log4j项目
pom.xml
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<log.version>2.14.0</log.version>
<!-- jdk7升级倒2.12.4, jdk8升级到2.17.1 -->
<!-- <log.version>2.17.1</log.version>-->
<!-- <log.version>2.15.0</log.version>-->
</properties>
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>${log.version}</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>${log.version}</version>
</dependency>
</dependencies>
log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
<!--全局参数-->
<Properties>
<Property name="pattern">%d{yyyy-MM-dd HH:mm:ss,SSS} %5p %c{1}:%L - %m%n</Property>
<Property name="logDir">/data/logs/dust-server</Property>
</Properties>
<Loggers>
<Root level="INFO">
<AppenderRef ref="console"/>
<AppenderRef ref="rolling_file"/>
</Root>
</Loggers>
<Appenders>
<!-- 定义输出到控制台 -->
<Console name="console" target="SYSTEM_OUT" follow="true">
<!--控制台只输出level及以上级别的信息-->
<ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
<PatternLayout>
<Pattern>${pattern}</Pattern>
</PatternLayout>
</Console>
<!-- 同一来源的Appender可以定义多个RollingFile,定义按天存储日志 -->
<RollingFile name="rolling_file"
fileName="${logDir}/dust-server.log"
filePattern="${logDir}/dust-server_%d{yyyy-MM-dd}.log">
<ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
<PatternLayout>
<Pattern>${pattern}</Pattern>
</PatternLayout>
<Policies>
<TimeBasedTriggeringPolicy interval="1"/>
</Policies>
<!-- 日志保留策略,配置只保留七天 -->
<DefaultRolloverStrategy>
<Delete basePath="${logDir}/" maxDepth="1">
<IfFileName glob="dust-server_*.log" />
<IfLastModified age="7d" />
</Delete>
</DefaultRolloverStrategy>
</RollingFile>
</Appenders>
</Configuration>
Log4j2Demo
package org.example;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class Log4j2Demo {
/**
* 版本2.14.0:
* 2022-03-08 10:44:15,130 INFO Log4j2Demo:10 - --------------start---------------
* 2022-03-08 10:44:15,140 INFO Log4j2Demo:13 - Hello, Windows 10 10.0, architecture: amd64-64
* 2022-03-08 10:44:15,140 INFO Log4j2Demo:14 - --------------end---------------
*
* 升级到2.15.0|2.17.1版本后:
* 2022-03-08 10:49:42,866 INFO Log4j2Demo:19 - Hello, ${java:os}
*
*/
private static final Logger LOGGER = LogManager.getLogger();
public static void main(String[] args) {
LOGGER.info("--------------start---------------");
String username="1111${java:os}";
LOGGER.info("Hello, {}",username);
LOGGER.info("Hello, {}", "${java:os}");
LOGGER.info("--------------end---------------");
}
}
执行main函数发现如下,会存在安全漏洞
升级logback日志
pom.xml加上下面
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>2.8.2</version>
<!-- <version>${log.version}</version>-->
</dependency>
logback.xml
<configuration>
<appender name="Console" class="ch.qos.logback.core.ConsoleAppender">
<layout class="ch.qos.logback.classic.PatternLayout">
<Pattern>
[logback]%black(%d{ISO8601}) %highlight(%-5level) [%blue(%t)] %yellow(%C{1.}): %msg%n%throwable
</Pattern>
</layout>
</appender>
<root level="DEBUG">
<appender-ref ref="Console" />
</root>
</configuration>
再执行main函数,漏洞不存在了
