How To attach Logback to smartfox server - log4j

How do I attach logback to smartfox server?
smartfox uses log4j by default. How can I shift logging of my extensions/all of smartfox to logback?
I've tried this, but it is failing with this error because it has already bound to log4j, I guess.

SmartFoxServer 2x uses Simple Logging Facade for Java (SLF4J) for logging. The very purpose of SLF4J is to provide a facade over the logging framework so the user can replace one logging framework with another. In your case log4J with Logback. I'll first explain how SLF4J works and how you can change one logging framework with another and briefly discuss some caveats. Then I'll cover some SmartFoxServer specifics.
Simple Logging Facade for Java Architecture
SLF4J provides an API which serves as a facade (abstraction layer) over the actual logging framework. This allows the user to easily switch between frameworks at deployment time without the need to change the code. But it also means that SLF4J on its own is not enough - the default implementation is no-op. In order to actually log anything you need an actual logging framework (such as log4j or logback) and a so-called "binder" which serves as a bridge or adapter between SLF4J and the logging framework.
Swapping Logging Frameworks
The SLF4J User Manual provides a detailed explanation of how you can swap one framework with another at deployment time. In short, you just need to delete the old binder and logging framework and add the new binder and the new logging framework. To swap log4j with logback you need to delete the slf4j-log4j12 and log4j jars and add logback-classic and logback-core.
Caveats
You should make sure that there is only one binder implementation in the classpath. Having more than one causes a warning, not an error. SLF4J would just pick one of the implementations. But I would not rule out the possibility for this to cause issues with a more complex application (such as SmartFoxServer) that uses multiple class loaders. But more importantly, you should make sure the SLF4J API, the binder and the logging framework versions are compatible. For example, if you use an old version of SLF4J with a newer version of logback, that may cause a ClassNotFoundException. I suspect that this could be the reason why you get the error you see.
Swapping log4j with Logback as logging framework for SmartFoxServer 2x
SmartFoxServer 2x version 2.17.3 uses SLF4J API version 1.7.5. To swap log4j you need to first delete lib/slf4j-log4j12-1.7.5.jar and then add compatible version of logback-classic and logback-core jars. For example logback-classic 1.1.0 and logback-core 1.1.0.
You can delete lib/log4j-1.2.15.jar but I would rather keep it. The binder (lib/slf4j-log4j12-1.7.5.jar) is not meant to be used directly so it should be safe to delete. On the other hand, there are libraries that use log4j directly. I don't know if SmartFoxServer 2x uses any such library but it is safer to keep it just in case. Swapping the binder is enough for SLF4J to use Logback and ignore log4j.
Logger Output
SmartFoxServer 2x parses the logger output to provide some functionality such as the Admin Log Viewer. If you change the log output this may cause this functionality to stop working and maybe even cause other issues (in theory it should not, but you never know). There is a configuration file (config/logParser.properties) that would allow you to configure the log parser, but I didn't find any documentation about it. You may try to ask on the SmartFoxServer forum. The developers are actually pretty active there so they may help.
Swapping loggers only for your extension
The instructions I gave swap the logger for all extensions and SmartFoxServer. If you want you may try to swap them only for your extensions. But I'm not quite sure if and how that would work. Each class extension uses its own class loader but this provides isolation between extensions and SmartFoxServer and extensions, but not between extension and SmartFoxServer. What this means is that if you add lib.jar to the Extension A classpath it would not be visible to Extension B or to SmartFoxServer code. But if you add lib.jar to the SmartFoxServer classpath it would be visible to both Extension A and Extension B. As SmartFoxServer already contains the SLF4J API on its classpath you should not add it to your extension classpath. You can try to add logback-classic and logback-core to your extension classpath. But in this case you'll have two binder implementations in your extension classpath (logback and log4j from the SmartFoxServer classpath). As already discussed, I'm not quite sure how and if this would work.
Conclusion
SLF4J provides an easy way to swap logging frameworks, but there are some caveats. And SmartFoxServer adds some caveats of its own. Unless the SmartFoxServer team supports swapping of the underlying logging framework (which, judging by some answers in their forum, they don't), I would be quite careful and do such a swap only if there are some benefits and it is not just a matter of personal preference.

Related

Is it possible to configure log4j to use a proxy as part of its connections out to Splunk, Datadog, etc?

If log4j doesn't support this then is there some drop-in replacement for log4j that does? I've gone through the docs and lots of google searches, unfortunately all search results come up with "exploit" or "vulnerability" articles.
Splunk provides a splunk-library-javalogging that has appenders for both Log4j2 Core (the reference Log4j2 API implementation) and Logback (the reference SLF4J API implementation).
The appenders use OkHttp 3.x under the hood, so they will behave as all OkHttp-based components. Since splunk-library-javalogging does not set either a proxy or a proxySelector explicitly (cf. source code), OkHttp falls back to the system-wide ProxySelector.
Without any code modification on your part you can use the JVM-wide proxy settings as in this question.
Remark: if by log4j you are referring to Log4j 1.x, you need to replace the log4j:log4j artifact with either log4j-over-slf4j (which forwards to the SLF4J API) or log4j-1.2-api (which forwards to the Log4j2 API).

org.slf4j:log4j-over-slf4j:jar:1.7.21:compile vulnerability

We need to migrate to log4j 2.17 if we are using the log4j jar. mvn dependency:tree shows only log4j-over-slf4j:jar, so I assume the app is safe, as it will redirect calls to slf4j, not to log4j.
Please confirm my app is safe with this jar without any remediation?
On the SLF4J website, in the Comments on the log4shell (CVE-2021-44228) vulnerability, they state that:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
So it basically depends on how you're implementing the logs' generation. Slf4j natively uses logback. But to be sure, you can check your pom.xml and see if log4j is mentioned there.
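Added example, not part of either answer: the single-binder caveat from the SmartFoxServer answer and the "safe unless the underlying implementation is log4j 2.x" condition quoted above can both be checked against the jars actually deployed. The sketch assumes SLF4J 1.x (which binds through org/slf4j/impl/StaticLoggerBinder.class), treats any entry under org/apache/logging/log4j/core/ as log4j-core, and runs on constructed placeholder jars; audit_lib_dir, verdict and demo are illustrative names.

```python
import tempfile
import zipfile
from pathlib import Path

# SLF4J 1.x binds to whichever jar on the classpath supplies this class.
BINDER_CLASS = "org/slf4j/impl/StaticLoggerBinder.class"
# Package prefix of the Log4j 2.x implementation classes (log4j-core).
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"


def audit_lib_dir(lib_dir):
    """Return (binder_jars, log4j2_core_jars) for the jars directly in lib_dir."""
    binders, log4j2_core = [], []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # unreadable archive: skip it, keep auditing the rest
        if BINDER_CLASS in names:
            binders.append(jar.name)
        if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
            log4j2_core.append(jar.name)
    return binders, log4j2_core


def verdict(binders, log4j2_core):
    """Map the findings onto the two conditions discussed in the answers."""
    if len(binders) != 1:
        return f"{len(binders)} binders found, SLF4J 1.x needs exactly one"
    if log4j2_core:
        return "one binder, log4j-core 2.x present: check its version"
    return "one binder, no log4j-core 2.x"


def demo():
    jars = {  # constructed lib/ contents: jar name -> one placeholder entry
        "slf4j-log4j12-1.7.5.jar": BINDER_CLASS,
        "logback-classic-1.1.0.jar": BINDER_CLASS,
        "log4j-over-slf4j-1.7.21.jar": "org/apache/log4j/Logger.class",
    }
    with tempfile.TemporaryDirectory() as lib:
        for name, entry in jars.items():
            with zipfile.ZipFile(Path(lib) / name, "w") as zf:
                zf.writestr(entry, b"")
        before = verdict(*audit_lib_dir(lib))
        (Path(lib) / "slf4j-log4j12-1.7.5.jar").unlink()  # the swap step
        after = verdict(*audit_lib_dir(lib))
    return before, after
```

Point audit_lib_dir at a real lib/ directory to audit a deployment; jars nested inside other archives are not inspected.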

Empty PropertyConfigurator implementation in log4j-1.2-api

I'm upgrading Log4j-1.2.17 to Log4j2-2.12.2 in my project.
To do that I'm using the log4j-1.2 bridge.
In the old version I use a property file to configure log4j.
After the upgrade everything looks ok, no errors, no warnings. But logs don't appear in the file pointed to in the properties file.
I realized that PropertyConfigurator.class exists in log4j-1.2-api.jar, but the methods don't have an implementation.
empty PropertyConfigurator.configure(Properties properties)
Can you explain that to me?
Which configuration syntax is correct when I use log4j-1.2-api.jar? log4j or log4j2?
Prior to Log4j 2.13.0 log4j-1.2-api only provides compatibility for applications that used the log4j 1.x API for logging. The Log4j 2 configuration is still used as all logging calls are redirected to Log4j 2. So only the Log4j 2 configuration syntax would be valid.
Many of the old log4j 1.x internal classes are also present because many applications were using them in an attempt to manually manipulate logging, much of which probably isn't necessary with Log4j 2.
In Log4j 2.13.0 the log4j-1.2-api was extended to provide experimental support for Log4j 1.x configuration files. You would have to compare your log4j 1 configurations with the documentation to determine if that support will work for you. However, the Log4j 1.x PropertyConfigurator still will be a no-op even with the compatibility support.

org.jxls seems to affect log4j

When I add the org.jxls dependency to the pom, it seems to affect log4j outputs. I set the log4j log level to "ERROR", but it outputs DEBUG information to the console. But when I remove org.jxls, log4j works right.
Although Jxls-2 uses SLF4J as a logging facade it has a dependency on Logback because it uses some of its XML processing utilities.
If you do not use Logback but another logging framework (e.g. log4j) and configured SLF4J binding you can still end up with "Class path contains multiple SLF4J bindings" warning.
Currently there is a bug in Jxls-2 to remove the Logback dependency.
Until it is fixed you may need to have a logback.xml in your classpath.
Update
The issue is now resolved in JXLS v2.2.9.
So now it should be possible to plug in any logging framework following the instructions in the SLF4J manual.

how to define multiple log4j configs with Jetty server in web.xml

Here's what I want to do:
- being able to have a separate log4j.properties for each different deployment "war"
- being able to define in the ant build, or web.xml, using a system parameter, which log properties to use.
My project setup is Jetty with Jersey as REST API, without Spring.
I've done some research and it turns out there are other Spring solutions to set in web.xml but I'm not using Spring.
I also know Jetty is using slf4j, but if switching to slf4j, would I be able to do this more easily?
What would be the best way to solve this, so that in web.xml or the ant build, the log4j config can be customized defined?
Thanks a lot!
EDIT:
I figured that I can start another servlet with some init-param defined. Then on a separate HttpServlet implementation to set the PropertyConfigurator.configure([name of the log4j config]);
Is adding one more servlet an ideal way of handling this?
Lots of different ways to handle this.
Since your mission is not different logging per Servlet, or per Webapp...I wouldn't solve the problem in the servlet or webapp locations but at the server level. To me, you want to log all this information to the correct place, not just all the information once the servlet has been deployed. To this end, I would enable the slf4j-api support in jetty and then look into the best way to handle that from the slf4j side of things. With that you can use whatever logging framework you want, slf4j-simple, log4j or logback..whatever you like.
Alternatively, if you really want to avoid the server side of logging, I suppose you could just use a log4j.properties file in the resources directory and then on jetty startup on the command line serve out a different resources directory. Figure out what options you want and start up with:
java -jar start.jar OPTIONS=Server,jmx,jsp,resources-[dev,qa,prod]
cheers
