If log4j doesn't support this then is there some drop-in replacement for log4j that does? I've gone through the docs and lots of google searches, unfortunately all search results come up with "exploit" or "vulnerability" articles.
Splunk provides a splunk-library-javalogging that has appenders for both Log4j2 Core (the reference Log4j2 API implementation) and Logback (the reference SLF4J API implementation).
The appenders use OkHttp 3.x under the hood, so they will behave as all OkHttp-based components. Since splunk-library-javalogging does not set either a proxy nor a proxySelector explicitly (cf. source code), OkHttp falls back to the system wide ProxySelector.
Without any code modification on your part you can use the JVM-wide proxy settings as in this question.
Remark: if by log4j you are referring to Log4j 1.x, you need to replace the log4j:log4j artifact with either log4j-over-slf4j (which forwards to the SLF4J API) or log4j-1.2-api (which forwards to the Log4j2 API).
Related
We need to migrate to log4j 2.17 if we are using log4j jar, mvn dependency: tree showing only log4j-over-slf4j:jar. so I assume app is safe as it will redirect call to sl4j not to log4j.
Please confirm my app is safe with this jar without any remediation.?
In the SLF4J website, in the Comments on the log4shell(CVE-2021-44228) vulnerability they state that:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
So it basically depends on how you're implementing the logs' generation. Slf4j natively uses logback. But to be sure, you can check your pom.xml and see if log4j is mentioned there.
How do I attach logback to smartfox server?
smartfox uses log4j by default. How can I shift logging of my extensions/all of smartfox to logback?
I've tried this but this is failing with this error cause it has already boud to log4j I guess.
SmartFoxServer 2x uses Simple Logging Facade for Java (SLF4J) for logging. The very purpose of SLF4J is to provide a facade over the logging framework so the user can replace one logging framework with another. In your case log4J with Logback. I'll first explain how SLF4J works and how you can change one logging framework with another and briefly discuss some caveats. Then I'll cover some SmartFoxServer specifics.
Simple Logging Facade for Java Architecture
SLF4J provides API which serves as facade (abstraction layer) over the actual logging framework. This allows the user to easily switch between frameworks on deployment time without the need to change the code. But it also means that SLF4J on its own is not enough - the default implementation is no-op. In order to actually log anything you need actual logging framework (such as log4j or logback) and so called "binder" which servers as a bridge or adapter between SLF4J and the logging framework.
Swapping Logging Frameworks
The SLF4J User Manual provides detailed explanation on how you can swap one framework with another during deployment time. In short you just need to delete the old binder and logging framework and add the new binder and the new logging framework. To swap log4 with logback you need to delete slf4j-log4j12 and log4j jars and add logback-classic and logback-core.
Caveats
You should make sure that there is only one binder implementation in the classpath. Having more than one causes waring, not error. SLF4J would just pick one of the implementations. But I would not rule out the possibility for this to cause issues with more complex application (such as SmartFoxServer) that uses multiple class loaders. But more importantly you should make sure the SLF4J API, the binder and the logging framework versions are compatible. For example if you use old version of SLF4J with newer version of logback that may cause ClassNotFoundException. I suspect that this could be reason why you get the error you see.
Swapping lof4j with Logback as logging framework for SmartFoxServer 2x
SmartFoxServer 2x version 2.17.3 uses SLF4J API version 1.7.5. To swap log4j you need to first delete lib/slf4j-log4j12-1.7.5.jar and then add compatible version of logback-classic and logback-core jars. For example logback-classic 1.1.0 and logback-core 1.1.0.
You can delete lib/log4j-1.2.15.jar but I would rather keep it. The binder(lib/slf4j-log4j12-1.7.5.jar) is not meant to be used directly so it should be safe to be deleted. On other hand there are libraries that use log4j directly. I don't know if SmartFoxServer 2x uses any such library but it is safer to keep it just in case. Swapping the binder is enough for SLF4J to use Logback and ignore log4j.
Logger Output
SmartFoxServer 2x parses the logger output to provide some functionality such as the Admin Log Viewer. If you change the log output this may cause this functionality to stop working and maybe even cause other issues (on theory it should not, but you never know). There is configuration file (config/logParser.properties) that would allow you to configure the log parser, but I didn't found any documentation about it. You may try to ask on the SmartFoxServer forum. The developers are actually pretty active there so they may help.
Swapping loggers only for your extension
The instruction I gave swaps the logger for all extensions and SmartFoxServer. If you want you may try to swap them only for your extensions. But I'm not quite sure if and how that would work. Each class extension uses its own class loader but this provides isolation between extensions and SmartFoxServer and extensions, but not between extension and SmartFoxServer. What does this mean is that if you add lib.jar to Extension A classpath it would not be visible to Extension B or to SmartFoxServer code. But if you add lib.jar to the SmartFoxServer classpath it would be visible to both Extension A and Extension B. As SmartFoxServer already contains SLF4J API on its classpath you should not add it to your extension classpath. You can try to add logback-classic and logback-core to you extension classpath. But in this case you'll have two binder implementations in you extension classpath (logback and log4j from the SmartFoxServer classpath). As already discussed, I'm not quite sure how and if this would work.
Conclusion
SLF4J provides an easy way to swap logging frameworks, but there some caveats. And SmartFoxServer adds some caveats on its own. Unless SmartFoxServer team supports swapping of the underlaying logging framework (which judging by some anwers in their forum, they don't), I would be quite careful and do such swap only if there are some benefits and it is not just a matter of personal preference.
I'm upgrading Log4j-1.2.17 to Log4j2-2.12.2 in my project.
To do that I'm using the log4j-1.2 bridge.
In old version I use property file to configure log4j.
After upgrade everything looks ok, no errors, no warnings. But logs don't appear in file pointed in properties file.
I realized that PropertyConfigurator.class exists in log4j-1.2-api.jar, but methods don't have implementation.
empty PropertyConfigurator.configure(Properties properties)
Can you explain me that?
Which configuration syntax is correct when I use log4j-1.2-api.jar? log4j or log4j2?
Prior to Log4j 2.13.0 log4j-1.2-api only provides compatibility for applications that used the log4j 1.x API for logging. The Log4j 2 configuration is still used as all logging calls are redirected to Log4j 2. So only the Log4j 2 configuration syntax would be valid.
Many of the old log4j 1.x internal classes are also present because many applications were using them in an attempt manually manipulate logging, much of which probably isn't necessary with Log4j 2.
In Log4j 2.13.0 the log4j-1.2-api was extended to provide experimental support for Log4j 1.x configuration files. You would have to compare your log4j 1 configurations with the documentation to determine if that support will work for you. However, the Log4j 1.x PropertyConfigurator still will be a no-op even with the compatibility support.
When I add org.jxls dependency to pom,it seems to affect log4j outputs.I set log4j log level "ERROR",but it outputs DEBUG infomation to console.But when I remove org.jxls,log4j works right.
Although Jxls-2 uses SLF4J as a logging facade it has a dependency to Logback because it uses some if its XML processing utilities.
If you do not use Logback but another logging framework (e.g. log4j) and configured SLF4J binding you can still end up with "Class path contains multiple SLF4J bindings" warning.
Currently there is a bug in Jxls-2 to remove the Logback dependency.
Until it is fixed you may need to have a logback.xml in your classpath.
Update
The issue is now resolved in JXLS v2.2.9 .
So now it should be possible to plugin any logging framework following the instructions in SLF4J manual
I'm looking for a way to make log4net support zeroconf to publish logs to Apache Chainsaw (see here: Does log4net support zeroconf?). Apparently log4j can already do this using a ZeroConfSocketHubAppender.
Where might I be able to view the source for the java ZeroConfSocketHubAppender? I've looked both in the Apache Chainsaw and in the Log4j repositories but was unsuccessful.
ZeroConf is a log4j 'companion', but ZeroConfSocketHubAppender (and this companion) is no longer necessary due to the fact that most network-based appenders in log4j have ZeroConf support built-in as of log4j 1.2.16.
All you need to do to enable ZeroConf is add jmdns.jar to your classpath and set the 'advertiseViaMulticastDNS' param to 'true' in the appender configuration.
Here's the commit & log info describing the changes which improved ZeroConf support in the appenders (and receivers):
http://svn.apache.org/viewvc?view=revision&revision=924176
Here is a link to the ZeroConf page if you still want to use that
http://logging.apache.org/log4j/companions/zeroconf/source-repository.html
By the way, the svn HEAD revision of Chainsaw (which should be released soon) includes support for using the advertised ZeroConf appender information to automatically create receivers.