I'm looking for more current recommendations on the JCL. I need to choose between using the JCL or just using straight Log4j. I can see the benefits of JCL, but articles such as http://www.qos.ch/logging/thinkAgain.jsp leave me a little unsettled. However, these articles are a bit old and a search of JCL bug fixes seems to indicate some of these issues may have been resolved. I am hoping for a more recent take on the issue. Any thoughts?
Well, this is not a direct answer to you, but I strongly recommend using Simple Logging Facade for Java (SLF4J) with Logback implementation. Logback project is meant to be a successor of Log4j project, and is built by the founder of Log4j and the author of the mentioned article.
SLF4j provides a clean interface to the various logging tools, with adaptors for legacy logging tools. This helpful when you rely on packages that rely on log4j and/or JDK logger.
A previous question discussed some of the reasons to use SLF4J project.
Check out Simple Logging Facade for Java (SLF4J). The article you referenced talks about the "classloader problem" and SLF4J is supposed to answer that.
Unless you need to support something older than java 1.4, consider just using java.util.logging. Standard is better than better, and this way you won't have any classloader problems at all.
Related
Whether Archimate tool : Archi is vulnerable to the log4j [CVE-2021-44228] impact? Is it using log4j first of all.
No, the Archi Java Archimate Modeller does not use log4j and is therefore also not vulnerable to this issue.
See the answers to the question in the Forum:
https://github.com/archimatetool/archi/issues/795#issuecomment-996478526
https://forum.archimatetool.com/index.php?topic=1155.msg6168#msg6168
You can also search the code and will not find anything.
https://github.com/archimatetool/archi/search?q=log4j
Maybe a naive question. but many projects still use Log4j 1.x
Is there no possibility to fix at least the CVE's in Log4j 1.x? It is clear that every project should switch to log4j2. But that doesn't change the fact that the smaller security leaks in Log4j 1.x are there, even if less critical.
It it possible that the community of Log4j maybe describes how to use Log4j 1.x to be more secure. e.g. not to use some of the appenders?
The development of log4j is volunteer based. There simply aren't enough volunteers to keep maintaining all legacy applications.
And even if there is some volunteer that patches log4j 1.2 (=latest), it is still a deprecated version that is not up-to-date in many other ways (has not been updated for 6 years). Everybody should really migrate to log4j2.
Read this blog post from Apache
I have implemented log4j in my project for logging but as we all know it is slower than slf4j. Thats why I want to upgrade to slf4j. How I can replace log4j with slf4j.
I have created my own framework where I implemented log4j in my whole project. But I want to replace that with slf4j but not able to find a proper method.
This answer is bit longer to post it as a comment, so posting it as an
answer.
Extending #sazzad answer, SLF4j is logging facade and it requires an underlying logging api such as log4j,log4j2, logback, commons-logging etc.
So which logging api you are planning to use?
If you are planning to use log4j itself as an underlying logging api, then you need to use slf4j-log4j12 jar in your application. (Make sure not to use both slf4j-log4j12 and log4j-over-slf4j at the same time as it causes an infinite loop) and that's it.
If you are planning to use other logging api such as logback, then you need to use log4j-over-slf4j jar and respective logging api bridge jar. See Slf4j Bridging legacy APIs
I am writing some codes which are supposed to run (as jar) on both flink and spark platforms. However, these two platforms use different log APIs. (flink uses log4j as logging framework, but slf4j as API) In this case, what is the best practice to log in the common codes ?
I tried with Log4j2 API in these common codes, but it cannot log anything in flink.
My idea now would be trying to get the logging context with log4j API from the slf4j context (which is already launched by flink), is that correct?
Thanks
Definitely a safe way to go would be to use SLF4J from a shared common library.
Since SLF4J is a logging facade, you don't have to force your users to use the same logging framework you're using in your library. See the user manual to this point:
Authors of widely-distributed components and libraries may code
against the SLF4J interface in order to avoid imposing an logging
framework on their end-user. Thus, the end-user may choose the desired
logging framework at deployment time by inserting the corresponding
slf4j binding on the classpath, which may be changed later by
replacing an existing binding with another on the class path and
restarting the application. This approach has proven to be simple and
very robust.
Hey I am new to Cassandra and I am friendly with Spring jdbc-template.
Can anyone please explain difference between both of them? Also can you suggest which one is good to use ?
thanks.
spring-data-cassandra uses datastax's java-driver, so the decision to be made is really whether or not you need the functionality of spring-data.
Some features from spring data that may be useful for you (documented here):
spring xml configuration for configuring your Cluster instance (especially useful if you are already using spring).
object mapping component.
The java-driver also has a mapping component as well that is worth exploring.
In my opinion if you are already using spring, it is worth looking into spring-data-cassandra. Otherwise, it would be good to start off with just the datastax java-driver.