3 Replies Latest reply on Dec 4, 2009 10:57 AM by Peter Johnson

    Deployed application steals logging from JBoss. How to prote

    Zbigniew Łuszpiński Newbie

      I deployed war/ear application to JBoss 4.2. When I boot JBoss logging is OK on console and in file. When application starts, logging to console and server.log stops. All logs are now taken over by application.

      How I can protect JBoss against logs hijack by deployed applications on server side without touching applications code/log4j?

        • 1. Re: Deployed application steals logging from JBoss. How to p
          Peter Johnson Master

          You are going to have to first figure out how that app does logging, only then can you come up with a plan to prevent the log hijacking.

          What app is it? Where did you get it from? If you bought it, have you asked the people you bought it from about this issue?

          • 2. Re: Deployed application steals logging from JBoss. How to p
            Zbigniew Łuszpiński Newbie

            I do not know the app - this is only binary code. What I see it deploys its own log4j and use such properties for logging:

            log4j.rootCategory=ERROR, CONSOLE,MYLOG
            
            log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
            log4j.appender.CONSOLE.Threshold=ERROR
            log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
            log4j.appender.CONSOLE.layout.ConversionPattern=%d{dd/MM/yy HH:mm:ss} %5p [%t] (%F:%L) - %m%n
            
            log4j.appender.MYLOG=org.apache.log4j.DailyRollingFileAppender
            log4j.appender.MYLOG.DatePattern='_'yyyyMMdd'.log'
            log4j.appender.MYLOG.File=server/default/log/mylog.log
            log4j.appender.MYLOG.Append=true
            log4j.appender.MYLOG.layout=org.apache.log4j.PatternLayout
            log4j.appender.MYLOG.layout.ConversionPattern=%d{dd/MM/yy HH:mm:ss} %5p [%t] (%F:%L) - %m%n



            JBoss logs must not be affected by any deployed application. If there is no any configuration changes which can protect against such hostile behaviour this is security bug in JBoss. Before I start looking how to file a bug report to JBoss I would like to make sure there is no known protection to JBoss.

            • 3. Re: Deployed application steals logging from JBoss. How to p
              Peter Johnson Master

              I do not know of anything in JBoss AS to prevent this - any code can directly manage log4j.

              I still think you need to confront the originator of app about this.