src/site/asciidoc/security.adoc (2 additions & 3 deletions)
@@ -69,20 +69,19 @@ For example, if a log message contains new lines, these are not escaped or encod
69
69
Similarly, other encoding options are available for other formats, but pattern layouts cannot make assumptions about the entire output.
70
70
As such, when using unstructured layouts, no user-controlled input should be included in logs.
71
71
It is strongly recommended that a structured layout (e.g., `JsonTemplateLayout`) is used instead for these situations.
72
-
Note that `StrLookup` plugins (those referenced by `${...}` templates in configuration files) that contain user-provided input should not be referenced by a pattern layout.
72
+
Note that `StrLookup` plugins (those referenced by `${...}` templates in configuration files) that contain user-provided input should not be referenced by layouts.
73
73
74
74
=== Structured Logging
75
75
76
76
When using a structured layout (most layouts besides pattern layout), log messages are encoded according to various output formats.
77
77
These safely encode the various fields included in a log message.
78
-
For example, the JSON template layout can be configured to output log messages in various JSON structures where all log data is properly encoded into safely parseable JSON.
78
+
For example, the `JsonTemplateLayout` can be configured to output log messages in various JSON structures where all log data is properly encoded into safely parseable JSON.
79
79
This is the recommended mode of operation for use with log parsing and log collection tools that rely on log files or arbitrary output streams.
80
80
81
81
=== Code Signing
82
82
83
83
Log4j artifacts are all signed using PGP using a key from the Logging Services PMC https://downloads.apache.org/logging/KEYS[KEYS file].
84
84
Information on how to verify releases signed with PGP is https://httpd.apache.org/dev/verification.html[documented here].
85
-
Individual jar files are not signed using `jarsigner` (only PGP), and the Log4j plugin system does not rely on signed jars for validation (unlike the Java cryptography APIs for example).
86
85
Thus, PGP signatures should be validated in your build process.
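Review bot: The deletion at original line 85 removes the premise that the `Thus` at line 85/86 depends on; as the hunk stands, `Thus, PGP signatures should be validated in your build process.` now follows the sentence pointing at the httpd verification page, which does not say why build-time validation is needed. Either keep a one-line version of the removed rationale (jars are not `jarsigner`-signed and the plugin system does not validate jar signatures, so the PGP signature is the only artifact-integrity check) or drop the connective, e.g. `PGP signatures should be validated in your build process.` On the change at line 72, broadening `pattern layout` to `layouts` reads correctly alongside line 71, which recommends `JsonTemplateLayout`: the old wording could be taken to mean the `StrLookup` caution applied only to unstructured layouts.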