Hello,
It's not entirely clear to me whether setting formatMsgNoLookups=true affects
only messages that are getting logged or whether it affects appenders
declared using similar syntax.
Taking an example from the log4j appender documentation, will it affect any $
entries declared here?
<RollingFile
name="Rolling-${mdc:UserId}"
fileName="${mdc:UserId}.log"
filePattern="${mdc:UserId}.%i.log.gz">
.....
I tried to look up the documentation of the variable, but unfortunately failed.
Regards,
Niranjan
On 12/10/21 2:08 AM, Ralph Goers wrote:
The Apache Log4j 2 team is pleased to announce the Log4j 2.15.0 release!
Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an
upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x,
and provides many other modern features such as support for Markers, lambda expressions
for lazy logging, property substitution using Lookups, multiple patterns on a
PatternLayout and asynchronous Loggers. Another notable Log4j 2 feature is the ability to
be "garbage-free" (avoid allocating temporary objects) while logging. In
addition, Log4j 2 will not lose events while reconfiguring.
The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/download.html.
This release contains a number of bug fixes and minor enhancements which are
listed below.
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228,
that has been addressed in Log4j 2.15.0.
Log4j’s JNDI support has not restricted what names could be resolved. Some
protocols are unsafe or can allow remote code execution. Log4j now limits the
protocols by default to only java, ldap, and ldaps and limits the ldap
protocols to only accessing Java primitive objects by default served on the
local host.
One vector that allowed exposure to this vulnerability was Log4j’s allowance of
Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now
disabled by default. While an option has been provided to enable Lookups in
this fashion, users are strongly discouraged from enabling it.
Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
a) Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a
command line option or add log4j.formatMsgNoLookups=true to a
log4j2.component.properties file on the classpath to prevent lookups in log
event messages.
b) Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout
configuration to prevent lookups in log event messages.
c) Remove the JndiLookup and JndiManager classes from the log4j-core jar.
Removal of the JndiManager will cause the JndiContextSelector and JMSAppender
to no longer function.
Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j
adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with
SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See
https://issues.apache.org/jira/browse/LOG4J2-2975
and https://jira.qos.ch/browse/SLF4J-511.
Some of the new features in Log4j 2.15.0 include:
• Support for Arbiters, which are conditionals that can enable sections
of the logging configuration for inclusion or exclusion. In particular,
SpringProfile, SystemProperty, Script, and Class Arbiters have been provided
that use the Spring profile, System property, the result of a script, or the
presence of a class respectively to determine whether a section of
configuration should be included.
• Support for Jakarta EE 9. This is functionally equivalent to Log4j's
log4j-web module but uses the Jakarta project.
• Various performance improvements.
Key changes to note:
• Prior to this release Log4j would automatically resolve Lookups
contained in the message or its parameters in the Pattern Layout. This behavior
is no longer the default and must be enabled by specifying %msg{lookup}.
• The JNDI Lookup has been restricted to only support the java, ldap,
and ldaps protocols by default. LDAP also no longer supports classes that
implement the Referenceable interface and restricts the Serializable classes to
the Java primitive classes by default and requires an allow list to be
specified to access remote LDAP servers.
The Log4j 2.15.0 API, as well as many core components, maintains binary
compatibility with previous releases.
GA Release 2.15.0
Changes in this version include:
New Features
• LOG4J2-3198: Pattern layout no longer enables lookups within message
text by default for cleaner API boundaries and reduced formatting overhead. The
old 'log4j2.formatMsgNoLookups' which enabled this behavior has been removed as
well as the 'nolookups' message pattern converter option. The old behavior can
be enabled on a per-pattern basis using '%m{lookups}'.
• LOG4J2-3194: Allow fractional attributes for size attribute of
SizeBasedTriggeringPolicy. Thanks to markuss.
• LOG4J2-2978: Add support for Jakarta EE 9 (Tomcat 10 / Jetty 11).
Thanks to Michael Seele.
• LOG4J2-3189: Improve NameAbbreviator worst-case performance.
• LOG4J2-3170: Make CRLF/HTML encoding run in O(n) worst-case time,
rather than O(n^2). Thanks to Gareth Smith.
• LOG4J2-3133: Add missing slf4j-api singleton accessors to
log4j-slf4j-impl (1.7) StaticMarkerBinder and StaticMDCBinder. This doesn't
impact behavior or correctness, but avoids throwing and catching
NoSuchMethodErrors when slf4j is initialized and avoids linkage linting
warnings.
• LOG4J2-2885: Add support for US-style date patterns and micro/nano
seconds to FixedDateTime. Thanks to Markus Spann.
• LOG4J2-3116: Add JsonTemplateLayout for Google Cloud Platform
structured logging layout.
• LOG4J2-3067: Add CounterResolver to JsonTemplateLayout.
• LOG4J2-3074: Add replacement parameter to ReadOnlyStringMapResolver.
• LOG4J2-3051: Add CaseConverterResolver to JsonTemplateLayout.
• LOG4J2-3064: Add Arbiters and SpringProfile plugin.
• LOG4J2-3056: Refactor MD5 usage for sharing sensitive information.
Thanks to Marcono1234.
• LOG4J2-3004: Add plugin support to JsonTemplateLayout.
• LOG4J2-3050: Allow AdditionalFields to be ignored if their value is
null or a zero-length String.
• LOG4J2-3049: Allow MapMessage and ThreadContext attributes to be
prefixed.
• LOG4J2-3048: Add improved MapMessage support to GelfLayout.
• LOG4J2-3044: Add RepeatPatternConverter.
• LOG4J2-2940: Context selectors are aware of their dependence upon the
callers ClassLoader, allowing basic context selectors to avoid the unnecessary
overhead of walking the stack to determine the caller's ClassLoader.
• LOG4J2-2940: Add BasicAsyncLoggerContextSelector equivalent to
AsyncLoggerContextSelector for applications with a single LoggerContext. This
selector avoids classloader lookup overhead incurred by the existing
AsyncLoggerContextSelector.
• LOG4J2-3041: Allow a PatternSelector to be specified on GelfLayout.
• LOG4J2-3141: Avoid ThreadLocal overhead in RandomAccessFileAppender,
RollingRandomAccessFileManager, and MemoryMappedFileManager due to the unused
setEndOfBatch and isEndOfBatch methods. The methods on LogEvent are preferred.
• LOG4J2-3144: Prefer string.getBytes(Charset) over
string.getBytes(String) based on performance improvements in modern Java
releases.
• LOG4J2-3171: Improve PatternLayout performance by reducing
unnecessary indirection and branching.
Fixed Bugs
• LOG4J2-3201: Limit the protocols JNDI can use by default. Limit the
servers and classes that can be accessed via LDAP.
• LOG4J2-3114: Enable immediate flush on RollingFileAppender when
buffered i/o is not enabled. Thanks to Barnabas Bodnar.
• LOG4J2-3168: Fix bug when file names contain regex characters. Thanks
to Benjamin Wöster.
• LOG4J2-3110: Fix the number of {}-placeholders in the string literal
argument does not match the number of other arguments to the logging call.
Thanks to Arturo Bernal.
• LOG4J2-3060: Fix thread-safety issues in DefaultErrorHandler. Thanks
to Nikita Mikhailov.
• LOG4J2-3185: Fix thread-safety issues in DefaultErrorHandler. Thanks
to mzbonnt.
• LOG4J2-3183: Avoid using MutableInstant of the event as a cache key
in JsonTemplateLayout.
• LOG4J2-2829: SocketAppender should propagate failures when
reconnection fails.
• LOG4J2-3172: Buffer immutable log events in the SmtpManager. Thanks
to Barry Fleming.
• LOG4J2-3175: Avoid KafkaManager override when topics differ. Thanks
to wuqian0808.
• LOG4J2-3160: Fix documentation on how to toggle log4j2.debug system
property. Thanks to Lars Bohl.
• LOG4J2-3159: Fixed an unlikely race condition in
Log4jMarker.getParents() volatile access.
• LOG4J2-3153: DatePatternConverter performance is not impacted by
microsecond-precision clocks when such precision isn't required.
• LOG4J2-2808: LoggerContext skips resolving localhost when hostName is
configured. Thanks to Asapha Halifa.
• LOG4J2-3150: RandomAccessFile appender uses the correct default
buffer size of 256 kB rather than the default appender buffer size of 8 kB.
• LOG4J2-3142: log4j-1.2-api implements LogEventAdapter.getTimestamp()
based on the original event timestamp instead of returning zero. Thanks to John
Meikle.
• LOG4J2-3083: log4j-slf4j-impl and log4j-slf4j18-impl correctly detect
the calling class using both LoggerFactory.getLogger methods as well as
LoggerFactory.getILoggerFactory().getLogger.
• LOG4J2-2816: Handle Disruptor event translation exceptions. Thanks to
Jacob Shields.
• LOG4J2-3121: log4j2 config modified at run-time may trigger
incomplete MBean re-initialization due to InstanceAlreadyExistsException.
Thanks to Markus Spann.
• LOG4J2-3107: SmtpManager.createManagerName ignores port. Thanks to
Markus Spann.
• LOG4J2-3080: Use SimpleMessage in Log4j 1 Category whenever possible.
• LOG4J2-3102: Fix a regression in 2.14.1 which allowed the
AsyncAppender background thread to keep the JVM alive because the daemon flag
was not set.
• LOG4J2-3103: Fix race condition which can result in
ConcurrentModificationException on context.stop. Thanks to Mike Glazer.
• LOG4J2-3092: Fix JsonWriter memory leaks due to retained excessive
buffer growth. Thanks to xmh51.
• LOG4J2-3089: Fix sporadic JsonTemplateLayoutNullEventDelimiterTest
failures on Windows. Thanks to Tim Perry.
• LOG4J2-3075: Fix formatting of nanoseconds in JsonTemplateLayout.
• LOG4J2-3087: Fix race in JsonTemplateLayout where a timestamp could
end up unquoted. Thanks to Anton Klarén.
• LOG4J2-3070: Ensure EncodingPatternConverter#handlesThrowable is
implemented. Thanks to Romain Manni-Bucau.
• LOG4J2-3054: BasicContextSelector hasContext and shutdown take the
default context into account.
• LOG4J2-2940: Slf4j implementations walk the stack at most once rather
than twice to determine the caller's class loader.
• LOG4J2-2965: Fixed a deadlock between the AsyncLoggerContextSelector
and java.util.logging.LogManager by updating Disruptor to 3.4.4.
• LOG4J2-3095: Category.setLevel should accept null value. Thanks to
Kenny MacLeod, Gary Gregory.
• LOG4J2-3174: Wrong subject on mail when it depends on the LogEvent.
Thanks to romainmoreau.
Changes
• : Update Spring framework to 5.3.13, Spring Boot to 2.5.7, and Spring
Cloud to 2020.0.4.
• LOG4J2-2025: Provide support for overriding the Tomcat Log class in
Tomcat 8.5+.
• : Updated dependencies.
- com.fasterxml.jackson.core:jackson-annotations ................. 2.12.2 -> 2.12.4
- com.fasterxml.jackson.core:jackson-core ........................ 2.12.2 -> 2.12.4
- com.fasterxml.jackson.core:jackson-databind .................... 2.12.2 -> 2.12.4
- com.fasterxml.jackson.dataformat:jackson-dataformat-xml ........ 2.12.2 -> 2.12.4
- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml ....... 2.12.2 -> 2.12.4
- com.fasterxml.jackson.module:jackson-module-jaxb-annotations ... 2.12.2 -> 2.12.4
- com.fasterxml.woodstox:woodstox-core ........................... 6.2.4 -> 6.2.6
- commons-io:commons-io .......................................... 2.8.0 -> 2.11.0
- net.javacrumbs.json-unit:json-unit ............................. 2.24.0 -> 2.25.0
- net.javacrumbs.json-unit:json-unit ............................. 2.25.0 -> 2.27.0
- org.apache.activemq:activemq-broker ............................ 5.16.1 -> 5.16.2
- org.apache.activemq:activemq-broker ............................ 5.16.2 -> 5.16.3
- org.apache.commons:commons-compress ............................ 1.20 -> 1.21
- org.apache.commons:commons-csv ................................. 1.8 -> 1.9.0
- org.apache.commons:commons-dbcp2 ............................... 2.8.0 -> 2.9.0
- org.apache.commons:commons-pool2 ............................... 2.9.0 -> 2.11.1
- org.apache.maven.plugins:maven-failsafe-plugin ................. 2.22.2 -> 3.0.0-M5
- org.apache.maven.plugins:maven-surefire-plugin ................. 2.22.2 -> 3.0.0-M5
- org.apache.rat:apache-rat-plugin ............................... 0.12 -> 0.13
- org.assertj:assertj-core ....................................... 3.19.0 -> 3.20.2
- org.codehaus.groovy:groovy-dateutil ............................ 3.0.7 -> 3.0.8
- org.codehaus.groovy:groovy-jsr223 .............................. 3.0.7 -> 3.0.8
- org.codehaus.plexus:plexus-utils ............................... 3.3.0 -> 3.4.0
- org.eclipse.persistence:javax.persistence ...................... 2.1.1 -> 2.2.1
- org.eclipse.persistence:org.eclipse.persistence.jpa ............ 2.6.5 -> 2.6.9
- org.eclipse.persistence:org.eclipse.persistence.jpa ............ 2.7.8 -> 2.7.9
- org.fusesource.jansi ........................................... 2.3.2 -> 2.3.4
- org.fusesource.jansi:jansi ..................................... 2.3.1 -> 2.3.2
- org.hsqldb:hsqldb .............................................. 2.5.1 -> 2.5.2
- org.junit.jupiter:junit-jupiter-engine ......................... 5.7.1 -> 5.7.2
- org.junit.jupiter:junit-jupiter-migrationsupport ............... 5.7.1 -> 5.7.2
- org.junit.jupiter:junit-jupiter-params ......................... 5.7.1 -> 5.7.2
- org.junit.vintage:junit-vintage-engine ......................... 5.7.1 -> 5.7.2
- org.liquibase:liquibase-core ................................... 3.5.3 -> 3.5.5
- org.mockito:mockito-core ....................................... 3.8.0 -> 3.11.2
- org.mockito:mockito-junit-jupiter .............................. 3.8.0 -> 3.11.2
- org.springframework:spring-aop ................................. 5.3.3 -> 5.3.9
- org.springframework:spring-beans ............................... 5.3.3 -> 5.3.9
- org.springframework:spring-context ............................. 5.3.3 -> 5.3.9
- org.springframework:spring-context-support ..................... 5.3.3 -> 5.3.9
- org.springframework:spring-core ................................ 5.3.3 -> 5.3.9
- org.springframework:spring-expression .......................... 5.3.3 -> 5.3.9
- org.springframework:spring-oxm ................................. 5.3.3 -> 5.3.9
- org.springframework:spring-test ................................ 5.3.3 -> 5.3.9
- org.springframework:spring-web ................................. 5.3.3 -> 5.3.9
- org.springframework:spring-webmvc .............................. 5.3.3 -> 5.3.9
- org.tukaani:xz ................................................. 1.8 -> 1.9
Apache Log4j 2.15.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1
is the last release to support Java 7. Java 7 is no longer supported by the
Log4j team.
For complete information on Apache Log4j 2, including instructions on how to
submit bug reports, patches, or suggestions for improvement, see the
Apache Log4j 2 website:
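A way to check mitigation (c) across a deployment, as an added example that is not part of the original e-mail or the Log4j project's code: it lists each log4j-core copy inside a jar, including jars nested in a fat jar or war, and reports whether the JndiLookup and JndiManager class entries are still present. The function names, the version lookup via Maven's pom.properties entry and the sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# Class entries named in mitigation (c); paths are those used inside log4j-core.
JNDI_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)
# Assumption: the jar was built by Maven and still carries its pom.properties.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def audit_archive(data, label="<archive>"):
    """List every log4j-core copy in a jar/war, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    findings = []
    with zf:
        names = zf.namelist()
        present = [c for c in JNDI_CLASSES if c in names]
        version = None
        if POM_PROPS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(\S+)", text, re.M)
            version = match.group(1) if match else None
        if present or version:
            # An empty "jndi" list with a version set means (c) has been applied.
            findings.append({"where": label, "version": version, "jndi": present})
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings += audit_archive(zf.read(name), label + "!/" + name)
    return findings

def make_jar(entries):
    """Build an in-memory archive from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a fat jar bundling an unmodified log4j-core.
    core = make_jar({POM_PROPS: b"version=2.14.1\n", **{c: b"" for c in JNDI_CLASSES}})
    app = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": core})
    for finding in audit_archive(app, "app.jar"):
        print(finding)
```

A finding that still lists JndiManager is expected wherever JndiContextSelector or JMSAppender is in use, since the announcement notes that removing that class disables both.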