GSIP 209 - geoserver/geoserver Wiki

GSIP 209 - Replace Log4j 1.x with Logback

Overview

Proposed By

Mark Prins

Assigned to Release

This proposal is for GeoServer 2.21.

State

Motivation

Log4j 1 was announced to be End-Of-Life in 2015. Several vulnerabilities have been logged since then, though none of them affect GeoServer as shipped. GeoServer has started using a custom version with the footgun removed, but people keep raising issues (mainly because automated tools keep flagging it). Logback provides faster, memory-optimized logging functionality (compared to Log4j 1.x) with built-in SLF4J. Logback can automatically reload configuration files, which could simplify the current log configuration switching in GeoServer; Logback uses a system property to find the config file.

Proposal

  1. Replace any Log4j API usage with Logback functionality
  2. Translate the current logging profiles to Logback configurations

Backwards Compatibility

This is a breaking change. TODO

Feedback

Voting

Project Steering Committee:

Links