ppkarwasz commented on PR #3880:
URL: https://github.com/apache/logging-log4j2/pull/3880#issuecomment-3191767248

   Hi @vy,
   
   > I think this is a good default. If you indeed want the other way around, it makes sense that you need to opt-in for extra configuration, which is `log4j2.discardThreshold` in this case.
   
   I agree: a default that discards **all** log events would be risky. While it 
technically still preserves `FATAL` events, those are rarely used in practice, 
especially since SLF4J doesn’t define a `FATAL` level.
   
   >> More controversially, I think that `asyncQueueFullPolicy` should default to `Discard` for basically the same reasons. One weird thing about this is that the blocking queue-full policy is literally named `DefaultAsyncQueueFullPolicy` and is denoted by the property value `Default`. =\
   > 
   > This is a valid remark. I'd support a PR
   > 
   > 1. renaming the default from `Default` to `Discard`, and
   > 2. translating `Default` usages to `Discard` with a `WARN`'ing logged
   
   I’d be hesitant to change the default from blocking (`Default`) to 
`Discard`, as that seems contrary to the original motivation behind the Log4j 2 
project as initiated by @rgoers. My understanding has always been that one of 
the main differentiators between Logback and Log4j Core is that Logback drops 
messages by default (e.g., `AsyncAppender` discards on a full queue or messages 
are lost during reconfiguration), while Log4j Core does not, even during 
reconfiguration.
   
   This “no events lost” behavior is explicitly part of our [new threat 
model](https://logging.apache.org/security.html#threat-common-threat), where we 
guarantee **reliability** out-of-the-box, while still allowing users to opt 
into more discard-friendly settings when resilience against DoS attacks is a 
priority.
   
   That said, I’m not opposed to:
   
   * Documenting different “profiles”: for example, an “audit mode” profile 
(fully reliable) and a “high-throughput” profile (discard under load), with the 
relevant configuration options spelled out.
   * Adding a `Block` synonym for `Default`, so users can more clearly express 
their intent without having to remember the historical naming.
   
   But I would avoid replacing `Default` with `Discard` as the actual default.
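
Added example, not part of the comment above and not Log4j code: a single-threaded Java model of the trade-off the thread discusses, comparing a blocking queue-full policy with a discarding one while the consumer is stalled. The class, the `simulate` method, the capacity of 128 and the event burst are constructed for illustration; the drop rule (when the queue is full, events at the threshold level or less specific are dropped) is assumed to match the `Discard` policy with `log4j2.discardThreshold`.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.List;
import java.util.Queue;

// Added illustration, not Log4j code: a single-threaded model of a bounded
// async queue whose consumer is stalled (e.g. a slow or flooded appender).
public class QueueFullPolicyDemo {
    // Declared from most to least specific, mirroring Log4j's level ordering.
    enum Level { FATAL, ERROR, WARN, INFO, DEBUG, TRACE }

    record Outcome(int written, int discarded, int producerStalls) {}

    // discardThreshold == null models `Default` (block); a level models
    // `Discard` with log4j2.discardThreshold set to that level (assumption).
    static Outcome simulate(List<Level> events, int capacity, Level discardThreshold) {
        Queue<Level> queue = new ArrayDeque<>();
        int written = 0, discarded = 0, stalls = 0;
        for (Level level : events) {
            if (queue.size() == capacity) {
                // Queue full: the policy decides. Events at the threshold or
                // less specific are dropped; everything else must wait.
                if (discardThreshold != null && level.compareTo(discardThreshold) >= 0) {
                    discarded++;
                    continue;
                }
                stalls++;        // the application thread would block here
                queue.remove();  // ...until the consumer writes one event
                written++;
            }
            queue.add(level);
        }
        written += queue.size(); // remaining events are flushed at shutdown
        return new Outcome(written, discarded, stalls);
    }

    public static void main(String[] args) {
        // Constructed input: a burst of 1000 events, mostly INFO, 1 in 100 ERROR.
        List<Level> burst = new ArrayList<>();
        for (int i = 0; i < 1000; i++) burst.add(i % 100 == 99 ? Level.ERROR : Level.INFO);

        System.out.println("Default (block):          " + simulate(burst, 128, null));
        System.out.println("Discard, threshold INFO:  " + simulate(burst, 128, Level.INFO));
        System.out.println("Discard, threshold ERROR: " + simulate(burst, 128, Level.ERROR));
    }
}
```

In this model the blocking run loses nothing but stalls the producer on every event past the queue capacity, while the discarding runs trade lost events for fewer or no stalls; events more specific than the threshold still block.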
   

