Log4J2 Vulnerabilities
The description is as follows:
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
The description is as follows:
Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
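As an added example (not code from the original post or from the Log4j project), a small audit helper that parses a log4j2.xml and reports every JDBC appender whose DataSource jndiName lies outside the java: namespace, which is exactly what the fixed releases above refuse; the class name, the sample configuration and the ldap name inside it are constructed for the illustration, and only the XML configuration format is handled.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
// Hypothetical audit helper: reports JDBC appenders whose DataSource JNDI name is not a java: name.
public class Log4j2ConfigAudit {
    // Constructed sample config: one non-java: JNDI data source and one java: data source.
    static final String SAMPLE_CONFIG = String.join("\n",
        "<Configuration status=\"WARN\">",
        "  <Appenders>",
        "    <JDBC name=\"dbUntrusted\" tableName=\"LOGS\">",
        "      <DataSource jndiName=\"ldap://example.invalid/ds\"/>",
        "    </JDBC>",
        "    <JDBC name=\"dbLocal\" tableName=\"LOGS\">",
        "      <DataSource jndiName=\"java:comp/env/jdbc/LoggingDS\"/>",
        "    </JDBC>",
        "  </Appenders>",
        "</Configuration>");
    public static List<String> findNonJavaJndiDataSources(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The config file is the untrusted input here, so parse it without DTDs or external entities.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();
        NodeList appenders = doc.getElementsByTagName("JDBC");
        for (int i = 0; i < appenders.getLength(); i++) {
            Element jdbc = (Element) appenders.item(i);
            NodeList sources = jdbc.getElementsByTagName("DataSource");
            for (int j = 0; j < sources.getLength(); j++) {
                String jndiName = ((Element) sources.item(j)).getAttribute("jndiName");
                // 2.17.1, 2.12.4 and 2.3.2 only accept names in the java: namespace; flag anything else.
                if (!jndiName.startsWith("java:")) {
                    findings.add(jdbc.getAttribute("name") + " -> " + jndiName);
                }
            }
        }
        return findings;
    }
    public static void main(String[] args) throws Exception {
        findNonJavaJndiDataSources(SAMPLE_CONFIG)
            .forEach(f -> System.out.println("JDBC appender with non-java: JNDI data source: " + f));
    }
}
```

Run against the sample it reports only dbUntrusted; a JSON, YAML or properties configuration would need the same check applied to its own syntax.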
Maven
Log4J - Old
The description is as follows. In other words, it has not been updated since 2012. It should not be used.
The reload4j project aims to fix the most urgent issues in log4j 1.2.17 which hasn't seen a new release since 2012. Note that on 2022-01-06 the Apache Logging PMC formally voted to reaffirm the EOL (End of Life) status of log4j 1.x. Despite our best efforts it was therefore impossible to revive the log4j 1.x project within the Apache Software Foundation.
Example
We include the following lines:
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
</dependency>
Log4J2
Example - BOM
We include the following. It brings in all the libraries, such as log4j-api, log4j-core, log4j-layout-template-json and log4j-slf4j-impl.
<!-- a BOM with scope import only takes effect inside dependencyManagement -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>2.20.0</version>
      <scope>import</scope>
      <type>pom</type>
    </dependency>
  </dependencies>
</dependencyManagement>
Example
We include the following. It is split into two parts, API and Implementation.
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>2.17.1</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.17.1</version>
</dependency>
Classes such as LogManager and Logger are inside the api jar. Actually, adding only the log4j-core dependency is enough. The description is as follows:
Log4j 2 can be thought of as SLF4J with Logback. log4j-api is equivalent to SLF4J, and log4j-core is equivalent to Logback. So to use only Log4j 2, we can simply add the log4j-core dependency, and log4j-api is included in log4j-core.
Note: it will not work if you only include the log4j-api dependency without log4j-core in your project.
Gradle
We do it like this:
implementation("org.apache.logging.log4j:log4j-core:2.17.1")
Configuration File
I moved it to the Log4j2 Configuration File post.
Log4j and SLF4J Bridge
The description is as follows:
Log4j2 includes a log4j-to-slf4j bridge module. Any application coded against the Log4j2 API can choose to switch the backing implementation to any slf4j-compliant implementation at any time.
If we want to use logback, we include the following:
log4j-api, log4j-to-slf4j, slf4j, logback
SLF4J To Log4J
Example
We do it like this:
implementation("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1") {
    exclude("org.apache.logging.log4j", "log4j-api") // this line is optional
}
implementation("org.apache.logging.log4j:log4j-core:2.17.1")
log4j-slf4j-impl is a bridge module that allows you to use Log4j 2 as the underlying logging implementation for SLF4J. It depends on both slf4j-api and log4j-core, but it provides a simplified API for users who are already familiar with SLF4J and prefer to use it for logging. Since log4j-slf4j-impl also pulls in log4j-api and slf4j-api, we don't need to explicitly include slf4j-api.
Example
We do it like this:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SLF4JExample {
    // Obtained through the SLF4J facade; log4j-slf4j-impl routes it to Log4j 2 at runtime
    private static final Logger logger = LoggerFactory.getLogger(SLF4JExample.class);

    public static void main(String[] args) {
        logger.trace("This is a trace message.");
        logger.debug("This is a debug message.");
        logger.info("This is an info message.");
        logger.warn("This is a warn message.");
        logger.error("This is an error message.");
        // SLF4J's Logger has no FATAL level, so the following does not compile:
        // logger.fatal("This is a fatal message"); // Cannot resolve method 'fatal' in 'Logger'
    }
}
Appender Classes
ConsoleAppender — writes the data to System.out or System.err, with the default being the first one (a Java best practice when logging in containers)
FileAppender — appender that uses the FileManager to write the data to a defined file
RollingFileAppender — appender that writes data to a defined file and rolls over the file according to a defined policy
MemoryMappedFileAppender — added in version 2.1, uses memory-mapped files and relies on the operating system virtual memory manager to synchronize the changes in the file with the storage device
FlumeAppender — appender that writes data to Apache Flume
CassandraAppender — appender that writes data to Apache Cassandra
JDBCAppender — writes data to a database using a standard JDBC driver
HTTPAppender — writes data to a defined HTTP endpoint
KafkaAppender — writes data to Apache Kafka
SyslogAppender — writes data to a Syslog-compatible destination
ZeroMQAppender — writes data to ZeroMQ
AsyncAppender — encapsulates another appender and uses a different thread to write data, which results in asynchronous logging
LogManager Class
We include the following lines.
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
getLogger method
We do it like this.
private static final Logger logger = LogManager.getLogger(MyApplication.class);
Logger Class
We include the following line.
import org.apache.logging.log4j.Logger;
The description of the levels is as follows:
Log4j provides seven log levels: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and OFF in ascending order of severity. If the log level is set to OFF, logging is disabled.
debug method
We do it like this.
logger.debug("Skipping...");
fatal method
We do it like this.
IOException e = ...
logger.fatal("Failed to perform operations ", e);
info method
We do it like this.
logger.info("Foo is at {}", foo);
warn method
We do it like this.
InterruptedException e = ...;
logger.warn("Sleep interrupted", e);