build new config")
 		return
 	}
 	health.ReportOK(health.BuildDatabrokerConfig)
@ -147,7 +147,7 @@ func (src *ConfigSource) buildNewConfigLocked(ctx context.Context, cfg *config.C
 		policies, errs = errgrouputil.Build(ctx, policyBuilders...)
 		if len(errs) > 0 {
 			for _, err := range errs {
-				log.Error(ctx).Msg(err.Error())
+				log.Ctx(ctx).Error().Msg(err.Error())
 			}
 			return fmt.Errorf("error building policies")
 		}
@ -262,7 +262,7 @@ func (src *ConfigSource) runUpdater(cfg *config.Config) {
 	cc, err := src.outboundGRPCConnection.Get(ctx, connectionOptions)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("databroker: failed to create gRPC connection to data broker")
+		log.Ctx(ctx).Error().Err(err).Msg("databroker: failed to create gRPC connection to data broker")
 		return
 	}
@ -312,7 +312,7 @@ func (s *syncerHandler) UpdateRecords(ctx context.Context, _ uint64, records []*
 		var cfgpb configpb.Config
 		err := record.GetData().UnmarshalTo(&cfgpb)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("databroker: error decoding config")
+			log.Ctx(ctx).Error().Err(err).Msg("databroker: error decoding config")
 			delete(s.src.dbConfigs, record.GetId())
 			continue
 		}
--- a/internal/databroker/server.go
+++ b/internal/databroker/server.go
@ -57,7 +57,7 @@ func (srv *Server) UpdateConfig(options ...ServerOption) {
 	if srv.backend != nil {
 		err := srv.backend.Close()
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("databroker: error closing backend")
+			log.Ctx(ctx).Error().Err(err).Msg("databroker: error closing backend")
 		}
 		srv.backend = nil
 	}
@ -65,7 +65,7 @@ func (srv *Server) UpdateConfig(options ...ServerOption) {
 	if srv.registry != nil {
 		err := srv.registry.Close()
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("databroker: error closing registry")
+			log.Ctx(ctx).Error().Err(err).Msg("databroker: error closing registry")
 		}
 		srv.registry = nil
 	}
--- a/internal/events/manager.go
+++ b/internal/events/manager.go
@ -1,7 +1,6 @@
 package events
 import (
 	"context"
 	"sync"
 	"github.com/google/uuid"
@ -29,7 +28,7 @@ func (mgr *Manager) Dispatch(evt Event) {
 	mgr.mu.RUnlock()
 	if dropped {
-		log.Error(context.Background()).
+		log.Error().
 			Interface("event", evt).
 			Msg("controlplane: dropping event due to full channel")
 	}
--- a/internal/fileutil/watcher.go
+++ b/internal/fileutil/watcher.go
@ -56,7 +56,7 @@ func (watcher *Watcher) Watch(ctx context.Context, filePaths []string) {
 		if watcher.pollingWatcher != nil {
 			err := watcher.pollingWatcher.Add(filePath)
 			if err != nil {
-				log.Error(ctx).Err(err).Str("file", filePath).Msg("fileutil/watcher: failed to add file to polling-based file watcher")
+				log.Ctx(ctx).Error().Err(err).Str("file", filePath).Msg("fileutil/watcher: failed to add file to polling-based file watcher")
 			}
 		}
 	}
@ -67,7 +67,7 @@ func (watcher *Watcher) Watch(ctx context.Context, filePaths []string) {
 		if watcher.pollingWatcher != nil {
 			err := watcher.pollingWatcher.Remove(filePath)
 			if err != nil {
-				log.Error(ctx).Err(err).Str("file", filePath).Msg("fileutil/watcher: failed to remove file from polling-based file watcher")
+				log.Ctx(ctx).Error().Err(err).Str("file", filePath).Msg("fileutil/watcher: failed to remove file from polling-based file watcher")
 			}
 		}
 	}
@ -88,7 +88,7 @@ func (watcher *Watcher) initLocked(ctx context.Context) {
 	// log errors
 	go func() {
 		for err := range errors {
-			log.Error(ctx).Err(err).Msg("fileutil/watcher: file notification error")
+			log.Ctx(ctx).Error().Err(err).Msg("fileutil/watcher: file notification error")
 		}
 	}()
--- a/internal/httputil/errors.go
+++ b/internal/httputil/errors.go
@ -74,7 +74,7 @@ func (e *HTTPError) ErrorResponse(ctx context.Context, w http.ResponseWriter, r
 	w.Header().Set(HeaderPomeriumResponse, "true")
 	if e.Status >= 400 {
-		log.Error(ctx).
+		log.Ctx(ctx).Error().
 			Err(e.Err).
 			Int("status", e.Status).
 			Str("status-text", StatusText(e.Status)).
--- a/internal/httputil/reproxy/reproxy.go
+++ b/internal/httputil/reproxy/reproxy.go
@ -137,7 +137,7 @@ func (h *Handler) Update(ctx context.Context, cfg *config.Config) {
 	for p := range cfg.Options.GetAllPolicies() {
 		id, err := p.RouteID()
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("reproxy: error getting route id")
+			log.Ctx(ctx).Error().Err(err).Msg("reproxy: error getting route id")
 			continue
 		}
 		h.policies[id] = p
--- a/internal/httputil/server.go
+++ b/internal/httputil/server.go
@ -99,6 +99,6 @@ func Shutdown(srv *http.Server) {
 	defer cancel()
 	log.Info(context.TODO()).Str("signal", rec.String()).Msg("internal/httputil: shutting down servers")
 	if err := srv.Shutdown(ctx); err != nil {
-		log.Error(context.TODO()).Err(err).Msg("internal/httputil: shutdown failed")
+		log.Error().Err(err).Msg("internal/httputil: shutdown failed")
 	}
 }
--- a/internal/log/log.go
+++ b/internal/log/log.go
@ -113,8 +113,8 @@ func Warn(ctx context.Context) *zerolog.Event {
 // Error starts a new message with error level.
 //
 // You must call Msg on the returned event in order to send the event.
-func Error(ctx context.Context) *zerolog.Event {
+func Error() *zerolog.Event {
-	return contextLogger(ctx).Error()
+	return log.Error()
 }
 func contextLogger(ctx context.Context) *zerolog.Logger {
--- a/internal/log/log_test.go
+++ b/internal/log/log_test.go
@ -88,7 +88,7 @@ func ExampleInfo() {
 // Example of a log at a particular "level" (in this case, "error")
 func ExampleError() {
 	captureOutput(func() {
-		log.Error(context.Background()).Msg("hello world")
+		log.Error().Msg("hello world")
 	})
 	// Output: {"level":"error","time":"2008-01-08T17:05:05Z","message":"hello world"}
 }
@ -146,7 +146,7 @@ func ExampleSetLevel() {
 		log.Debug(context.Background()).Msg("Debug")
 		log.Info(context.Background()).Msg("Debug or Info")
 		log.Warn(context.Background()).Msg("Debug or Info or Warn")
-		log.Error(context.Background()).Msg("Debug or Info or Warn or Error")
+		log.Error().Msg("Debug or Info or Warn or Error")
 		log.SetLevel(zerolog.DebugLevel)
 		log.Debug(context.Background()).Msg("Debug")
 	})
@ -167,9 +167,9 @@ func ExampleContext() {
 			return c.Str("param_two", "two")
 		})
-		log.Error(bg).Str("non_context_param", "value").Msg("background")
+		log.Ctx(bg).Error().Str("non_context_param", "value").Msg("background")
-		log.Error(ctx1).Str("non_context_param", "value").Msg("first")
+		log.Ctx(ctx1).Error().Str("non_context_param", "value").Msg("first")
-		log.Error(ctx2).Str("non_context_param", "value").Msg("second")
+		log.Ctx(ctx2).Error().Str("non_context_param", "value").Msg("second")
 		for i := 0; i < 10; i++ {
 			ctx1 = log.WithContext(ctx1, func(c zerolog.Context) zerolog.Context {
--- a/internal/middleware/recovery.go
+++ b/internal/middleware/recovery.go
@ -11,7 +11,7 @@ func Recovery(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		defer func() {
 			if err := recover(); err != nil {
-				log.Error(r.Context()).Interface("error", err).Msg("middleware: panic while serving http")
+				log.Ctx(r.Context()).Error().Interface("error", err).Msg("middleware: panic while serving http")
 			}
 		}()
 		next.ServeHTTP(w, r)
--- a/internal/registry/reporter.go
+++ b/internal/registry/reporter.go
@ -38,12 +38,12 @@ func (r *Reporter) OnConfigChange(ctx context.Context, cfg *config.Config) {
 	services, err := getReportedServices(cfg)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("metrics announce to service registry is disabled")
+		log.Ctx(ctx).Error().Err(err).Msg("metrics announce to service registry is disabled")
 	}
 	sharedKey, err := cfg.Options.GetSharedKey()
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("decoding shared key")
+		log.Ctx(ctx).Error().Err(err).Msg("decoding shared key")
 		return
 	}
@ -54,7 +54,7 @@ func (r *Reporter) OnConfigChange(ctx context.Context, cfg *config.Config) {
 		SignedJWTKey:   sharedKey,
 	})
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("connecting to registry")
+		log.Ctx(ctx).Error().Err(err).Msg("connecting to registry")
 		return
 	}
--- a/internal/retry/backoff.go
+++ b/internal/retry/backoff.go
@ -32,7 +32,7 @@ func WithBackoff(ctx context.Context, name string, fn func(context.Context) erro
 		},
 		backoff.WithContext(b, ctx),
 		func(err error, next time.Duration) {
-			log.Error(ctx).Err(err).Str("service-name", name).Dur("next", next).Msg("retrying")
+			log.Ctx(ctx).Error().Err(err).Str("service-name", name).Dur("next", next).Msg("retrying")
 		},
 	)
 }
--- a/internal/telemetry/metrics/envoy.go
+++ b/internal/telemetry/metrics/envoy.go
@ -75,7 +75,7 @@ func RecordEnvoyOverloadActionState(ctx context.Context, tags EnvoyOverloadActio
 		EnvoyOverloadActionState.M(state),
 	)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("internal/telemetry/metrics: failed to record")
+		log.Ctx(ctx).Error().Err(err).Msg("internal/telemetry/metrics: failed to record")
 	}
 }
@ -87,7 +87,7 @@ func RecordEnvoyOverloadActionThreshold(ctx context.Context, actionName string,
 		EnvoyOverloadActionThreshold.M(threshold),
 	)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("internal/telemetry/metrics: failed to record")
+		log.Ctx(ctx).Error().Err(err).Msg("internal/telemetry/metrics: failed to record")
 	}
 }
@ -99,6 +99,6 @@ func RecordEnvoyCgroupMemorySaturation(ctx context.Context, cgroup string, perce
 		EnvoyCgroupMemorySaturation.M(percent),
 	)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("internal/telemetry/metrics: failed to record")
+		log.Ctx(ctx).Error().Err(err).Msg("internal/telemetry/metrics: failed to record")
 	}
 }
--- a/internal/telemetry/metrics/grpc.go
+++ b/internal/telemetry/metrics/grpc.go
@ -143,7 +143,7 @@ func GRPCClientInterceptor(service string) grpc.UnaryClientInterceptor {
 			tag.Upsert(TagKeyGRPCService, rpcService),
 		)
 		if tagErr != nil {
-			log.Error(ctx).Err(tagErr).Str("context", "GRPCClientInterceptor").Msg("telemetry/metrics: failed to create context")
+			log.Ctx(ctx).Error().Err(tagErr).Str("context", "GRPCClientInterceptor").Msg("telemetry/metrics: failed to create context")
 			return invoker(ctx, method, req, reply, cc, opts...)
 		}
@ -182,7 +182,7 @@ func (h *GRPCServerMetricsHandler) TagRPC(ctx context.Context, tagInfo *grpcstat
 		tag.Upsert(TagKeyGRPCService, rpcService),
 	)
 	if tagErr != nil {
-		log.Error(ctx).Err(tagErr).Str("context", "GRPCServerStatsHandler").Msg("telemetry/metrics: failed to create context")
+		log.Ctx(ctx).Error().Err(tagErr).Str("context", "GRPCServerStatsHandler").Msg("telemetry/metrics: failed to create context")
 		return ctx
 	}
--- a/internal/telemetry/metrics/http.go
+++ b/internal/telemetry/metrics/http.go
@ -120,7 +120,7 @@ func HTTPMetricsHandler(_ func() string, service string) func(next http.Handler)
 				tag.Upsert(TagKeyHTTPMethod, r.Method),
 			)
 			if tagErr != nil {
-				log.Error(ctx).Err(tagErr).Str("context", "HTTPMetricsHandler").Msg("telemetry/metrics: failed to create metrics tag")
+				log.Ctx(ctx).Error().Err(tagErr).Str("context", "HTTPMetricsHandler").Msg("telemetry/metrics: failed to create metrics tag")
 				next.ServeHTTP(w, r)
 				return
 			}
@ -147,7 +147,7 @@ func HTTPMetricsRoundTripper(_ func() string, service string) func(next http.Rou
 				tag.Upsert(TagKeyHTTPMethod, r.Method),
 			)
 			if tagErr != nil {
-				log.Error(ctx).Err(tagErr).Str("context", "HTTPMetricsRoundTripper").Msg("telemetry/metrics: failed to create metrics tag")
+				log.Ctx(ctx).Error().Err(tagErr).Str("context", "HTTPMetricsRoundTripper").Msg("telemetry/metrics: failed to create metrics tag")
 				return next.RoundTrip(r)
 			}
--- a/internal/telemetry/metrics/info.go
+++ b/internal/telemetry/metrics/info.go
@ -328,7 +328,7 @@ func SetDBConfigInfo(ctx context.Context, service, configID string, version uint
 		},
 		configDBVersion.M(int64(version)),
 	); err != nil {
-		log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to record config version number")
+		log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to record config version number")
 	}
 	if err := stats.RecordWithTags(
@ -339,13 +339,13 @@ func SetDBConfigInfo(ctx context.Context, service, configID string, version uint
 		},
 		configDBErrors.M(errCount),
 	); err != nil {
-		log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to record config error count")
+		log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to record config error count")
 	}
 }
 // SetDBConfigRejected records that a certain databroker config version has been rejected
 func SetDBConfigRejected(ctx context.Context, service, configID string, version uint64, err error) {
-	log.Error(ctx).Err(err).Msg("databroker: invalid config detected, ignoring")
+	log.Ctx(ctx).Error().Err(err).Msg("databroker: invalid config detected, ignoring")
 	SetDBConfigInfo(ctx, service, configID, version, -1)
 }
@ -361,7 +361,7 @@ func SetConfigInfo(ctx context.Context, service, configName string, checksum uin
 			[]tag.Mutator{serviceTag},
 			configLastReload.M(time.Now().Unix()),
 		); err != nil {
-			log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to record config checksum timestamp")
+			log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to record config checksum timestamp")
 		}
 		if err := stats.RecordWithTags(
@ -369,7 +369,7 @@ func SetConfigInfo(ctx context.Context, service, configName string, checksum uin
 			[]tag.Mutator{serviceTag},
 			configLastReloadSuccess.M(1),
 		); err != nil {
-			log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to record config reload")
+			log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to record config reload")
 		}
 	} else {
 		stats.Record(context.Background(), configLastReloadSuccess.M(0))
--- a/internal/telemetry/metrics/providers.go
+++ b/internal/telemetry/metrics/providers.go
@ -106,7 +106,7 @@ func newProxyMetricsHandler(exporter *ocprom.Exporter, endpoints []ScrapeEndpoin
 			scrapeEndpoints(endpoints, labels),
 			ocExport("pomerium", exporter, r, labels)),
 		); err != nil {
-			log.Error(ctx).Err(err).Msg("responding to metrics request")
+			log.Ctx(ctx).Error().Err(err).Msg("responding to metrics request")
 		}
 	}
 }
--- a/internal/telemetry/metrics/registry.go
+++ b/internal/telemetry/metrics/registry.go
@ -52,7 +52,7 @@ func (r *metricRegistry) init() {
 				),
 			)
 			if err != nil {
-				log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to register build info metric")
+				log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to register build info metric")
 			}
 			r.configChecksum, err = r.registry.AddFloat64Gauge(metrics.ConfigChecksumDecimal,
@ -60,7 +60,7 @@ func (r *metricRegistry) init() {
 				metric.WithLabelKeys(metrics.ServiceLabel, metrics.ConfigLabel),
 			)
 			if err != nil {
-				log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to register config checksum metric")
+				log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to register config checksum metric")
 			}
 			r.policyCount, err = r.registry.AddInt64DerivedGauge(metrics.PolicyCountTotal,
@ -68,12 +68,12 @@ func (r *metricRegistry) init() {
 				metric.WithLabelKeys(metrics.ServiceLabel),
 			)
 			if err != nil {
-				log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to register policy count metric")
+				log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to register policy count metric")
 			}
 			err = registerAutocertMetrics(r.registry)
 			if err != nil {
-				log.Error(ctx).Err(err).Msg("telemetry/metrics: failed to register autocert metrics")
+				log.Ctx(ctx).Error().Err(err).Msg("telemetry/metrics: failed to register autocert metrics")
 			}
 		})
 }
@ -93,7 +93,7 @@ func (r *metricRegistry) setBuildInfo(service, hostname, envoyVersion string) {
 		metricdata.NewLabelValue(hostname),
 	)
 	if err != nil {
-		log.Error(context.TODO()).Err(err).Msg("telemetry/metrics: failed to get build info metric")
+		log.Error().Err(err).Msg("telemetry/metrics: failed to get build info metric")
 	}
 	// This sets our build_info metric to a constant 1 per
@ -107,7 +107,7 @@ func (r *metricRegistry) addPolicyCountCallback(service string, f func() int64)
 	}
 	err := r.policyCount.UpsertEntry(f, metricdata.NewLabelValue(service))
 	if err != nil {
-		log.Error(context.TODO()).Err(err).Msg("telemetry/metrics: failed to get policy count metric")
+		log.Error().Err(err).Msg("telemetry/metrics: failed to get policy count metric")
 	}
 }
@ -117,7 +117,7 @@ func (r *metricRegistry) setConfigChecksum(service string, configName string, ch
 	}
 	m, err := r.configChecksum.GetEntry(metricdata.NewLabelValue(service), metricdata.NewLabelValue(configName))
 	if err != nil {
-		log.Error(context.TODO()).Err(err).Msg("telemetry/metrics: failed to get config checksum metric")
+		log.Error().Err(err).Msg("telemetry/metrics: failed to get config checksum metric")
 	}
 	m.Set(float64(checksum))
 }
--- a/internal/telemetry/metrics/storage.go
+++ b/internal/telemetry/metrics/storage.go
@ -57,6 +57,6 @@ func RecordStorageOperation(ctx context.Context, tags *StorageOperationTags, dur
 		storageOperationDuration.M(duration.Milliseconds()),
 	)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("internal/telemetry/metrics: failed to record")
+		log.Ctx(ctx).Error().Err(err).Msg("internal/telemetry/metrics: failed to record")
 	}
 }
--- a/internal/tests/xdserr/cmd/main.go
+++ b/internal/tests/xdserr/cmd/main.go
@ -54,14 +54,14 @@ func main() {
 	toURL, err := url.Parse(*to)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg(*to)
+		log.Ctx(ctx).Error().Err(err).Msg(*to)
 		return
 	}
 	eg, ctx := errgroup.WithContext(ctx)
 	conn, err := grpcConn(ctx, *addr, *key)
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("databroker grpc conn")
+		log.Ctx(ctx).Error().Err(err).Msg("databroker grpc conn")
 		return
 	}
 	defer conn.Close()
@ -69,7 +69,7 @@ func main() {
 	if *to == "" {
 		*to, err = xdserr.RunEcho(ctx)
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("echo server")
+			log.Ctx(ctx).Error().Err(err).Msg("echo server")
 			return
 		}
 	}
@ -84,7 +84,7 @@ func main() {
 		})
 	})
 	if err := eg.Wait(); err != nil {
-		log.Error(ctx).Err(err).Msg("altering config")
+		log.Ctx(ctx).Error().Err(err).Msg("altering config")
 	}
 }
--- a/internal/tests/xdserr/config.go
+++ b/internal/tests/xdserr/config.go
@ -52,7 +52,7 @@ func DumpConfig(ctx context.Context, adminURL string) (*adminv3.RoutesConfigDump
 	for i, data := range cfg.Configs {
 		a := new(anypb.Any)
 		if err = opts.Unmarshal(data, a); err != nil {
-			log.Error(ctx).Err(err).Int("config", i).
+			log.Ctx(ctx).Error().Err(err).Int("config", i).
 				// RawJSON("data", data).
 				Msg("decode")
 		} else {
--- a/internal/testutil/postgres.go
+++ b/internal/testutil/postgres.go
@ -35,7 +35,7 @@ func WithTestPostgres(handler func(dsn string) error) error {
 	if err := pool.Retry(func() error {
 		conn, err := pgx.Connect(ctx, dsn)
 		if err != nil {
-			log.Error(ctx).Err(err).Send()
+			log.Ctx(ctx).Error().Err(err).Send()
 			return err
 		}
 		_ = conn.Close(ctx)
--- a/internal/zero/telemetry/metrics_producer.go
+++ b/internal/zero/telemetry/metrics_producer.go
@ -35,7 +35,7 @@ func (p *metricsProducer[P]) Produce(ctx context.Context) ([]metricdata.ScopeMet
 	data, err := p.producer.Produce(ctx)
 	if err != nil {
 		// we do not return the error here, as we do not want to block the export of other metrics
-		log.Error(ctx).Err(err).Str("producer", p.name).Msg("failed to produce metrics")
+		log.Ctx(ctx).Error().Err(err).Str("producer", p.name).Msg("failed to produce metrics")
 		return nil, nil
 	}
 	return data, nil
--- a/internal/zero/telemetry/telemetry.go
+++ b/internal/zero/telemetry/telemetry.go
@ -95,7 +95,7 @@ func (srv *Telemetry) handleRequests(ctx context.Context) error {
 				select {
 				case requests <- req:
 				default:
-					log.Error(ctx).Msg("dropping telemetry request")
+					log.Ctx(ctx).Error().Msg("dropping telemetry request")
 				}
 			}))
 	})
--- a/pkg/cmd/pomerium/pomerium.go
+++ b/pkg/cmd/pomerium/pomerium.go
@ -78,7 +78,7 @@ func Run(ctx context.Context, src config.Source) error {
 	src.OnConfigChange(ctx,
 		func(ctx context.Context, cfg *config.Config) {
 			if err := controlPlane.OnConfigChange(ctx, cfg); err != nil {
-				log.Error(ctx).Err(err).Msg("config change")
+				log.Ctx(ctx).Error().Err(err).Msg("config change")
 			}
 		})
--- a/pkg/cryptutil/tls.go
+++ b/pkg/cryptutil/tls.go
@ -18,7 +18,7 @@ func GetCertPool(ca, caFile string) (*x509.CertPool, error) {
 	ctx := context.TODO()
 	rootCAs, err := x509.SystemCertPool()
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("pkg/cryptutil: failed getting system cert pool making new one")
+		log.Ctx(ctx).Error().Err(err).Msg("pkg/cryptutil: failed getting system cert pool making new one")
 		rootCAs = x509.NewCertPool()
 	}
 	if ca == "" && caFile == "" {
--- a/pkg/envoy/envoy.go
+++ b/pkg/envoy/envoy.go
@ -82,7 +82,7 @@ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Buil
 	if rm, err := NewSharedResourceMonitor(ctx, src, srv.wd); err == nil {
 		srv.resourceMonitor = rm
 	} else {
-		log.Error(ctx).Err(err).Str("service", "envoy").Msg("not starting resource monitor")
+		log.Ctx(ctx).Error().Err(err).Str("service", "envoy").Msg("not starting resource monitor")
 	}
 	src.OnConfigChange(ctx, srv.onConfigChange)
@ -107,7 +107,7 @@ func (srv *Server) Close() error {
 	if srv.cmd != nil && srv.cmd.Process != nil {
 		err = srv.cmd.Process.Kill()
 		if err != nil {
-			log.Error(context.TODO()).Err(err).Str("service", "envoy").Msg("envoy: failed to kill process on close")
+			log.Error().Err(err).Str("service", "envoy").Msg("envoy: failed to kill process on close")
 		}
 		srv.cmd = nil
 	}
@ -136,7 +136,7 @@ func (srv *Server) update(ctx context.Context, cfg *config.Config) {
 	log.Debug(ctx).Msg("envoy: starting envoy process")
 	if err := srv.run(ctx, cfg); err != nil {
-		log.Error(ctx).Err(err).Str("service", "envoy").Msg("envoy: failed to run envoy process")
+		log.Ctx(ctx).Error().Err(err).Str("service", "envoy").Msg("envoy: failed to run envoy process")
 		return
 	}
 }
@ -146,7 +146,7 @@ func (srv *Server) run(ctx context.Context, cfg *config.Config) error {
 	srv.monitorProcessCancel()
 	if err := srv.writeConfig(ctx, cfg); err != nil {
-		log.Error(ctx).Err(err).Str("service", "envoy").Msg("envoy: failed to write envoy config")
+		log.Ctx(ctx).Error().Err(err).Str("service", "envoy").Msg("envoy: failed to write envoy config")
 		return err
 	}
@ -196,7 +196,7 @@ func (srv *Server) run(ctx context.Context, cfg *config.Config) error {
 				if errors.Is(err, context.Canceled) {
 					log.Debug(ctx).Err(err).Str("service", "envoy").Msg("resource monitor stopped")
 				} else {
-					log.Error(ctx).Err(err).Str("service", "envoy").Msg("resource monitor exited with error")
+					log.Ctx(ctx).Error().Err(err).Str("service", "envoy").Msg("resource monitor exited with error")
 				}
 			}
 		}()
@ -261,7 +261,7 @@ func (srv *Server) handleLogs(ctx context.Context, rc io.ReadCloser) {
 			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
 				break
 			}
-			log.Error(ctx).Err(err).Msg("failed to read log")
+			log.Ctx(ctx).Error().Err(err).Msg("failed to read log")
 			time.Sleep(bo.NextBackOff())
 			continue
 		}
--- a/pkg/envoy/envoy_linux.go
+++ b/pkg/envoy/envoy_linux.go
@ -32,7 +32,7 @@ var sysProcAttr = &syscall.SysProcAttr{
 func (srv *Server) runProcessCollector(ctx context.Context) {
 	pc := metrics.NewProcessCollector("envoy")
 	if err := view.Register(pc.Views()...); err != nil {
-		log.Error(ctx).Err(err).Msg("failed to register envoy process metric views")
+		log.Ctx(ctx).Error().Err(err).Msg("failed to register envoy process metric views")
 	}
 	defer view.Unregister(pc.Views()...)
@ -57,7 +57,7 @@ func (srv *Server) runProcessCollector(ctx context.Context) {
 		if pid > 0 {
 			err := pc.Measure(ctx, pid)
 			if err != nil {
-				log.Error(ctx).Err(err).Msg("failed to measure envoy process metrics")
+				log.Ctx(ctx).Error().Err(err).Msg("failed to measure envoy process metrics")
 			}
 		}
 	}
@ -69,7 +69,7 @@ func (srv *Server) prepareRunEnvoyCommand(ctx context.Context, sharedArgs []stri
 		log.Info(ctx).Msg("envoy: releasing envoy process for hot-reload")
 		err := srv.cmd.Process.Release()
 		if err != nil {
-			log.Error(ctx).Err(err).Str("service", "envoy").Msg("envoy: failed to release envoy process for hot-reload")
+			log.Ctx(ctx).Error().Err(err).Str("service", "envoy").Msg("envoy: failed to release envoy process for hot-reload")
 		}
 	}
--- a/pkg/envoy/resource_monitor_linux.go
+++ b/pkg/envoy/resource_monitor_linux.go
@ -329,7 +329,7 @@ LOOP:
 				if limit := limitWatcher.Value(); limit > 0 {
 					usage, err := s.driver.MemoryUsage(s.cgroup)
 					if err != nil {
-						log.Error(ctx).Err(err).Msg("failed to get memory saturation")
+						log.Ctx(ctx).Error().Err(err).Msg("failed to get memory saturation")
 						continue
 					}
 					saturation = max(0.0, min(1.0, float64(usage)/float64(limit)))
@ -342,7 +342,7 @@ LOOP:
 			if saturationStr != lastValue {
 				lastValue = saturationStr
 				if err := s.writeMetricFile(groupMemory, metricCgroupMemorySaturation, saturationStr, 0o644); err != nil {
-					log.Error(ctx).Err(err).Msg("failed to write metric file")
+					log.Ctx(ctx).Error().Err(err).Msg("failed to write metric file")
 				}
 				s.updateActionStates(ctx, saturation)
 				metrics.RecordEnvoyCgroupMemorySaturation(ctx, s.cgroup, saturation)
@ -726,7 +726,7 @@ func (w *memoryLimitWatcher) Watch(ctx context.Context) error {
 		for ctx.Err() == nil {
 			v, err := w.readValue()
 			if err != nil {
-				log.Error(ctx).Err(err).Msg("error reading memory limit")
+				log.Ctx(ctx).Error().Err(err).Msg("error reading memory limit")
 			} else if prev := w.value.Swap(v); prev != v {
 				log.Debug(ctx).
 					Uint64("prev", prev).
--- a/pkg/grpc/databroker/leaser.go
+++ b/pkg/grpc/databroker/leaser.go
@ -95,7 +95,7 @@ func (locker *Leaser) runOnce(ctx context.Context, resetBackoff func()) error {
 	if status.Code(err) == codes.AlreadyExists {
 		return nil
 	} else if err != nil {
-		log.Error(ctx).Err(err).Str("lease_name", locker.leaseName).Msg("leaser: error acquiring lease")
+		log.Ctx(ctx).Error().Err(err).Str("lease_name", locker.leaseName).Msg("leaser: error acquiring lease")
 		return retryableError{err}
 	}
 	resetBackoff()
@ -149,7 +149,7 @@ func (locker *Leaser) withLease(ctx context.Context, leaseID string) error {
 				// failed to renew lease
 				return nil
 			} else if err != nil {
-				log.Error(ctx).Err(err).Str("lease_name", locker.leaseName).Msg("leaser: error renewing lease")
+				log.Ctx(ctx).Error().Err(err).Str("lease_name", locker.leaseName).Msg("leaser: error renewing lease")
 				return retryableError{err}
 			}
 		}
--- a/pkg/grpc/databroker/syncer.go
+++ b/pkg/grpc/databroker/syncer.go
@ -117,7 +117,7 @@ func (syncer *Syncer) Run(ctx context.Context) error {
 		}
 		if err != nil {
-			log.Error(ctx).Err(err).Msg("sync")
+			log.Ctx(ctx).Error().Err(err).Msg("sync")
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
@ -162,7 +162,7 @@ func (syncer *Syncer) sync(ctx context.Context) error {
 	for {
 		res, err := stream.Recv()
 		if status.Code(err) == codes.Aborted {
-			log.Error(ctx).Err(err).Msg("aborted sync due to mismatched server version")
+			log.Ctx(ctx).Error().Err(err).Msg("aborted sync due to mismatched server version")
 			// server version changed, so re-init
 			syncer.serverVersion = 0
 			return nil
--- a/pkg/grpc/health.go
+++ b/pkg/grpc/health.go
@ -28,6 +28,6 @@ func (h *healthCheckSrv) Check(ctx context.Context, req *grpc_health.HealthCheck
 // Watch is not implemented as is not used by Envoy
 func (h *healthCheckSrv) Watch(req *grpc_health.HealthCheckRequest, _ grpc_health.Health_WatchServer) error {
-	log.Error(context.Background()).Str("service", req.Service).Msg("health check watch")
+	log.Error().Str("service", req.Service).Msg("health check watch")
 	return status.Errorf(codes.Unimplemented, "method Watch not implemented")
 }
--- a/pkg/identity/legacymanager/manager.go
+++ b/pkg/identity/legacymanager/manager.go
@ -264,13 +264,13 @@ func (mgr *Manager) refreshSessionInternal(
 	metrics.RecordIdentityManagerSessionRefresh(ctx, err)
 	mgr.recordLastError(metrics_ids.IdentityManagerLastSessionRefreshError, err)
 	if isTemporaryError(err) {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to refresh oauth2 token")
 		return true
 	} else if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to refresh oauth2 token, deleting session")
@ -283,13 +283,13 @@ func (mgr *Manager) refreshSessionInternal(
 	metrics.RecordIdentityManagerUserRefresh(ctx, err)
 	mgr.recordLastError(metrics_ids.IdentityManagerLastUserRefreshError, err)
 	if isTemporaryError(err) {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to update user info")
 		return true
 	} else if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to update user info, deleting session")
@ -299,12 +299,12 @@ func (mgr *Manager) refreshSessionInternal(
 	fm, err := fieldmaskpb.New(s.Session, "oauth_token", "id_token", "claims")
 	if err != nil {
-		log.Error(ctx).Err(err).Msg("internal error")
+		log.Ctx(ctx).Error().Err(err).Msg("internal error")
 		return false
 	}
 	if _, err := session.Patch(ctx, mgr.cfg.Load().dataBrokerClient, s.Session, fm); err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to update session")
@ -344,13 +344,13 @@ func (mgr *Manager) refreshUser(ctx context.Context, userID string) {
 		metrics.RecordIdentityManagerUserRefresh(ctx, err)
 		mgr.recordLastError(metrics_ids.IdentityManagerLastUserRefreshError, err)
 		if isTemporaryError(err) {
-			log.Error(ctx).Err(err).
+			log.Ctx(ctx).Error().Err(err).
 				Str("user_id", s.GetUserId()).
 				Str("session_id", s.GetId()).
 				Msg("failed to update user info")
 			return
 		} else if err != nil {
-			log.Error(ctx).Err(err).
+			log.Ctx(ctx).Error().Err(err).
 				Str("user_id", s.GetUserId()).
 				Str("session_id", s.GetId()).
 				Msg("failed to update user info, deleting session")
@ -360,7 +360,7 @@ func (mgr *Manager) refreshUser(ctx context.Context, userID string) {
 		res, err := databroker.Put(ctx, mgr.cfg.Load().dataBrokerClient, u.User)
 		if err != nil {
-			log.Error(ctx).Err(err).
+			log.Ctx(ctx).Error().Err(err).
 				Str("user_id", s.GetUserId()).
 				Str("session_id", s.GetId()).
 				Msg("failed to update user")
@ -378,7 +378,7 @@ func (mgr *Manager) onUpdateRecords(ctx context.Context, msg updateRecordsMessag
 			var pbSession session.Session
 			err := record.GetData().UnmarshalTo(&pbSession)
 			if err != nil {
-				log.Error(ctx).Msgf("error unmarshaling session: %s", err)
+				log.Ctx(ctx).Error().Msgf("error unmarshaling session: %s", err)
 				continue
 			}
 			mgr.onUpdateSession(record, &pbSession)
@ -386,7 +386,7 @@ func (mgr *Manager) onUpdateRecords(ctx context.Context, msg updateRecordsMessag
 			var pbUser user.User
 			err := record.GetData().UnmarshalTo(&pbUser)
 			if err != nil {
-				log.Error(ctx).Msgf("error unmarshaling user: %s", err)
+				log.Ctx(ctx).Error().Msgf("error unmarshaling user: %s", err)
 				continue
 			}
 			mgr.onUpdateUser(ctx, record, &pbUser)
@ -441,7 +441,7 @@ func (mgr *Manager) deleteSession(ctx context.Context, userID, sessionID string)
 	if status.Code(err) == codes.NotFound {
 		return
 	} else if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("session_id", sessionID).
 			Msg("failed to delete session")
 		return
@ -454,7 +454,7 @@ func (mgr *Manager) deleteSession(ctx context.Context, userID, sessionID string)
 		Records: []*databroker.Record{record},
 	})
 	if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("session_id", sessionID).
 			Msg("failed to delete session")
 		return
--- a/pkg/identity/manager/manager.go
+++ b/pkg/identity/manager/manager.go
@ -238,13 +238,13 @@ func (mgr *Manager) refreshSession(ctx context.Context, sessionID string) {
 	metrics.RecordIdentityManagerSessionRefresh(ctx, err)
 	mgr.recordLastError(metrics_ids.IdentityManagerLastSessionRefreshError, err)
 	if isTemporaryError(err) {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to refresh oauth2 token")
 		return
 	} else if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to refresh oauth2 token, deleting session")
@ -257,13 +257,13 @@ func (mgr *Manager) refreshSession(ctx context.Context, sessionID string) {
 	metrics.RecordIdentityManagerUserRefresh(ctx, err)
 	mgr.recordLastError(metrics_ids.IdentityManagerLastUserRefreshError, err)
 	if isTemporaryError(err) {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to update user info")
 		return
 	} else if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to update user info, deleting session")
@ -376,7 +376,7 @@ func (mgr *Manager) updateSession(ctx context.Context, s *session.Session) {
 	fm, err := fieldmaskpb.New(s, "oauth_token", "id_token", "claims")
 	if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to create fieldmask for session")
@ -385,7 +385,7 @@ func (mgr *Manager) updateSession(ctx context.Context, s *session.Session) {
 	_, err = session.Patch(ctx, mgr.cfg.Load().dataBrokerClient, s, fm)
 	if err != nil {
-		log.Error(ctx).Err(err).
+		log.Ctx(ctx).Error().Err(err).
 			Str("user_id", s.GetUserId()).
 			Str("session_id", s.GetId()).
 			Msg("failed to patch updated session record")
--- a/pkg/storage/postgres/backend.go
+++ b/pkg/storage/postgres/backend.go
@ -400,7 +400,7 @@ func (backend *Backend) doPeriodically(f func(ctx context.Context) error, dur ti
 			}
 		} else {
 			if !errors.Is(err, context.Canceled) {
-				log.Error(ctx).Err(err).Msg("storage/postgres")
+				log.Ctx(ctx).Error().Err(err).Msg("storage/postgres")
 			}
 			select {
 			case <-backend.closeCtx.Done():
--- a/pkg/storage/storage.go
+++ b/pkg/storage/storage.go
@ -57,7 +57,7 @@ func MatchAny(any *anypb.Any, query string) bool {
 	msg, err := any.UnmarshalNew()
 	if err != nil {
 		// ignore invalid any types
-		log.Error(context.TODO()).Err(err).Msg("storage: invalid any type")
+		log.Error().Err(err).Msg("storage: invalid any type")
 		return false
 	}
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -93,10 +93,10 @@ func (p *Proxy) OnConfigChange(_ context.Context, cfg *config.Config) {
 	p.currentOptions.Store(cfg.Options)
 	if err := p.setHandlers(cfg.Options); err != nil {
-		log.Error(context.TODO()).Err(err).Msg("proxy: failed to update proxy handlers from configuration settings")
+		log.Error().Err(err).Msg("proxy: failed to update proxy handlers from configuration settings")
 	}
 	if state, err := newProxyStateFromConfig(cfg); err != nil {
-		log.Error(context.TODO()).Err(err).Msg("proxy: failed to update proxy state from configuration settings")
+		log.Error().Err(err).Msg("proxy: failed to update proxy state from configuration settings")
 	} else {
 		p.state.Store(state)
 	}