diff --git a/core/cmd/dbg/BUILD.bazel b/core/cmd/dbg/BUILD.bazel
index 3ca06d0..563be82 100644
--- a/core/cmd/dbg/BUILD.bazel
+++ b/core/cmd/dbg/BUILD.bazel
@@ -6,6 +6,7 @@
     importpath = "git.monogon.dev/source/nexantic.git/core/cmd/dbg",
     visibility = ["//visibility:private"],
     deps = [
+        "//core/pkg/logtree:go_default_library",
         "//core/proto/api:go_default_library",
         "@com_github_spf13_pflag//:go_default_library",
         "@io_k8s_component_base//cli/flag:go_default_library",
diff --git a/core/cmd/dbg/main.go b/core/cmd/dbg/main.go
index f2d8fc0..176973f 100644
--- a/core/cmd/dbg/main.go
+++ b/core/cmd/dbg/main.go
@@ -20,12 +20,14 @@
 	"context"
 	"flag"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"math/rand"
 	"os"
-	"strings"
 	"time"
 
+	"git.monogon.dev/source/nexantic.git/core/pkg/logtree"
+
 	"github.com/spf13/pflag"
 	"google.golang.org/grpc"
 	cliflag "k8s.io/component-base/cli/flag"
@@ -51,12 +53,14 @@
 	}
 
 	logsCmd := flag.NewFlagSet("logs", flag.ExitOnError)
-	logsTailN := logsCmd.Uint("tail", 0, "Get last n lines (0 = whole buffer)")
+	logsTailN := logsCmd.Int("tail", -1, "Get last n lines (-1 = whole buffer, 0 = disable)")
+	logsStream := logsCmd.Bool("follow", false, "Stream log entries live from the system")
+	logsRecursive := logsCmd.Bool("recursive", false, "Get entries from entire DN subtree")
 	logsCmd.Usage = func() {
-		fmt.Fprintf(os.Stderr, "Usage: %s %s [options] component_path\n", os.Args[0], os.Args[1])
+		fmt.Fprintf(os.Stderr, "Usage: %s %s [options] dn\n", os.Args[0], os.Args[1])
 		flag.PrintDefaults()
 
-		fmt.Fprintf(os.Stderr, "Example:\n  %s %s --tail 5 kube.apiserver\n", os.Args[0], os.Args[1])
+		fmt.Fprintf(os.Stderr, "Example:\n  %s %s --tail 5 --follow init\n", os.Args[0], os.Args[1])
 	}
 	goldenticketCmd := flag.NewFlagSet("goldenticket", flag.ExitOnError)
 	conditionCmd := flag.NewFlagSet("condition", flag.ExitOnError)
@@ -66,19 +70,60 @@
 
 		fmt.Fprintf(os.Stderr, "Example:\n  %s %s IPAssigned\n", os.Args[0], os.Args[1])
 	}
+
 	switch os.Args[1] {
 	case "logs":
 		logsCmd.Parse(os.Args[2:])
-		componentPath := strings.Split(logsCmd.Arg(0), ".")
-		res, err := debugClient.GetComponentLogs(ctx, &apb.GetComponentLogsRequest{ComponentPath: componentPath, TailLines: uint32(*logsTailN)})
+		dn := logsCmd.Arg(0)
+		req := &apb.GetLogsRequest{
+			Dn:          dn,
+			BacklogMode: apb.GetLogsRequest_BACKLOG_DISABLE,
+			StreamMode:  apb.GetLogsRequest_STREAM_DISABLE,
+			Filters:     nil,
+		}
+
+		switch *logsTailN {
+		case 0:
+		case -1:
+			req.BacklogMode = apb.GetLogsRequest_BACKLOG_ALL
+		default:
+			req.BacklogMode = apb.GetLogsRequest_BACKLOG_COUNT
+			req.BacklogCount = int64(*logsTailN)
+		}
+
+		if *logsStream {
+			req.StreamMode = apb.GetLogsRequest_STREAM_UNBUFFERED
+		}
+
+		if *logsRecursive {
+			req.Filters = append(req.Filters, &apb.LogFilter{
+				Filter: &apb.LogFilter_WithChildren_{WithChildren: &apb.LogFilter_WithChildren{}},
+			})
+		}
+
+		stream, err := debugClient.GetLogs(ctx, req)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Failed to get logs: %v\n", err)
 			os.Exit(1)
 		}
-		for _, line := range res.Line {
-			fmt.Println(line)
+		for {
+			res, err := stream.Recv()
+			if err != nil {
+				if err == io.EOF {
+					os.Exit(0)
+				}
+				fmt.Fprintf(os.Stderr, "Failed to stream logs: %v\n", err)
+				os.Exit(1)
+			}
+			for _, entry := range res.BacklogEntries {
+				entry, err := logtree.LogEntryFromProto(entry)
+				if err != nil {
+					fmt.Printf("error decoding entry: %v", err)
+					continue
+				}
+				fmt.Println(entry.String())
+			}
 		}
-		return
 	case "goldenticket":
 		goldenticketCmd.Parse(os.Args[2:])
 		ip := goldenticketCmd.Arg(0)
diff --git a/core/cmd/init/debug_service.go b/core/cmd/init/debug_service.go
index faa0135..6cb9620 100644
--- a/core/cmd/init/debug_service.go
+++ b/core/cmd/init/debug_service.go
@@ -18,31 +18,226 @@
 
 import (
 	"context"
-
-	"git.monogon.dev/source/nexantic.git/core/internal/cluster"
-	"git.monogon.dev/source/nexantic.git/core/internal/containerd"
-	"git.monogon.dev/source/nexantic.git/core/internal/kubernetes"
-	apb "git.monogon.dev/source/nexantic.git/core/proto/api"
+	"crypto/x509"
+	"fmt"
+	"net"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+
+	"git.monogon.dev/source/nexantic.git/core/internal/cluster"
+	"git.monogon.dev/source/nexantic.git/core/internal/common"
+	"git.monogon.dev/source/nexantic.git/core/internal/consensus/ca"
+	"git.monogon.dev/source/nexantic.git/core/internal/kubernetes"
+	"git.monogon.dev/source/nexantic.git/core/pkg/logtree"
+	apb "git.monogon.dev/source/nexantic.git/core/proto/api"
+)
+
+const (
+	logFilterMax = 1000
 )
 
 // debugService implements the Smalltown node debug API.
-// TODO(q3k): this should probably be implemented somewhere else way once we have a better
-// supervision introspection/status API.
 type debugService struct {
 	cluster    *cluster.Manager
 	kubernetes *kubernetes.Service
-	containerd *containerd.Service
+	logtree    *logtree.LogTree
+}
+
+func (s *debugService) GetGoldenTicket(ctx context.Context, req *apb.GetGoldenTicketRequest) (*apb.GetGoldenTicketResponse, error) {
+	ip := net.ParseIP(req.ExternalIp)
+	if ip == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "could not parse IP %q", req.ExternalIp)
+	}
+	this := s.cluster.Node()
+
+	certRaw, key, err := s.nodeCertificate()
+	if err != nil {
+		return nil, status.Errorf(codes.Unavailable, "failed to generate node certificate: %v", err)
+	}
+	cert, err := x509.ParseCertificate(certRaw)
+	if err != nil {
+		panic(err)
+	}
+	kv := s.cluster.ConsensusKVRoot()
+	ca, err := ca.Load(ctx, kv)
+	if err != nil {
+		return nil, status.Errorf(codes.Unavailable, "could not load CA: %v", err)
+	}
+	etcdCert, etcdKey, err := ca.Issue(ctx, kv, cert.Subject.CommonName, ip)
+	if err != nil {
+		return nil, status.Errorf(codes.Unavailable, "could not generate etcd peer certificate: %v", err)
+	}
+	etcdCRL, err := ca.GetCurrentCRL(ctx, kv)
+	if err != nil {
+		return nil, status.Errorf(codes.Unavailable, "could not get etcd CRL: %v", err)
+	}
+
+	// Add new etcd member to etcd cluster.
+	etcd := s.cluster.ConsensusCluster()
+	etcdAddr := fmt.Sprintf("https://%s:%d", ip.String(), common.ConsensusPort)
+	_, err = etcd.MemberAddAsLearner(ctx, []string{etcdAddr})
+	if err != nil {
+		return nil, status.Errorf(codes.Unavailable, "could not add as new etcd consensus member: %v", err)
+	}
+
+	return &apb.GetGoldenTicketResponse{
+		Ticket: &apb.GoldenTicket{
+			EtcdCaCert:     ca.CACertRaw,
+			EtcdClientCert: etcdCert,
+			EtcdClientKey:  etcdKey,
+			EtcdCrl:        etcdCRL,
+			Peers: []*apb.GoldenTicket_EtcdPeer{
+				{Name: this.ID(), Address: this.Address().String()},
+			},
+			This: &apb.GoldenTicket_EtcdPeer{Name: cert.Subject.CommonName, Address: ip.String()},
+
+			NodeId:   cert.Subject.CommonName,
+			NodeCert: certRaw,
+			NodeKey:  key,
+		},
+	}, nil
 }
 
 func (s *debugService) GetDebugKubeconfig(ctx context.Context, req *apb.GetDebugKubeconfigRequest) (*apb.GetDebugKubeconfigResponse, error) {
 	return s.kubernetes.GetDebugKubeconfig(ctx, req)
 }
 
-// GetComponentLogs gets various logbuffers from binaries we call. This function just deals with the first path component,
-// delegating the rest to the service-specific handlers.
-func (s *debugService) GetComponentLogs(ctx context.Context, req *apb.GetComponentLogsRequest) (*apb.GetComponentLogsResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "unimplemented")
+func (s *debugService) GetLogs(req *apb.GetLogsRequest, srv apb.NodeDebugService_GetLogsServer) error {
+	if len(req.Filters) > logFilterMax {
+		return status.Errorf(codes.InvalidArgument, "requested %d filters, maximum permitted is %d", len(req.Filters), logFilterMax)
+	}
+	dn := logtree.DN(req.Dn)
+	_, err := dn.Path()
+	switch err {
+	case nil:
+	case logtree.ErrInvalidDN:
+		return status.Errorf(codes.InvalidArgument, "invalid DN")
+	default:
+		return status.Errorf(codes.Unavailable, "could not parse DN: %v", err)
+	}
+
+	var options []logtree.LogReadOption
+
+	// Turn backlog mode into logtree option(s).
+	switch req.BacklogMode {
+	case apb.GetLogsRequest_BACKLOG_DISABLE:
+	case apb.GetLogsRequest_BACKLOG_ALL:
+		options = append(options, logtree.WithBacklog(logtree.BacklogAllAvailable))
+	case apb.GetLogsRequest_BACKLOG_COUNT:
+		count := int(req.BacklogCount)
+		if count <= 0 {
+			return status.Errorf(codes.InvalidArgument, "backlog_count must be > 0 if backlog_mode is BACKLOG_COUNT")
+		}
+		options = append(options, logtree.WithBacklog(count))
+	default:
+		return status.Errorf(codes.InvalidArgument, "unknown backlog_mode %d", req.BacklogMode)
+	}
+
+	// Turn stream mode into logtree option(s).
+	streamEnable := false
+	switch req.StreamMode {
+	case apb.GetLogsRequest_STREAM_DISABLE:
+	case apb.GetLogsRequest_STREAM_UNBUFFERED:
+		streamEnable = true
+		options = append(options, logtree.WithStream())
+	}
+
+	// Parse proto filters into logtree options.
+	for i, filter := range req.Filters {
+		switch inner := filter.Filter.(type) {
+		case *apb.LogFilter_WithChildren_:
+			options = append(options, logtree.WithChildren())
+		case *apb.LogFilter_OnlyRaw_:
+			options = append(options, logtree.OnlyRaw())
+		case *apb.LogFilter_OnlyLeveled_:
+			options = append(options, logtree.OnlyLeveled())
+		case *apb.LogFilter_LeveledWithMinimumSeverity_:
+			severity, err := logtree.SeverityFromProto(inner.LeveledWithMinimumSeverity.Minimum)
+			if err != nil {
+				return status.Errorf(codes.InvalidArgument, "filter %d has invalid severity: %v", i, err)
+			}
+			options = append(options, logtree.LeveledWithMinimumSeverity(severity))
+		}
+	}
+
+	reader, err := s.logtree.Read(logtree.DN(req.Dn), options...)
+	switch err {
+	case nil:
+	case logtree.ErrRawAndLeveled:
+		return status.Errorf(codes.InvalidArgument, "requested only raw and only leveled logs simultaneously")
+	default:
+		return status.Errorf(codes.Unavailable, "could not retrieve logs: %v", err)
+	}
+	defer reader.Close()
+
+	// Default protobuf message size limit is 64MB. We want to limit ourselves
+	// to 10MB.
+	// Currently each raw log line can be at most 1024 unicode codepoints (or
+	// 4096 bytes). To cover extra metadata and proto overhead, let's round
+	// this up to 4500 bytes. This in turn means we can store a maximum of
+	// (10e6/4500) == 2222 entries.
+	// Currently each leveled log line can also be at most 1024 unicode
+	// codepoints (or 4096 bytes). To cover extra metadata and proto overhead
+	// let's round this up to 2000 bytes. This in turn means we can store a
+	// maximum of (10e6/5000) == 2000 entries.
+	// The lowever of these numbers, ie the worst case scenario, is 2000
+	// maximum entries.
+	maxChunkSize := 2000
+
+	// Serve all backlog entries in chunks.
+	chunk := make([]*apb.LogEntry, 0, maxChunkSize)
+	for _, entry := range reader.Backlog {
+		p := entry.Proto()
+		if p == nil {
+			// TODO(q3k): log this once we have logtree/gRPC compatibility.
+			continue
+		}
+		chunk = append(chunk, p)
+
+		if len(chunk) >= maxChunkSize {
+			err := srv.Send(&apb.GetLogsResponse{
+				BacklogEntries: chunk,
+			})
+			if err != nil {
+				return err
+			}
+			chunk = make([]*apb.LogEntry, 0, maxChunkSize)
+		}
+	}
+
+	// Send last chunk of backlog, if present..
+	if len(chunk) > 0 {
+		err := srv.Send(&apb.GetLogsResponse{
+			BacklogEntries: chunk,
+		})
+		if err != nil {
+			return err
+		}
+		chunk = make([]*apb.LogEntry, 0, maxChunkSize)
+	}
+
+	// Start serving streaming data, if streaming has been requested.
+	if !streamEnable {
+		return nil
+	}
+
+	for {
+		entry, ok := <-reader.Stream
+		if !ok {
+			// Streaming has been ended by logtree - tell the client and return.
+			return status.Error(codes.Unavailable, "log streaming aborted by system")
+		}
+		p := entry.Proto()
+		if p == nil {
+			// TODO(q3k): log this once we have logtree/gRPC compatibility.
+			continue
+		}
+		err := srv.Send(&apb.GetLogsResponse{
+			StreamEntries: []*apb.LogEntry{p},
+		})
+		if err != nil {
+			return err
+		}
+	}
 }
diff --git a/core/cmd/init/main.go b/core/cmd/init/main.go
index 989f953..4ba991c 100644
--- a/core/cmd/init/main.go
+++ b/core/cmd/init/main.go
@@ -29,25 +29,20 @@
 	"os/signal"
 	"runtime/debug"
 
-	"git.monogon.dev/source/nexantic.git/core/pkg/logtree"
-
-	"git.monogon.dev/source/nexantic.git/core/internal/network/dns"
-
 	"golang.org/x/sys/unix"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 
 	"git.monogon.dev/source/nexantic.git/core/internal/cluster"
 	"git.monogon.dev/source/nexantic.git/core/internal/common"
 	"git.monogon.dev/source/nexantic.git/core/internal/common/supervisor"
-	"git.monogon.dev/source/nexantic.git/core/internal/consensus/ca"
 	"git.monogon.dev/source/nexantic.git/core/internal/containerd"
 	"git.monogon.dev/source/nexantic.git/core/internal/kubernetes"
 	"git.monogon.dev/source/nexantic.git/core/internal/kubernetes/pki"
 	"git.monogon.dev/source/nexantic.git/core/internal/localstorage"
 	"git.monogon.dev/source/nexantic.git/core/internal/localstorage/declarative"
 	"git.monogon.dev/source/nexantic.git/core/internal/network"
+	"git.monogon.dev/source/nexantic.git/core/internal/network/dns"
+	"git.monogon.dev/source/nexantic.git/core/pkg/logtree"
 	"git.monogon.dev/source/nexantic.git/core/pkg/tpm"
 	apb "git.monogon.dev/source/nexantic.git/core/proto/api"
 )
@@ -90,17 +85,7 @@
 	go func() {
 		for {
 			p := <-reader.Stream
-			if p.Leveled != nil {
-				// Use glog-like layout, but with supervisor DN instead of filename.
-				timestamp := p.Leveled.Timestamp()
-				_, month, day := timestamp.Date()
-				hour, minute, second := timestamp.Clock()
-				nsec := timestamp.Nanosecond() / 1000
-				fmt.Fprintf(os.Stderr, "%s%02d%02d %02d:%02d:%02d.%06d %s] %s\n", p.Leveled.Severity(), month, day, hour, minute, second, nsec, p.DN, p.Leveled.Message())
-			}
-			if p.Raw != nil {
-				fmt.Fprintf(os.Stderr, "%-32s R %s\n", p.DN, p.Raw)
-			}
+			fmt.Fprintf(os.Stderr, "%s\n", p.String())
 		}
 	}()
 
@@ -236,11 +221,9 @@
 		}
 
 		// Start the node debug service.
-		// TODO(q3k): this needs to be done in a smarter way once LogTree lands, and then a few things can be
-		// refactored to start this earlier, or this can be split up into a multiple gRPC service on a single listener.
 		dbg := &debugService{
 			cluster:    m,
-			containerd: containerdSvc,
+			logtree:    lt,
 			kubernetes: kubeSvc,
 		}
 		dbgSrv := grpc.NewServer()
@@ -336,58 +319,3 @@
 	}
 	return
 }
-
-func (s *debugService) GetGoldenTicket(ctx context.Context, req *apb.GetGoldenTicketRequest) (*apb.GetGoldenTicketResponse, error) {
-	ip := net.ParseIP(req.ExternalIp)
-	if ip == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "could not parse IP %q", req.ExternalIp)
-	}
-	this := s.cluster.Node()
-
-	certRaw, key, err := s.nodeCertificate()
-	if err != nil {
-		return nil, status.Errorf(codes.Unavailable, "failed to generate node certificate: %v", err)
-	}
-	cert, err := x509.ParseCertificate(certRaw)
-	if err != nil {
-		panic(err)
-	}
-	kv := s.cluster.ConsensusKVRoot()
-	ca, err := ca.Load(ctx, kv)
-	if err != nil {
-		return nil, status.Errorf(codes.Unavailable, "could not load CA: %v", err)
-	}
-	etcdCert, etcdKey, err := ca.Issue(ctx, kv, cert.Subject.CommonName, ip)
-	if err != nil {
-		return nil, status.Errorf(codes.Unavailable, "could not generate etcd peer certificate: %v", err)
-	}
-	etcdCRL, err := ca.GetCurrentCRL(ctx, kv)
-	if err != nil {
-		return nil, status.Errorf(codes.Unavailable, "could not get etcd CRL: %v", err)
-	}
-
-	// Add new etcd member to etcd cluster.
-	etcd := s.cluster.ConsensusCluster()
-	etcdAddr := fmt.Sprintf("https://%s:%d", ip.String(), common.ConsensusPort)
-	_, err = etcd.MemberAddAsLearner(ctx, []string{etcdAddr})
-	if err != nil {
-		return nil, status.Errorf(codes.Unavailable, "could not add as new etcd consensus member: %v", err)
-	}
-
-	return &apb.GetGoldenTicketResponse{
-		Ticket: &apb.GoldenTicket{
-			EtcdCaCert:     ca.CACertRaw,
-			EtcdClientCert: etcdCert,
-			EtcdClientKey:  etcdKey,
-			EtcdCrl:        etcdCRL,
-			Peers: []*apb.GoldenTicket_EtcdPeer{
-				{Name: this.ID(), Address: this.Address().String()},
-			},
-			This: &apb.GoldenTicket_EtcdPeer{Name: cert.Subject.CommonName, Address: ip.String()},
-
-			NodeId:   cert.Subject.CommonName,
-			NodeCert: certRaw,
-			NodeKey:  key,
-		},
-	}, nil
-}