Pulling logs from every service into a single searchable system: the foundation of investigation-time observability.
Log aggregation is the practice of forwarding logs from every service (and every replica of every service) to a central searchable system, typically Splunk, Loki, Elasticsearch / OpenSearch, or a managed equivalent. The central system indexes them by service, severity, time, and structured fields, so an investigator can ask cross-service questions ('show me every 5xx in /checkout in the last hour, broken down by upstream') without SSHing into each box. Modern log aggregation is paired with structured logging (JSON, not plain text) so the queries can filter on real fields.
Logs that live on the box that produced them are useless during an incident: the box may already have been terminated by autoscaling, and even if it hasn't, you can't correlate across replicas. Aggregated, structured logs are the substrate for almost every other observability technique: alerting, anomaly detection, distributed tracing, post-mortem reconstruction.
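The cross-service query quoted above, worked through as an added example (not code from this page or from any of the products named). An in-memory list stands in for the central index, and the log lines, field names (`ts`, `status`, `path`, `upstream`) and function names are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: per-replica log streams as they would sit on each box.
STREAMS = {
    ("web", "web-1"): [
        '{"ts":"2024-05-01T11:40:00Z","status":502,"path":"/checkout/pay","upstream":"payments"}',
        '{"ts":"2024-05-01T11:55:00Z","status":200,"path":"/checkout/cart","upstream":"cart"}',
        'May  1 11:56:02 web-1 GET /checkout/pay 503 upstream=payments',  # plain text, no fields
    ],
    ("web", "web-2"): [
        '{"ts":"2024-05-01T10:30:00Z","status":500,"path":"/checkout/pay","upstream":"payments"}',
        '{"ts":"2024-05-01T11:58:00Z","status":504,"path":"/checkout/pay","upstream":"inventory"}',
        '{"ts":"2024-05-01T11:59:00Z","status":503,"path":"/search","upstream":"catalog"}',
    ],
    ("api", "api-1"): [
        '{"ts":"2024-05-01T11:59:30Z","status":500,"path":"/checkout/pay","upstream":"payments"}',
    ],
}

def aggregate(streams):
    """Merge every replica's lines into one time-ordered index; set unparsable lines aside."""
    index, unparsed = [], []
    for (service, replica), lines in streams.items():
        for line in lines:
            try:
                rec = json.loads(line)
                rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            except (ValueError, KeyError, TypeError, AttributeError):
                unparsed.append((service, replica, line))  # cannot be filtered on fields
                continue
            rec.update(service=service, replica=replica)   # tag the origin at ingest time
            index.append(rec)
    return sorted(index, key=lambda r: r["ts"]), unparsed

def errors_by_upstream(index, path_prefix, now, window=timedelta(hours=1)):
    """Every 5xx under path_prefix within the window, broken down by upstream."""
    hits = (r for r in index
            if now - window <= r["ts"] <= now
            and 500 <= r.get("status", 0) <= 599
            and r.get("path", "").startswith(path_prefix))
    return dict(Counter(r.get("upstream", "unknown") for r in hits))

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    index, unparsed = aggregate(STREAMS)
    print(errors_by_upstream(index, "/checkout", now))
    print(len(unparsed), "line(s) could not be queried by field")
```

The plain-text line on `web-1` records a 503 from `payments` that never reaches the breakdown, which is the practical cost of unstructured logs in an aggregated system.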