Replacing system logger

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

sanity_check
Posts: 2
Joined: 05 Jul 2022, 03:16

Replacing system logger

Postby sanity_check » 05 Jul 2022, 03:36

Hi,

I would like to ask if it is possible to replace the sfs2x logger (slf4j + log4j), which writes to SFSX2/log/..
The current version of log4j has been blacklisted by our IT team due to vulnerability.

What I have tried
Replaced slf4j with latest stable 1.7.36
Replaced log4j with log4j2 2.17.2
    - log4j-1.2.15.jar
    - slf4j-api-1.7.5.jar
    + log4j-1.2-api-2.17.2.jar
    + log4j-api-2.17.2.jar
    + log4j-core-2.17.2.jar
    + log4j-slf4j-impl-2.17.2.jar (slf4j to log4j2 binding)
With the existing properties file, it works since it is still using the DailyRollingFileAppender class from the old log4j api (only crash when exiting the app - stream closed exception)
Changing it to new appenders.RollingFIleAppender from log4j2 causes a Instantiate exception
Changing properties to log4j2 style cause no more logs to be shown in console or written to file

Properties rollingFileAppender looks like this
log4j.appender.fileAppender=org.apache.logging.log4j.core.appender.RollingFileAppender
log4j.appender.fileAppender.name=fileAppender
log4j.appender.fileAppender.fileName=logs/smartfox.log
log4j.appender.fileAppender.filePattern =logs/smartfox.log'.'yyyy-MM-dd-mm
log4j.appender.fileAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.fileAppender.layout.pattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %level [%t] [%c] [%M] [%l] - %msg%n
log4j.appender.fileAppender.policies.type = Policies
log4j.appender.fileAppender.policies.time.type = TimeBasedTriggeringPolicy
log4j.appender.fileAppender.policies.time.interval = 1
log4j.appender.fileAppender.policies.time.modulate = true


It would be great if we could swap it with some other logger, or disable the current one completely so that it does not have any dependencies to log4j. Please let me know if this could be fixed or if there are some other alternatives.
Thanks
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Replacing system logger

Postby Lapo » 05 Jul 2022, 08:23

Hello,
sanity_check wrote:I would like to ask if it is possible to replace the sfs2x logger (slf4j + log4j), which writes to SFSX2/log/..
The current version of log4j has been blacklisted by our IT team due to vulnerability.

Why though? This version is actually not subject to the terribile vulnerability that was discovered a few months ago.

Unfortunately it's not possible to replace log4j 1.x with 2.x, it requires a significant amount of rework. However we also don't see the problem with keeping 1.x, especially the version we are shipping, unless you have details of actual vulnerabilities that can be exploited with our configuration.

Let us know.
Lapo
--
gotoAndPlay()
...addicted to flash games
sanity_check
Posts: 2
Joined: 05 Jul 2022, 03:16

Re: Replacing system logger

Postby sanity_check » 06 Jul 2022, 10:43

Thanks for the information. We will discuss it with the IT team to resolve this issue.
Will let you know if anything comes up.

Return to “SFS2X Questions”

Who is online

Users browsing this forum: No registered users and 39 guests