Re: Log4j Audit

Sure Ralph > On Oct 10, 2023, at 2:05 AM, Piotr P. Karwasz wrote: > > Hi all, > > Since Log4j Audit will not be archived, could someone update its > dependencies? Dependabot has lots of security alerts about it: > > https://github.com/apache/logging-log4j-audit/security/dependabot > >

Re: Log4j-audit release

IMO metrics and auditing don’t have a lot in common. That said, I do use the RequestContext to log elapsed time of every request. See the RequestContextFilter class. Ralph > On Jun 11, 2018, at 11:56 AM, Matt Sicker wrote: > > What about metrics gathering? Is that an orthogonal concern or

Re: Log4j-audit release

What about metrics gathering? Is that an orthogonal concern or can you make audit logs like that? On Mon, Jun 11, 2018 at 12:59, Ralph Goers wrote: > So for the use case you describe I would suggest you think about the > events that need to be audited and the data that is associated with those

Re: Log4j-audit release

So for the use case you describe I would suggest you think about the events that need to be audited and the data that is associated with those events. Then figure out which are request context items (for web apps there are a few that should be considered “universal" since every app on the

Re: Log4j-audit release

I think this is an observability related idea which is still rather new to many companies who are just finally embracing DevOps in the first place. I love the idea though! On Mon, Jun 11, 2018 at 10:32, Ralph Goers wrote: > Really? I would think almost everything would want to track who made

Re: Log4j-audit release

Really? I would think almost everything would want to track who made what change to the system. Ralph > On Jun 11, 2018, at 5:20 AM, Matt Sicker wrote: > > Ok, thanks for the clarification. It sounded far more advanced, and I’m > getting a better picture here. I’ve never worked in a domain

Re: Log4j-audit release

Ok, thanks for the clarification. It sounded far more advanced, and I’m getting a better picture here. I’ve never worked in a domain that requires auditing before. On Mon, Jun 11, 2018 at 08:03, Apache wrote: > No. It implements that feature through the request context but I wouldn’t > use a

Re: Log4j-audit release

No. It implements that feature through the request context but I wouldn’t use a catalog for simple trace logging. Ralph > On Jun 11, 2018, at 4:29 AM, Matt Sicker wrote: > > One thing I didn’t notice until now is that this is a superset of > distributed trace logging. Would you say that’s

Re: Log4j-audit release

One thing I didn’t notice until now is that this is a superset of distributed trace logging. Would you say that’s accurate? On Mon, Jun 11, 2018 at 00:54, Apache wrote: > One thing I forgot to mention. Although Log4J audit doesn’t make use of > the product or category the catalog’s usefulness

Re: Log4j-audit release

One thing I forgot to mention. Although Log4J audit doesn’t make use of the product or category the catalog’s usefulness really comes into play when you want to create a UI to query and display the audit events. In that case associating events with products and/or categories can be quite

Re: Log4j-audit release

Oh. You don’t have the maven plugin. Since it hasn’t been released yet you will have to build the Log4J audit project. Sent from my iPad > On Jun 10, 2018, at 12:23 AM, Remko Popma wrote: > > That is with > C:\Users\remko\IdeaProjects\logging-log4j-audit-sample>mvn --version > Apache Maven

Re: Log4j-audit release

Ok. I will take a look in the morning. Sent from my iPad > On Jun 10, 2018, at 12:23 AM, Remko Popma wrote: > > That is with > C:\Users\remko\IdeaProjects\logging-log4j-audit-sample>mvn --version > Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; > 2017-10-18T16:58:13+09:00) >

Re: Log4j-audit release

That is with C:\Users\remko\IdeaProjects\logging-log4j-audit-sample>mvn --version Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T16:58:13+09:00) Maven home: C:\apps\apache-maven-3.5.2\bin\.. Java version: 1.8.0_161, vendor: Oracle Corporation Java home:

Re: Log4j-audit release

getting this now [INFO] Reactor Summary: [INFO] [INFO] Audit Sample Parent SUCCESS [ 0.839 s] [INFO] audit-service-api .. FAILURE [ 0.006 s] [INFO] audit-service-war .. SKIPPED [INFO] audit-service

Re: Log4j-audit release

I finally have had time to take a breath and do something with this. I have tried to incorporate many of your comments in the documentation. I have updated my web site accordingly. Some comments are below. I really would like feedback on more than just the site as I need to release this. >

Re: Log4j-audit release

Thanks. I am so swamped at work right now I probably won’t get anything done with this for a week or so. Ralph > On May 10, 2018, at 7:46 AM, Remko Popma wrote: > > Ralph, the doc changes are improvements but not ground to veto a release. > I haven't actually tried it

Re: Log4j-audit release

Ralph, the doc changes are improvements but not ground to veto a release. I haven't actually tried it yet. On Wed, May 9, 2018 at 11:47 PM, Matt Sicker wrote: > I've never worked in a domain where audit logging is used, so I won't have > much feedback about that. I will,

Re: Log4j-audit release

I've never worked in a domain where audit logging is used, so I won't have much feedback about that. I will, however, provide a more thorough release review (similar to Incubator). On 9 May 2018 at 00:32, Ralph Goers wrote: > Thanks for this re-review. While I am

Re: Log4j-audit release

Thanks for this re-review. While I am going to go through this and make some changes, my basic question would be is if any of this would make you vote -1 on a release candidate? While I think the documentation should be good I don’t think it has to be perfect. Although I have been using it

Re: Log4j-audit release

I had time to look at this during the flight, here it is: index.html typo: Diagnostic logs are critical in aiding in maintaining the servicability -> critical in maintaining? Overall, the first three sections, "What is Audit Logging", What is the difference between audit logging and normal

Re: Log4j-audit release

I've been meaning to take a closer look at this. I'll review it over the next day or two. On 6 May 2018 at 16:26, Ralph Goers wrote: > I spoke too soon. I made a minor change to add a link to Apache events in > the site header. > > Ralph > > > On May 6, 2018, at 2:24

Re: Log4j-audit release

I spoke too soon. I made a minor change to add a link to Apache events in the site header. Ralph > On May 6, 2018, at 2:24 PM, Ralph Goers wrote: > > I don’t think anything has changed since I last published but I will rebuild > it and publish it again. > > Ralph

Re: Log4j-audit release

I don’t think anything has changed since I last published but I will rebuild it and publish it again. Ralph > On May 6, 2018, at 12:52 PM, Remko Popma wrote: > > I’ll be flying back to Tokyo tomorrow but I can take another look when I’m > back. Is there a recent

Re: Log4j-audit release

I’ll be flying back to Tokyo tomorrow but I can take another look when I’m back. Is there a recent snapshot of the site on your GitHub account? > On May 6, 2018, at 21:35, Ralph Goers wrote: > > I have finished everything I wanted to accomplish for the first

Re: Log4j Audit

Once again, thanks for the comments! In general you have most of the flow down, although I would do them in a different order. 1) Install the catalog editor (This is a one time activity) 2) Perform analysis. 3) Use the editor to create audit event and attribute definitions. 4) Publish those

Re: Log4j Audit

Ralph, very nice improvements! Especially the first page does a great job at explaining what audit logging is and why/when you would want to use it. The Getting Started page then does a tutorial-style deep dive into using Log4j Audit, but unfortunately gets a bit bogged down in setting up the

Re: Log4j Audit

Ok, I’ll try tonight if I can. > On Feb 12, 2018, at 9:31, Ralph Goers wrote: > > Remko, > > I believe I have addressed most of the feedback from these two emails, > although I haven’t figured out how the selected component stays highlighted > in the left hand

Re: Log4j Audit

Remko, I believe I have addressed most of the feedback from these two emails, although I haven’t figured out how the selected component stays highlighted in the left hand menu. I’d appreciate you and everyone else taking another look at https://rgoers.github.io/log4j-audit/index.html

Re: Log4j Audit

On 4 February 2018 at 23:35, Ralph Goers wrote: > Well I have good news and bad news. The bad news is that I forgot my wife > and I were having people over for the super bowl so I didn’t have as much > time as I had hoped and I wasn’t able to run the Log4j 2.11.0

Re: Log4j Audit

Chandra, Yes it is a new project. I’ve been working on it for quite some time. I developed something like it for my former employer many years ago and it was one of my primary motivations for starting Log4j 2. I am using this project at my current employer. A container is not required to

Re: Log4j Audit

Hi Remko, +1 for the top page feedback. This is the first time I’m looking at this (is this a new project under log4j?). Also, is a container (tomcat or others ) a requirement? if it is I do not see it in the requirements section. I assumed it was an api either using or built on top of log4j2

Re: Log4j Audit

Remko, Thanks for all the good feedback! That is exactly what I was looking for. I won’t answer the questions you posed here. Instead, I will try to correct the web site to see if it does the job. Ralph > On Feb 5, 2018, at 8:04 AM, Remko Popma wrote: > > About the

Re: Log4j Audit

About the web site, the project seems to have components, but the component links in the left-hand navigation menu are not very useful: If you click on "Audit API" for example, only some standard Maven-generated component links/pages are visible, no javadoc or sources in the Component Reports.

Re: Log4j-audit

Yup, it is needed in log4j-catalog-jpa to get javax.persistence. I probably don’t need it in the other modules (except for the wars). Ralph > On Sep 6, 2017, at 1:13 PM, Mikael Ståldal wrote: > > I see that several modules depends on javax:javaee-api. Is that necessary? It

Re: Log4j-audit

I see that several modules depends on javax:javaee-api. Is that necessary? It should only be necessary in log4j-catalog-jpa, right? I see that log4j-catalog-api and log4j-catalog-git depends on javax:javaee-api and on Spring Framework. It would be better if those modules didn't. On

Re: Log4j-audit

Thanks, I will look at JavaPoet and see if it makes things any simpler. Only the web app and rest service depend on Spring. At this point it is a requirement. What JavaEE stuff? The catalog-war project is a user interface for editing the catalog. When I start creating documents I will take

Re: Log4j-audit

I had a quick look. Some comments: * You might want to use the JavaPoet library to generate Java source code, it is Apache-licensed, available on Maven central and has no transitive dependencies: https://github.com/square/javapoet * Some users might not like to depend on Spring Framework. *