v3.6.2

This is a bugfix release for a regression in cf-java-logging-support-logback. It affected the logging of stacktraces when using logback as a logging backend.

What's Changed

• Fix logback stacktrace information by @KarstenSchnitter in #146

Full Changelog: v3.6.1...v3.6.2

v3.6.1

This is a bugfix release to add the missing Java thread name to the log messages. It was accidentally dropped in v3.6.0

What's Changed

• Bump jackson-databind from 2.13.0 to 2.13.2.1 in /cf-java-logging-support-servlet by @dependabot in #143
• Add Thread name to JSON log events by @KarstenSchnitter in #144

Full Changelog: v3.6.0...v3.6.1

v3.6.0

Note: this version does not include the Java thread name in the log messages. This bug is fixed in v3.6.1

This release contains a major refactoring of the JSON generation code.
The implementation now uses Jackson's ObjectComposer instead of a string pattern.
This increases performance and allows several extension points to library users.
See the Wiki article on Writing Application Logs for details.
In particular it is now possible to register custom "Field Suppliers", that can add custom fields to the log message.
Furthermore, custom field support now extends to request logs.

Another major change is, that the library will no longer add CloudFoundry metadata (from env VCAP_APPLICATION) by default.
This reduces the message size considerably and improves human readability.
Usually, the missing data is unproblematic, since it is added in the message envelope by CF Loggregator.
If your logging service cannot extract the information from the envelope, you can bring back the old behaviour with the example configuration given in the Wiki article on Writing Application Logs.

What's Changed

• Add support for W3C traceparent HTTP header by @KarstenSchnitter in #139
• Introduce JHM Benchmarking for Log Backends by @KarstenSchnitter in #137
• Refactor Logback Log Generation by @KarstenSchnitter in #140
• Refactor json generation log4j2 by @KarstenSchnitter in #142

Full Changelog: v3.5.7...v3.6.0

v3.5.7

This is a bugfix release for #135.

What's Changed

• #135 Fix UOE when using Custom Fields by @KarstenSchnitter in #136
• Fix typo and formatting by @TimGerlach in #134

New Contributors

• @TimGerlach made their first contribution in #134

Full Changelog: v3.5.6...v3.5.7

v3.5.6

This is purely a dependency update to resolve CVE-2021-44832 and CVE-2021-42550

What's Changed

Upgraded dependencies:

• log4j2 2.17.1 (resolve CVE-2021-44832)
• logback 1.2.10 (resolve CVE-2021-42550)
• jackson-jr 2.13.1
• junit 4.13.2
• spring-boot 2.6.1

Full Changelog: v3.5.5...v3.5.6

v3.5.5

⚠️ This release upgrades Log4j2 to version 2.17.0 in mitigation of CVE-2021-45105. Furthermore, it secures sample-spring-boot when build with -Plog4j2 by replacing the Spring Boot provided log4j version with 2.17.0.

What's Changed

• #128 upgrade log4j to v2.17.0
• #129 secure log4j to v2.17.0 for sample-spring-boot

Full Changelog: v3.5.4...v3.5.5

v3.5.4

⚠️ This release upgrades Log4j2 to version 2.16.0 in mitigation of CVE-2021-44228. Furthermore it resolves a regression where invalid JSON messages were generated when using [email protected]

What's Changed

• #123 Upgrade of 3rd party dependencies new versions
  • log4j 2.16.0
  • slf4j 1.7.32
  • logback 1.7.32
  • jackson-jr 2.13.0
  • jackson-databind 2.13.0 (servlet)
  • java-jwt 3.18.2 (servlet)
  • spring-boot 2.6.1 (sample app)
  • jetty 9.4.44.v20210927 (test only)
• #126 Fix invalid JSON format generated with cf-java-logging-support-log4j2 as described in #124

Full Changelog: v3.5.3...v3.5.4

v3.5.3

⚠️ This release upgrades the Log4j2 to 2.15.0 in mitigation of CVE-2021-44228. This is done to avoid the introduction
of a vulnerable dependency into your application. Make sure to check your dependency
configuration, that you only use fixed Log4j2 versions (>=2.5.0).

With this release we start introduction of features, that reduce the amount of superfluous information.
The goal is the reduction of message size. As a first step, the library will by default no longer emit fields, that contain the default value, e.g. "-" for strings. This feature can be disabled.

What's Changed

• a38a4ca Upgrade Log4j2 dependency to 2.15.0
• #120 Suppress Default Values from MDC

Full Changelog: v3.5.2...v3.5.3

v3.5.2

This release adds support for additional headers in the generated request logs. The new headers improve debugging scenarios when reverse proxies are used to forward requests. In addition to the already support header "x-forwarded-for" three additional headers are added: "x-forwarded-host", "x-forwarded-proto" and "x-custom-host". Furthermore, support for SSL validation headers as issued by HA-Proxy were added: "x-ssl-client", "x-ssl-client-verify", "x-ssl-client-subject-dn", "x-ssl-client-subject-cn", "x-ssl-client-issuer-dn", "x-ssl-client-notbefore", "x-ssl-client-notafter" and "x-ssl-client-session-id". To enable logging of these "x-ssl-*" headers the environment variable "LOG_SSL_HEADERS" needs to be set to "true".

Detailed changes are:

• #119 Support of reverse proxy headers
• upgrade Spring Boot version of sample app to 2.5.3

v3.5.1

This release removes a long standing side-effect in the servlet instrumentation: When a user sets a log field, that is auto-filled from some http header, e.g. tenant_id, the user-provided value may get overwritten or deleted during generation of the request log. This behaviour is now removed. Http headers are only propagated to log fields in the AddHttpHeadersToLogContextFilter, which is part of RequestLoggingFilter and StaticLevelRequestLoggingFilter.

Detailed changes are:

• #117 Fix cases where http header to log field propagation overwrites user-provided content after request handling
• #118 Removal of Version class, that was not referenced in the code base.