DESOSA 2022

Log4j2 - Product Vision & Problem Analysis

Figure: Apache Log4j2 Logo

Introduction

A log file is a collection of files used to record system operation events. It plays an important role in processing historical data, tracing problems, and understanding system activities. In software development, developers use a variety of logging frameworks to record the running information of the program. The presence or absence of logs does not affect the performance of the application, but an application without logs is incomplete because of its importance at all stages of development. It helps to locate problems faster during development and debugging. When the application is working, it can record abnormal information and monitor the system in real-time.

Log4j2 is one of the most popular logging tools available today. It is an open-source Java-based logging tool under the Apache Software Foundation. It was released in July 2014 to replace its predecessor, Log4j, which needed to be compatible with very old Java versions, making it difficult to maintain. As an improved version of Log4j, Log4j2 solves the Log4j problem of missing events with reconfiguration and can be used as an audit logging framework.1 In short, Log4j2 is a powerful, feature-rich logging tool.

Domain model

As a logging framework, Log4j2 aims to provide an easy-to-use and high-performance tool for developers. It helps developers to do some of the groundwork, allowing them to focus on the business logic design of the system. It separates the API from the implementation, giving application developers a clear idea of which classes and methods are available. And developers can change the logging framework by modifying the configuration files dependencies without making any code changes. In addition, Log4j2 significantly improves throughput in multithreaded scenarios with next-generation asynchronous loggers based on the LMAX Disruptor library.

Capabilities of the system

Whether you are an automation tester or a developer, a Logger is an important part of your code. It helps the user to analyze the code flow and catch if there is any unexpected result or break in the flow. These logs are important for development, testing and finding the place of occurence of a problem later. Log4j2 can help Java developers to log some debug ,error or info statements for debugging or tracking purpose. It stores the logs to file or other specified media.

A common scenario of using Log4j2 is to use it accompany with SLF4J2 through the log4j-to-slf4j bridge module. SLF4J (Simple Logging Facade for Java) is a wrapper API or abstraction for various logging frameworks, such as Java Util Logging(JUL), Logback and Log4j2. We use the abstract SLF4J API in the application, and plug in Log4j2 as desired logging framework for underlying implementation. Using SLF4J helps in migrating from one logging framework to another, just by replacing the configuration files. The application code is untouched.

After configuring Log4j2 with SLF4J, the user can write log statements in the application code with classes Logger and LoggerFactory . Both come from the package org.slf4j. For example:

private static Logger logger = LoggerFactory.getLogger(Main.class);
logger.info("Hello World !");
logger.error("a test error message");

We can get:

17-06-08 21:18:07:663 INFO  Example:10 - Hello World !
17-06-08 21:18:07:665 ERROR Example:11 - a test error message

With Log4j2, developers can manage logs by modifying configuration files (XML, JSON, YAML or properties format). For example, Log4j2 provides support for several priority levels. The user can configure the log levels to specify which log details we want to see. The built-in log levels for Log4j2 are:

  • OFF
  • FATAL
  • ERROR
  • WARN
  • INFO
  • DEBUG
  • TRACE
  • ALL

The user can also configure the Appenders to specify the destinations of keeping the logs. Here are some of the most useful types of appenders that the library provides:

  • ConsoleAppender – logs messages to the System console
  • FileAppender – writes log messages to a file
  • RollingFileAppender – writes the messages to a rolling log file
  • JDBCAppender – uses a relational database for logs
  • AsyncAppender – contains a list of other appenders and determines the logs for these to be written in a separate thread

Project context analysis

Figure: The system context view of Log4j2

The system context view describes the context where the Log4j2 runs. Explained below are the components of the complete context:

  • The Log4j2 is one of the open-source projects managed and supported by the Apache software foundation
  • The Log4j2 can operate on operating systems including Linux, Windows, and macOS
  • The project is developed with the programming language of Java
  • The people that contribute to this project include the project team that has direct commit privileges and other general software developers
  • The logging framework consists of an API and the implementation core, and the core is needed at runtime. It needs maven, Ivy, Gradle, or SBT to build the runtime system3
  • The Log4j2 api does not need any external dependencies. To fulfill the rich set of functions and a variety of features, log4j-core has a lot of optional external components and libraries to operate with. The external dependencies contain Jackson, slf4j, Apache Flume, and so on4

Stakeholder analysis

Stakeholder analysis discusses how they are involved in Log4j2 and what they need from the system.

Apache software foundation

The Apache software foundation organizes and oversees the Log4j2 project and makes sure that the project operates well and in accordance with the laws and regulations. The foundation hopes that the project could develop sustainably and healthily, providing comprehensive, stable services while guaranteeing user privacy and data security.

Project team

The project team consists of Project Management Committee Members and committers. They are responsible for maintaining the integrated code architecture and high-quality source code. Besides, they also need to make the project document and keep it updated. During the project lifetime, the members will need to monitor and maintain the project operations and respond and solve the issues when contingencies occur. PMC members are qualified to decide the release of the versions. The team members are also the connection between the project and the general contributors. They need to review, select, and test the suggestions and patches the general contributors propose. The project team needs the stable, healthy operation of the system and continuously completing the functionality.

General contributors

General developers could make contributions to Log4j2 via purposing suggestions on codes, documents, or adding test cases to the project. They don’t have the direct privilege of modification. To better contribute to the project, the contributors will need a clearly organized source code repository and architecture, a set of reader-friendly documents, and proper and clear criteria.

Individual software developers using Log4j2

Individual software developers use Log4j2 to assist the java software development. They hope that the Log4j2 could be capable of providing a comprehensive, easy-to-use development log, generating a detailed process log so that they could solve issues based on the information provided by the logging framework.

Company

Similarly, companies also need assistance from Log4j2 when developing software. But compared to the individual developers, the software development companies tend to attach more importance to dependability, system robustness, and data security issues, as they are more likely to have sensitive privacy and security data of larger amount.

Analysts and researchers

There are analysts and researchers studying and analyzing open-source projects, java projects, and software architecture. They regard Log4j2 as instances for analyzing. For these people, they would hope that the project could stay open-source and has the complete project document up to date. Also, they would like to see the continuous development and even evolution or possible replacement of this project.

Key quality attributes

Apart from functional requirements, an essential reason for selecting a logging library is often how well it fulfills non-functional requirements like performance and security.

Performance. One of the often-cited arguments against logging is its computational cost. Performance is a legitimate concern as even moderately sized applications can generate thousands of log requests. Much effort was spent measuring and tweaking logging performance. Log4j2’s asynchronous and garbage-free logging feature could achieve higher peak throughput (especially in multi-threaded scenarios)and better response time behavior than other logging frameworks5.

Security. We probably might have read about the Log4j2 vulnerability that has taken the internet by storm. The new vulnerability, CVE-2021-448326, could allow attackers to trigger remote code execution. The logger framework should prevent such kind of unauthorized access to the project and log information.

Current and future: Roadmap

It has been 7 years since Logging Services Project Management Committee (PMC) announced that Log4j 1.x had reached the end of life on August 5, 2015, and Log4j2 has evolved from the first general availability (GA) version 2.0 to the current lastest released version 2.17.2 and has become one of the best logging packages. As a tool that is already well established and a component that tight coupling with the application, the developers of Log4j2 focus on the maintenance of the reliability and usability of existing functions rather than importing lots of new features.

The future development of Log4j2 mainly depends on the suggestions from open-source contributors, and the Logging Service PMC will determine whether to add new features or not. However, there is no clear development roadmap for Log4j2 on either its official website or its GitHub repository, the information about the future releases is only available through the existed issues on JIRA7 and the discussion content in its public mailing lists dev8. After investigating the available resources mentioned above, we summarize the short and long term development plans of Log4j2:

For the short-term plan, version 2.17.3, the developers focus on solving

  • Compatible problems with Log4j 1.x
  • Configuration bugs when interacting with other applications such as SpringBoot
  • Small changes in performance

For the long-term plan, 3.x version, from the description in this email9, we know that the major goals are

  • Update Log4j2 to Java 11 version (now Java 8)
  • Fully support the Java Platform Module System
  • Code clean-up and performance scaling for plugins

Ethics considerations

Ethics isn’t always the first mentioned thing during the development of software, but it is quite indispensable because software has been a huge part of our lives and they have the power to make people’s lives either better or worse. As for Log4j2, we cannot simply assert the direct ethical attributes of it because Log4j2 is designed as a basic element that can be inserted into different applications and the ethics mostly depends on the usage of the application.

For the construction processes, Log4j2, as an open-source project maintained by Apache Software Foundation (ASF), does its best to achieve the mission “Provide Software for the Public Good”. First, Log4j2 follows the well-defined ASF Code of Conduct 10 which contains the specific guidances for participants and the diversity statement, so that anyone can access and contribute to Log4j2 as long as they follow the contribution guidelines. Log4j2 also keeps and promotes the diversity and inclusion of its open-source community, and it holds the maxim “Community Over Code”11 because they believe a thriving open-source community can always lead and facilitate the development of the project.

Ethics of software construction more than just the above things, resources usage and security should also be considered. Log4j2 achieves a high resource utilization with the help of low-latency asynchronous and garbage-free loggers. Moreover, as a logging tool that is deeply tied to the application and as a foundation tool that is widely used by other applications, the security of Log4j2 is crucial for the whole software supply chain, the security vulnerabilities in Log4j2 will cause significant loss to many applications, for example, CVE-2021-448326. However, Log4j2 cannot fully guarantee its security in every released version.


  1. Log4j Wiki. Retrieved 5 March 2022 from: https://en.wikipedia.org/wiki/Log4j ↩︎

  2. krishankant singhal(Jan 29, 2020). Logback ,SLF4J , Log4J2. Understanding them and learn how to use. Retrieved 5 March 2022 from: https://krishankantsinghal.medium.com/logback-slf4j-log4j2-understanding-them-and-learn-how-to-use-d33deedd0c46 ↩︎

  3. Maven, Ivy, Gradle, and SBT Artifacts. Retrieved 6 March 2022 from: https://logging.apache.org/log4j/2.x/maven-artifacts.html ↩︎

  4. Log4j Runtime Dependencies Retrieved 6 March 2022 from: https://logging.apache.org/log4j/2.x/runtime-dependencies.html ↩︎

  5. Log4j2 performance. Retrieved 5 March 2022 from: https://logging.apache.org/log4j/2.x/performance.html ↩︎

  6. National Vulnerability Database (NVD). CVE-2021-44832. Retrieved 5 March 2022 from: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 ↩︎

  7. Apache Jira. Apache Log4j2 Jira. Retrieved 5 March 2022 from: https://issues.apache.org/jira/projects/LOG4J2/summary ↩︎

  8. Apache Log4j2. Project mailing list for developers. Retrieved 5 March 2022 from: https://lists.apache.org/list.html?dev@logging.apache.org ↩︎

  9. Ralph Goers (January 8, 2022). Properties Enhancement in Log4j 2 3.x. Retrieved 5 March 2022 from: https://lists.apache.org/thread/cjkccn70z6k3txf9bm8l28kr74owbv1v ↩︎

  10. Apache software foundation. CODE OF CONDUCT. Retrieved 5 March 2022 from: https://www.apache.org/foundation/policies/conduct.html ↩︎

  11. Apache software foundation. THE APACHE WAY. Retrieved 5 March 2022 from: https://www.apache.org/theapacheway/index.html ↩︎

Log4j2
Authors
Longfei Lin
Ting Liang
Bowu Li
Zhaoxi Liu