Log4j

Last updated • 9 min readFrom Wikipedia, The Free Encyclopedia

Apache Log4j
Developer(s) Apache Software Foundation
Initial releaseJanuary 8, 2001;23 years ago (2001-01-08) [1]
Stable release
2.24.1 [2]   OOjs UI icon edit-ltr-progressive.svg / 29 September 2024;23 days ago (29 September 2024) [3]
Repository github.com/apache/logging-log4j2
Written in Java
Operating system Cross-platform
Type Logging
License Apache License 2.0
Website logging.apache.org/log4j/2.x/

Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.

Contents

Gülcü has since created SLF4J, Reload4j, [4] and Logback [5] [ better source needed ] which are alternatives to Log4j. [6]

The Apache Log4j team developed Log4j 2 [7] in response to the problems of Log4j 1.2, 1.3, java.util.logging and Logback, addressing issues which appeared in those frameworks. [8] In addition, Log4j 2 offered a plugin architecture which makes it more extensible than its predecessor. Log4j 2 is not backwards compatible with 1.x versions, [9] although an "adapter" is available. On August 5, 2015, the Apache Logging Services Project Management Committee announced that Log4j 1 had reached end of life and that users of Log4j 1 were advised to upgrade to Apache Log4j 2. [10] On January 12, 2022, a forked and renamed log4j version 1.2 was released by Ceki Gülcü as Reload4j version 1.2.18.0 with the aim of fixing the most urgent issues in log4j 1.2.17 that had accumulated since its release in 2013. [11]

On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell". [12] It has been characterized by Tenable as "the single biggest, most critical vulnerability of the last decade". [13]

Apache Log4j 2

Apache Log4j 2 is the successor of Log4j 1 which was released as GA version in July 2015. The framework was rewritten from scratch and has been inspired by existing logging solutions, including Log4j 1 and java.util.logging. The main differences [14] [15] from Log4j 1 are:

One of the most recognized features of Log4j 2 is the performance of the "Asynchronous Loggers". [16] Log4j 2 makes use of the LMAX Disruptor. [17] The library reduces the need for kernel locking and increases the logging performance by a factor of 12. For example, in the same environment Log4j 2 can write more than 18,000,000 messages per second, whereas other frameworks like Logback and Log4j 1 just write < 2,000,000 messages per second.

Features

Log4j log levels

The following table defines the built-in log levels and messages in Log4j, in decreasing order of severity. The left column lists the log level designation in Log4j and the right column provides a brief description of each log level.

LevelDescription
OFFThe highest possible rank and is intended to turn off logging.
FATALSevere errors that cause premature termination. Expect these to be immediately visible on a status console.
ERROROther runtime errors or unexpected conditions. Expect these to be immediately visible on a status console.
WARNUse of deprecated APIs, poor use of API, 'almost' errors, other runtime situations that are undesirable or unexpected, but not necessarily "wrong". Expect these to be immediately visible on a status console.
INFOInteresting runtime events (startup/shutdown). Expect these to be immediately visible on a console, so be conservative and keep to a minimum.
DEBUGDetailed information on the flow through the system. Expect these to be written to logs only. Generally speaking, most lines logged by your application should be written as DEBUG.
TRACEMost detailed information. Expect these to be written to logs only. Since version 1.2.12. [18]

Custom log levels

Log4j 2 allows users to define their own log levels. [19] A source code generator tool is provided to create Loggers that support custom log levels identically to the built-in log levels. Custom log levels can either complement or replace the built-in log levels.

Log4j configuration

Log4j can be configured [20] through a configuration file or through Java code. Configuration files can be written in XML, JSON, YAML, or properties file format. Three main components can be defined: Loggers, Appenders, and Layouts. Configuring logging via a file has the advantage that logging can be turned on or off without modifying the application that uses Log4j. The application can be allowed to run with logging off until there's a problem, for example, and then logging can be turned back on simply by modifying the configuration file.

Loggers [21] are named log message destinations. They are the names that are known to the Java application. Each logger is independently configurable as to what level of logging (FATAL, ERROR, etc.) it currently logs. In early versions of Log4j, these were called category and priority, but now they're called logger and level, respectively. A Logger can send log messages to multiple Appenders.

The actual outputs are done by Appenders. [22] There are numerous Appenders available, with descriptive names, such as FileAppender, RollingFileAppender, ConsoleAppender, SocketAppender, SyslogAppender, and SMTPAppender. Log4j 2 added Appenders that write to Apache Flume, the Java Persistence API, Apache Kafka, NoSQL databases, Memory-mapped files, Random Access files [23] and ZeroMQ endpoints. Multiple Appenders can be attached to any Logger, so it's possible to log the same information to multiple outputs; for example to a file locally and to a socket listener on another computer.

Appenders use Layouts [24] to format log entries. A popular way to format one-line-at-a-time log files is PatternLayout, which uses a pattern string, much like the C / C++ function printf. There are also HTMLLayout and XMLLayout formatters for use when HTML or XML formats are more convenient, respectively. Log4j 2 added Layouts for CSV, Graylog Extended Log Format (GELF), [25] JSON, YAML and RFC-5424. [26]

In Log4j 2, Filters [27] can be defined on configuration elements to give more fine-grained control over which log entries should be processed by which Loggers and Appenders. In addition to filtering by log level and regular expression matching on the message string, Log4j 2 added burst filters, time filters, filtering by other log event attributes like Markers or Thread Context Map and JSR 223 script filters.

To debug a misbehaving configuration:

To find out where a log4j2.xml configuration file was loaded from inspect getClass().getResource("/log4j2.xml").

There is also an implicit "unconfigured" or "default" configuration of Log4j, that of a Log4j-instrumented Java application which lacks any Log4j configuration. This prints to stdout a warning that the program is unconfigured, and the URL to the Log4j web site where details on the warning and configuration may be found. As well as printing this warning, an unconfigured Log4j application will only print ERROR or FATAL log entries to standard out.

Example for Log4j 2

<?xml version="1.0" encoding="UTF-8"?><Configurationstatus="trace"monitorInterval="60"><Properties><Propertyname="filename">target/test.log</Property></Properties><Appenders><Consolename="STDOUT"><PatternLayoutpattern="%d %p %c{1.} [%t] %m%n"/></Console><Filename="file"fileName="${filename}"><PatternLayout><pattern>%d%p%c{1.}[%t]%m%n</pattern></PatternLayout></File></Appenders><Loggers><!--          loggers whose name starts with 'org.springframework' will only log messages of level "info" or higher;         if you retrieve Loggers by using the class name (e.g. Logger.getLogger(AClass.class))         and if AClass is part of the org.springframework package, it will belong to this category    --><Loggername="org.springframework"level="info"additivity="false"/><!--        Filter example: for loggers whose name starts with 'com.mycompany.myproduct',        log entries of level "debug" or higher whose ThreadContextMap data contains        the key-value pair "test=123", also send these log entries to the "STDOUT" appender.    --><Loggername="com.mycompany.myproduct"level="debug"additivity="true"><ThreadContextMapFilter><KeyValuePairkey="test"value="123"/></ThreadContextMapFilter><AppenderRefref="STDOUT"/></Logger><!--        By default, all log messages of level "trace" or higher will be logged.        Log messages are sent to the "file" appender and         log messages of level "error" and higher will be sent to the "STDOUT" appender.    --><Rootlevel="trace"><AppenderRefref="file"/><AppenderRefref="STDOUT"level="error"/></Root></Loggers></Configuration>

Example for Log4j 1.2

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE log4j:configuration PUBLIC "-//LOGGER" "http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-files/log4j.dtd"><log4j:configuration><!--          an appender is an output destination, such as the console or a file;         names of appenders are arbitrarily chosen.    --><appendername="stdout"class="org.apache.log4j.ConsoleAppender"><layoutclass="org.apache.log4j.PatternLayout"><paramname="ConversionPattern"value="%d{ABSOLUTE} %5p %c{1}:%L - %m%n"/></layout></appender><!--          loggers of category 'org.springframework' will only log messages of level "info" or higher;         if you retrieve Loggers by using the class name (e.g. Logger.getLogger(AClass.class))         and if AClass is part of the org.springframework package, it will belong to this category    --><loggername="org.springframework"><levelvalue="info"/></logger><!--          everything of spring was set to "info" but for class          PropertyEditorRegistrySupport we want "debug" logging     --><loggername="org.springframework.beans.PropertyEditorRegistrySupport"><levelvalue="debug"/></logger><loggername="org.acegisecurity"><levelvalue="info"/></logger><root><!--             all log messages of level "debug" or higher will be logged, unless defined otherwise             all log messages will be logged to the appender "stdout", unless defined otherwise         --><levelvalue="debug"/><appender-refref="stdout"/></root></log4j:configuration>

TTCC

TTCC is a message format used by log4j. [28] TTCC is an acronym for Time Thread Category Component. It uses the following pattern:

 %r [%t] %-5p %c %x - %m%n

Where

MnemonicDescription
%rUsed to output the number of milliseconds elapsed from the construction of the layout until the creation of the logging event.
%tUsed to output the name of the thread that generated the logging event.
%pUsed to output the priority of the logging event.
%cUsed to output the category of the logging event.
%xUsed to output the NDC (nested diagnostic context) associated with the thread that generated the logging event. [29]
%X{key}Used to output the MDC (mapped diagnostic context) associated with the thread that generated the logging event for specified key. [30]
%mUsed to output the application supplied message associated with the logging event.
%nUsed to output the platform-specific newline character or characters.

Example output
467 [main] INFO org.apache.log4j.examples.Sort – Exiting main method.

Ports

Log4Shell vulnerability

A zero-day vulnerability involving remote code execution in Log4j 2, given the descriptor "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021. [12] Affected services include Cloudflare, iCloud, Minecraft: Java Edition , [42] Steam, Tencent QQ, and Twitter. [43] [44] [45] The Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could be potentially vulnerable to the exploit. [45] The vulnerability was characterized by cybersecurity firm Tenable as "the single biggest, most critical vulnerability of the last decade" [13] and Lunasec's Free Wortley characterized it as "a design failure of catastrophic proportions". [46]

In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit "critical" and advised vendors to prioritize software updates, [47] and the German agency Federal Office for Information Security (BSI) designated the exploit as being at its highest threat level, calling it an "extremely critical threat situation" (translated). [48] [49] The Canadian Centre for Cyber Security (CCCS) called on organisations to take on immediate action. [50]

The feature causing the vulnerability could be disabled with a configuration setting, which had been removed [51] in Log4j version 2.15.0-rc1 (officially released on December 6, 2021, three days before the vulnerability was published), and replaced by various settings restricting remote lookups, thereby mitigating the vulnerability. [52] [53] For additional security, all features using JNDI, on which this vulnerability was based, will be disabled by default, and support for message lookups removed from version 2.16.0 onward. [54] [55]

See also

Related Research Articles

<span class="mw-page-title-main">Apache SpamAssassin</span> Open-source e-mail spam filter

Apache SpamAssassin is a computer program used for e-mail spam filtering. It uses a variety of spam-detection techniques, including DNS and fuzzy checksum techniques, Bayesian filtering, external programs, blacklists and online databases. It is released under the Apache License 2.0 and is a part of the Apache Foundation since 2004.

JSON is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and arrays. It is a commonly used data format with diverse uses in electronic data interchange, including that of web applications with servers.

Apache Beehive is a discontinued Java Application Framework that was designed to simplify the development of Java EE-based applications. It makes use of various open-source projects at Apache, such as XMLBeans. Apache Beehive uses Java 5, including JSR-175, a facility for annotating fields, methods, and classes so that they can be treated in special ways by runtime tools. It builds on the framework developed for BEA Systems WebLogic Workshop for its 8.1 series. BEA later decided to donate the code to Apache.

<span class="mw-page-title-main">Apache Axis</span> Web service framework

Apache Axis is an open-source, XML based Web service framework. It consists of a Java and a C++ implementation of the SOAP server, and various utilities and APIs for generating and deploying Web service applications. Using Apache Axis, developers can create interoperable, distributed computing applications. Axis development takes place under the auspices of the Apache Software Foundation.

Apache Wicket, commonly referred to as Wicket, is a component-based web application framework for the Java programming language conceptually similar to JavaServer Faces and Tapestry. It was originally written by Jonathan Locke in April 2004. Version 1.0 was released in June 2005. It graduated into an Apache top-level project in June 2007.

<span class="mw-page-title-main">Apache Tapestry</span> Open-source web application framework

Apache Tapestry is an open-source component-oriented Java web application framework conceptually similar to JavaServer Faces and Apache Wicket. Tapestry was created by Howard Lewis Ship, and was adopted by the Apache Software Foundation as a top-level project in 2006.

XML Interface for Network Services (XINS) is an open-source technology for definition and implementation of internet applications, which enforces a specification-oriented approach.

A Java logging framework is a computer data logging package for the Java platform. This article covers general purpose logging frameworks.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework's core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform. The framework does not impose any specific programming model.. The framework has become popular in the Java community as an addition to the Enterprise JavaBeans (EJB) model. The Spring Framework is free and open source software.

Apache Camel is an open source framework for message-oriented middleware with a rule-based routing and mediation engine that provides a Java object-based implementation of the Enterprise Integration Patterns using an application programming interface to configure routing and mediation rules.

Web2py is an open-source web application framework written in the Python programming language. Web2py allows web developers to program dynamic web content using Python. Web2py is designed to help reduce tedious web development tasks, such as developing web forms from scratch, although a web developer may build a form from scratch if required.

Apache Click is a page and component oriented web application framework for the Java language and is built on top of the Java Servlet API.

Simple Logging Facade for Java (SLF4J) provides a Java logging API by means of a simple facade pattern. The underlying logging backend is determined at runtime by adding the desired binding to the classpath and may be the standard Sun Java logging package java.util.logging, Log4j, Reload4j, Logback or tinylog.

<span class="mw-page-title-main">Spring Roo</span> Open-source software tool

Spring Roo is an open-source software tool that uses convention-over-configuration principles to provide rapid application development of Java-based enterprise software. The resulting applications use common Java technologies such as Spring Framework, Java Persistence API, Thymeleaf, Apache Maven and AspectJ. Spring Roo is a member of the Spring portfolio of projects.

Virgo is an open source, OSGi-based, Java application server. Virgo supports the deployment of OSGi bundles and unmodified Java web applications as well as OSGi-influenced Shared Libraries WARs and Shared Services WARs.

<span class="mw-page-title-main">OpenUI5</span> Open source toolkit by SAP for development of enterprise-ready web applications

OpenUI5 is a JavaScript application framework designed to build cross-platform, responsive, enterprise-ready applications. It is an open-source project maintained by SAP SE available under the Apache 2.0 license and open to contributions. OpenUI5's core is based on JavaScript, jQuery, and LESS. The library's feature set includes model–view–controller patterns, data binding, its own UI-element library, and internationalisation support.

Apache Commons Logging is a Java-based logging utility and a programming model for logging and for other toolkits. It provides APIs, log implementations, and wrapper implementations over some other tools.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. "Apache Log4j 1.2 Release History". apache.org. Apache Software Foundation. Retrieved September 2, 2014.
  2. "Release 2.24.1". September 29, 2024. Retrieved October 22, 2024.
  3. "Release Notes - Log4j". logging.apache.org. Retrieved October 9, 2023.
  4. "Reload4j Home". reload4j.qos.ch. Retrieved January 12, 2022.
  5. "Logback Home". Logback.qos.ch. Retrieved July 24, 2014.
  6. Grigg, Kadi (February 4, 2022). "Wicked Good Development - Cybersecurity Experts Talk Log4J, Open Source and More". blog.sonatype.com. Retrieved August 16, 2022.
  7. "Log4j 2 Guide - Apache Log4j 2". Logging.apache.org. July 12, 2014. Retrieved July 24, 2014.
  8. Goers, Ralph (December 15, 2019). "Why was Log4j 2 created?". Ralph Goers.
  9. "Log4j 2 Guide - Apache Log4j 2: News". Logging.apache.org. July 12, 2014. Retrieved July 24, 2014.
  10. "Apache Logging Services Project Announces Log4j 1 End-Of-Life; Recommends Upgrade to Log4j 2". blogs.apache.org. August 5, 2015. Retrieved July 3, 2016.
  11. "Reload4j Project; Easy migration from log4j 1.2.x". qos.ch. January 12, 2022. Retrieved January 12, 2022.
  12. 1 2 "What's the Deal with the Log4Shell Security Nightmare?". Lawfare. December 10, 2021.
  13. 1 2 "Recently uncovered software flaw 'most critical vulnerability of the last decade'". the Guardian. Associated Press. December 11, 2021.
  14. "The new log4j 2.0". Grobmeier.de. December 5, 2012. Retrieved July 24, 2014.
  15. "Log4j – Overview - Apache Log4j 2". logging.apache.org. June 5, 2016. Retrieved July 3, 2016.
  16. "Log4j 2 Asynchronous Loggers for Low-Latency Logging - Apache Log4j 2". Logging.apache.org. July 12, 2014. Retrieved July 24, 2014.
  17. "Disruptor by LMAX-Exchange". Lmax-exchange.github.io. Retrieved July 24, 2014.
  18. "Level (Apache Log4j 1.2.17 API)". Logging.apache.org. June 9, 2012. Retrieved July 24, 2014.
  19. "Custom Log Levels". Logging.apache.org. July 12, 2014. Retrieved July 16, 2016.
  20. "Configuration". Logging.apache.org. July 5, 2016. Retrieved July 16, 2016.
  21. "Architecture". Logging.apache.org. July 5, 2016. Retrieved July 16, 2016.
  22. "Appenders". Logging.apache.org. July 5, 2016. Retrieved July 16, 2016.
  23. "RandomAccessFile". docs.oracle.com. July 28, 2011. Retrieved July 16, 2016.
  24. "Layouts". Logging.apache.org. July 5, 2016. Retrieved July 16, 2016.
  25. "GELF". docs.graylog.org. June 8, 2016. Archived from the original on February 9, 2020. Retrieved July 16, 2016.
  26. Gerhards, R. (March 1, 2009). "RFC 5424 - The Syslog Protocol". tools.ietf.org. doi:10.17487/RFC5424 . Retrieved July 16, 2016.{{cite journal}}: Cite journal requires |journal= (help)
  27. "Filters". Logging.apache.org. July 5, 2016. Retrieved July 16, 2016.
  28. "TTCCLayout (Apache Log4j 1.2.17 API)". Logging.apache.org. June 9, 2012. Retrieved July 24, 2014.
  29. "Class NDC". Archived from the original on August 20, 2007. Retrieved December 11, 2021.
  30. "MDC (Apache Log4j 1.2.17 API)". Logging.apache.org. June 9, 2012. Retrieved July 24, 2014.
  31. "Logging Framework for C | Free System Administration software downloads at". Sourceforge.net. Retrieved July 24, 2014.
  32. "stritti/Log4js - The Logging Framework for JavaScript with no runtime dependencies". GitHub. Retrieved December 11, 2021.
  33. "a JavaScript logging framework". log4javascript. Retrieved December 11, 2021.
  34. "Logging JavaScript errors to your server side log". JSNLog. Retrieved December 11, 2021.
  35. "Apache log4net". Logging.apache.org. Retrieved December 11, 2021.
  36. Schilli, Mike; Goess, Kevin. "log4perl - log4j for Perl". log4perl. Retrieved December 11, 2021.
  37. "Apache Logging Services". Apache.org. Retrieved March 11, 2015.
  38. "tmuth/Logger-A-PL-SQL-Logging-Utility — GitHub". Github.com. Retrieved July 24, 2014.
  39. "Log4db2 by angoca". Angoca.github.io. Retrieved July 24, 2014.
  40. "log4cxx - Changelog". logging.apache.org.
  41. "Log4r Manual". log4r.rubyforge.org. Archived from the original on December 25, 2012. Retrieved April 13, 2017.
  42. "Security Vulnerability in Minecraft: Java Edition". Minecraft . December 10, 2021.
  43. Goodin, Dan (December 9, 2021). "Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica . Retrieved December 10, 2021.
  44. "Worst Apache Log4j RCE Zero day Dropped on Internet". Cyber Kendra. December 9, 2021. Retrieved December 10, 2021.
  45. 1 2 Mott, Nathaniel (December 10, 2021). "Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit". PC Magazine . Retrieved December 10, 2021.
  46. Newman, Lily Hay (December 10, 2021). "The Internet Is on Fire". Wired via www.wired.com.
  47. "Statement from CISA Director Easterly on "Log4j" Vulnerability". CISA. Washington. December 11, 2021.
  48. "BSI warnt vor Sicherheitslücke" [BSI warns of security vulnerabilities]. Tagesschau (in German). December 12, 2021.
  49. "Warnstufe Rot: Schwachstelle Log4Shell führt zu extrem kritischer Bedrohungslage" [Red alarm: Log4Shell vulnerability causes extremely critical threat situation]. BSI press service (in German). December 12, 2021.
  50. "Statement from the Minister of National Defence on Apache Vulnerability and Call to Canadian Organizations to Take Urgent Action". Government of Canada. December 12, 2021. Archived from the original on December 20, 2021. Retrieved December 12, 2021.
  51. "LOG4J2-3198: Log4j2 no longer formats lookups in messages by default". GitHub . December 5, 2021.
  52. "Restrict LDAP access via JNDI by rgoers · Pull Request #608 · apache/logging-log4j2". GitHub. 30 November–5 December 2021
  53. "Apache Log4j Security Vulnerabilities". December 6, 2021.
  54. "LOG4J2-3208: Disable JNDI by default". December 11, 2021. Retrieved December 14, 2021.
  55. "LOG4J2-3211: Remove support for Lookups in messages". December 13, 2021. Retrieved December 14, 2021.

Further reading