
Apache Log4j Security Vulnerabilities - 2.17.0 jar does not load Lookup values into log4j2.xml


Following the Apache Log4j security vulnerabilities guide, I updated to the 2.17.0 jar in my application.

After the upgrade, the log file is not generated.

Spring version : 5.3.13
Log4j version : 2.17.0
java : 1.8

Please see the log4j2.xml given below.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration monitorInterval="1">
    <Properties>
        
        <Property name="log-path">${appconfig:log_path}</Property>
        <Property name="log-name">${appconfig:filename}</Property>
        <Property name="archive-days">${appconfig:archive_days}</Property>
        <Property name="file-level">${appconfig:file_level}</Property>
        <Property name="console-level">${appconfig:console_level}</Property>
         
        
    </Properties>
    <Appenders>

        <Routing name="route-log">
            <Routes pattern="${ctx:routingLogFile}">
                
                <Route>
                    <RollingFile name="default-log" fileName="${log-path}/${log-name}.log"
                                 filePattern="${log-path}/${date:yyyy-MM}/${log-name}.%d{MM-dd-yyyy}-%i.log.gz" append="true">
                        <PatternLayout
                                pattern="%d{MM/dd/yyyy HH:mm:ss.SSS z} %X{machine-name} %X{app-name} [%t] %-5level %logger{36}:%-3L - %msg%n" />
                        <Policies>
                            <TimeBasedTriggeringPolicy />
                            <SizeBasedTriggeringPolicy size="150 MB"/>
                        </Policies>
                        <DefaultRolloverStrategy max="1000">
                            <Delete basePath="${log-path}/" maxDepth="2">
                                <IfFileName glob="/${log-name}*.log.gz" />
                                <IfLastModified age="${archive-days}" />
                            </Delete>
                        </DefaultRolloverStrategy>
                    </RollingFile >
                </Route>
        
            </Routes>
                
        </Routing>
        <Console name="STDOUT" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{ISO8601} %-5level %30.30logger{1.}:%-3L - %m%n%throwable" />
        </Console>
    </Appenders>
    
    <Loggers>
        <Logger name="org.springframework" level="ERROR"/>
         <Logger name="org.apache" level="ERROR"/>
        <Root level="${file-level}" additivity="false">
            <AppenderRef ref="route-log" />
            <AppenderRef ref="STDOUT" />
        </Root>
    </Loggers>
    
</Configuration>

I am using the lookup given below to fetch the log file name, log file path, log level and archive days from a table.

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.lookup.AbstractLookup;
import org.apache.logging.log4j.core.lookup.StrLookup;
import org.appconfig.properties.ApplicationProperties;
import org.springframework.util.StringUtils;

@Plugin(name = "appconfig", category = StrLookup.CATEGORY)
public class AppLog4JConfigDatabaseLookup extends AbstractLookup {

    public String lookup(final LogEvent event, final String key) {
        
        
        if (key.equalsIgnoreCase("filename")) {
            return ApplicationProperties.getLogFilename();
        }
        if (key.equalsIgnoreCase("log_path")) {
            return ApplicationProperties.getLogPath();
        }
        if (key.equalsIgnoreCase("file_level")) {
            return ApplicationProperties.getFileLogLevel();
        }
        if (key.equalsIgnoreCase("console_level")) {
            return ApplicationProperties.getConsoleLogLevel();
        }
        if (key.equalsIgnoreCase("app_name")) {
            return ApplicationProperties.getAppName();
        }
        if (key.equalsIgnoreCase("archive_days")) {
            return ApplicationProperties.getLogArchiveDays();
        }
        
        return key;
    }
}

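Please see the service class below.

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.quartz.JobExecutionContext; // assumed to be the Quartz class
import org.springframework.beans.factory.annotation.Autowired;

// SchedulerAdapterJob and FileLoaderJob are the application's own classes.
public class LoaderJob extends SchedulerAdapterJob {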
    @Autowired
    private FileLoaderJob fileLoaderJob;
    
    private static final Logger LOGGER = LogManager.getLogger(LoaderJob.class);
    @Override
    public void executeJob(JobExecutionContext jobExecutionContext) {
        ThreadContext.put("routingLogFile","LOADER_LOGS");
        try {
            fileLoaderJob.execute();        
            
        }
        catch (Exception e) {
            LOGGER.error("Exception in  "+getJobName()+" : "+ e.getMessage());
            throw e;
        }
        finally {
              ThreadContext.remove("routingLogFile");
        }       
        
    }

}

It works fine in 2.16.0 and does not work in 2.17.0. Any solution would be appreciated.

According to the Apache guide, you should add two $ in the routing pattern. But your log4j2.xml contains only one.

Please refer to the following link: https://logging.apache.org/log4j/log4j-2.2/faq.html
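A check for the point made in the answer, as an added example that is not part of the original post: a single `${...}` in a `Routes` pattern is substituted once when the configuration is loaded, while `$${...}` is left for the Routing appender to evaluate per log event. The function name `audit_routes` is hypothetical, and the sample configuration is constructed from the question's `Routes` line.

```python
import re
import xml.etree.ElementTree as ET

# "${" that is NOT preceded by another "$": substituted when the config is loaded.
EAGER = re.compile(r"(?<!\$)\$\{")


def audit_routes(xml_text):
    """Return one finding per <Routes> element in a log4j2.xml document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Log4j matches element names case-insensitively.
        if el.tag.lower() != "routes":
            continue
        pattern = el.get("pattern", "")
        findings.append({
            "pattern": pattern,
            "resolved_at_load": bool(EAGER.search(pattern)),
            # Escape each eager lookup so it survives until a log event is routed.
            "suggested": EAGER.sub("$${", pattern),
        })
    return findings


# Constructed sample: the question's Routes line (single "$").
SAMPLE_SINGLE = """
<Configuration>
  <Appenders>
    <Routing name="route-log">
      <Routes pattern="${ctx:routingLogFile}">
        <Route/>
      </Routes>
    </Routing>
  </Appenders>
</Configuration>
"""

# Constructed sample: the same line with the doubled "$" the answer recommends.
SAMPLE_DOUBLE = SAMPLE_SINGLE.replace("${ctx:", "$${ctx:")

if __name__ == "__main__":
    for name, text in (("single", SAMPLE_SINGLE), ("double", SAMPLE_DOUBLE)):
        for f in audit_routes(text):
            state = "resolved at load" if f["resolved_at_load"] else "deferred to runtime"
            print(f"{name}: {f['pattern']} -> {state}; use {f['suggested']}")
```

Only the `pattern` attribute of `Routes` is checked; lookups inside the `Route` body are left alone.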
