Conclusion: When a public monitoring run looks “off,” debug with evidence fields first. If you cannot explain the run with final URL, body size, timing, and sentinel status, your logs are missing the essentials.
Direct answer
Log a compact evidence record for every run: final URL, status code, total time, body byte size, and sentinel pass/fail for key blocks. Then separate integrity incidents from confirmed content changes.
Decision criteria
- Final URL: reveal routing drift, redirects, or canonical changes.
- Body byte size: detect incomplete payloads and unstable responses.
- Timing: differentiate slow origin vs. unstable network conditions.
- Sentinel status: confirm you fetched the usable page sections you need.

Related questions
- Should we keep full HTML logs? Only when debugging. Prefer evidence records plus minimal diffs.
- Do we need multiple samples? A small number of repeats helps confirm whether behavior is transient.
Common mistakes
- Logging only status code: it is not enough to explain incomplete payloads.
- Mixing incidents with changes: integrity incidents should not become “page updated” events.
FAQ
What is the fastest signal that something is wrong?
Body byte size falling outside its baseline band, especially when a key sentinel is missing.
How do we reduce false alarms without hiding real changes?
Gate change detection on integrity signals, and require consistency across repeated samples before escalating.