Logs are the notetakers for your Java application. In a meeting, you might take notes so that you can remember important details later. Your Java logs do the same thing for your application. They document important information about the application’s ability to function and problems that keep it from working as intended.
Logs give you information to help fix coding errors, but they also give your end users information that helps them monitor performance and security. By understanding the role Java logs play, you can make more informed decisions when configuring them in your application.
What is a Logger in Java?
The Java Logger captures events so that developers can manage and store log messages. Java logging consists of the following three components:
- Loggers: capture events called LogRecords and forward them to the specified Appender
- Appenders/Handlers: use Layout to format LogRecords and sent them to an output, like a console, file, or other application
- Layouts/Formatters: convert and format the LogRecord data
Within the Logger, developers can configure the following:
- Levels: define the type of event
- Filters: additional control over what the application logs
What are the Java log levels?
While Python logs typically fall into only a few categories, Java configurations provide more depth and details. Additionally, levels come with hierarchies from a parent through all underlying children.
The valid logging levels for Java are:
- Off: nothing logged
- Fatal: task cannot continue; component inability to function
- Severe: task cannot continue; component can function
- Warning: potential or impending error
- Audit: event affecting server state or resources
- Info: general task progress information
- Config: configuration change or status
- Detail: general subtask progress information
- Fine: general trace information
- Finer: details trace information, including method entry/exit/return values
- All: logs all events, including custom levels that may provide more detailed trace than Finest
What is a Java logging framework?
A Java logging framework is a package that developers can use as the supporting structure to standardize and customize how and where their applications write logs.
java.util.logging (JUL)
JUL is the only Java-native logging package. It supports delivering plain text or XML-formatted log records to:
- Memory
- Output streams
- Consoles
- FIles
- Sockets
The logging APIs can also interact with other logging services on the host operating system.
Log4j and Log4j2
The now infamous Apache Log4j consists of the following components:
- Appenders: writing event data to target destinations like network sockets, databases, or SMTP servers
- Layouts: formatting log events for the technology ingesting them, like CSV, HTML, JSON, and and Syslog
- Filters: determining if or how to publish log events with configurations like log even rates, regular expressions, scripts, or time
- Lookups: adding values to the configurations for use cases like accessing system properties, environment variable, or log event fields
Log4j2 included updated features like:
- Asynchronous Loggers
- Support for multiple APIS
- Automatic configuration reloading (a direct response to Logback)
- Advanced filtering across a common class specified to apply to all events before being passed to Loggers or as they pass through Appenders (a direct response to Logback capabilities)
- Custom log levels without requiring subclassing
In December 2021, a zero-day vulnerability, CVE-2021-44228 also known as Log4Shell, allowed unauthorized remote actors to take control of an affected system. As of August 2024, researchers still found attackers exploiting the vulnerability to deploy crypt-currency miners and malicious backdoor scripts against unpatched instances.
Logback
Logback, designed by Ceki Gülcüt he Log4j project founder, was a successor to the popular framework’s v.1.x with capabilities like
- Speed: components faster on some critical execution paths with a smaller memory footprint
- Testing: extensive battery of tests
- Documentation: consistently updated documentation
- Configuration files: automatically reloads upon modification
- Compression and removal: automatically compressing archived log files and removed old log archives
- Filters: customizable logic based on Linux iptables for assembling or chaining filtering policies
- SiftingAppender: versatile appender for separating logging according to any runtime attribute
Best Practices for Java Logging
Choosing a framework is only the first step in implementing logging for your Java application. Logging in an application provides information to help:
- Debugging
- Investigating an issue’s root cause
- Detecting and responding to security incidents
Implement an abstraction layer
An abstraction layer separated the logging framework from the application, providing a generic API that enables more flexibility. The Simple Logging Facade for Java (SLF4J) provides an API so you can use whatever logging implementation scheme you want, even changing it if you feel a different one would work.
Select appropriate log levels
Log levels define the information that your application provides. To prevent excessive logging that undermines application performance, you should think carefully about the data that your users need to track. For example, as a developer, you might need the DEBUG log level, but your end users may want Fatal and Audit logging enabled.
Use a structured format
Structured log formats allow you and your end users to forward logs to other solutions, like centralized log management or security information and event management (SIEM) solutions. Using a JSON format can make logs easier to parse, normalize, and index because they have structured fields.
Provide Context But Limit Sensitive Information
Logs should have enough information so that the people using them can have the appropriate context. Typically, this means including:
- Timestamp
- Error type
- User actions
- UserID
However, you should limit the amount and mask any sensitive information. For example, your logs should protect personally identifiable information (PII) like:
- User credentials: userID combined with password
- Account or payment information: bank account or credit card information
- Health records: social security number or insurance card data
Consider performance impact
Logging too much activity can negatively impact your application’s performance and user experience. You may want to consider the following:
- Asynchronous logging: separate threads push the log message to improve application performance but increase memory usage and may impact message ordering
- Synchronous logging: application thread generates message and pushes message to destination before continuing which can slow down the application
Handle exception logging
Exception handlers document when an application does something unexpected. While you should log exceptions, you want to ensure that the log does not give the user information that attackers could exploit, like database system information or user credentials.
When choosing how to handle exceptions, you can either:
- Log at the source: create log messages that limit context but provide access to stack trace
- Pass exception up the stack: create log message with more context but may lock information about the bottom-level component
Centralize logs
Centralization simplifies log management so you can detect anomalies and troubleshoot problems more efficiently. With real-time log collection and analysis, developers and end-users can proactively identify application performance and security issues.
Graylog: Security and Operations Monitoring for Java Logs
Graylog’s purpose-built solution provides lightning fast search capabilities and flexible integrations that allow your team to collaborate more efficiently. Since you can easily share Dashboards and searches with Graylog’s cloud platform, you have the ability to capture, manage, and share knowledge consistently across DevOps, operations, and security.
With Graylog’s security analytics and anomaly detection capabilities, you get the cybersecurity platform you need without the complexity that makes your team’s job harder. With our powerful, lightning-fast features and intuitive user interface, you can lower your labor costs while reducing alert fatigue and getting the answers you need – quickly.
Our prebuilt search templates, dashboards, correlated alerts, and dynamic look-up tables enable you to get immediate value from your logs while empowering your security team.
