Log action in Spring Boot Admin - spring

How to configure Spring Boot Admin to log action. For example, I want Spring Boot Admin log action when someone change log level form INFO to DEBUG or when someone change configuration value in JMX tab and write wrong configure override the existing.
Do Spring Boot Admin has a feature to do that?

No it doesn't but you could write a zuul filter intercepting, analyzing the request to /api/applications/{id}/logfile and writing a log statement.

Spring Boot includes a number of additional features to help you
monitor and manage your application when it’s pushed to production.
You can choose to manage and monitor your application using HTTP
endpoints, with JMX or even by remote shell (SSH or Telnet). Auditing,
health and metrics gathering can be automatically applied to your
application.
Actuator HTTP endpoints are only available with a Spring MVC-based
application. In particular, it will not work with Jersey unless you
enable Spring MVC as well.
You can also activate a listener by invoking the SpringApplication.addListeners(…​) method and passing the appropriate Writer object. This method also allows you to customize the file name and path via the Writer constructor.
Customize your requirement in Actuator
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready
Maven :
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>1.5.2.RELEASE</version>
</dependency>
http://www.baeldung.com/spring-boot-authentication-audit

Related

Forttify dynamic-code-evaluation-unsafe-deserialization on Spring Boot Actuator 2.1.6

I have the same problem as in the question, the only answer is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.
Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report - Fortify file (.fpr file) to PDF convertion, How do I generate a report that has all the issues?)
In short, this issue is because SpringBoot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send/receive messages, an attacker that is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload which may run arbitrary code upon deserialization by the JMX endpoint.
Fix:
SpringBoot Actuator JMX endpoints may be disabled by adding the following properties
to the application.properties file:
endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*
Note: endpoints.jmx.enabled=false is deprecated
There's also a nice answer on MicroFocus

Listing all deployed rest endpoints (spring-boot, tomcat)

I know there is a similar kind of question exist but if works only for glassfish server.
Listing all deployed rest endpoints (spring-boot, jersey)
Is it possible to list all my configured rest-endpoints with spring boot? The actuator lists all existing paths on startup, I want something similar for my custom services, so I can check on startup if all paths are configured correctly and use this info for client calls.
How do I do this? I use #Path/#GET annotations on my service beans and register them via ResourceConfig#registerClasses.
Is there a way to query the Config for all Paths?
Update2: I want to have something like
GET /rest/mycontroller/info
POST /res/mycontroller/update
...
In my opinion, you are already using the right tool (actuator) to answer to your request.
Actuator gives you all the rest method running and you can configure it on your own, by disabling/enabling specific endpoints
If you have a look on the documentationprobably it can help you.
In any case, the default configuration of actuator display the endpoints (built-in in Intellij for your development).

Spring boot LDAP auto configuration - anonymous access

If the ldap server allows anonymous access, how do I configure the following properties.
spring.ldap.username
spring.ldap.password
If I leave out these properties, I am getting null pointer exception as internally hashtable is used.
I run in the same problem with a transient dependency of Spring ldap security from another project and Spring boot 2.1 and Spring boot admin. My LDAP is not configured (with Spring boot) and a Spring boot admin console initiates a health check. Because of Spring boot auto-configuration a LDAP health check bean is enabled and then the check runs into a NullPointerException.
For this case I excluded the LdapHealthIndicatorAutoConfiguration.class via #SpringBootApplication.
For your problem your maybe need more excludes. Please refer https://docs.spring.io/spring-boot/docs/current/reference/html/auto-configuration-classes.html for existing auto configuration classes. Search for LDAP and try to exclude the found classes in your application.
I'm pretty sure this is a bug in Spring LDAP security, because an anonymous LDAP configuration (no user and password) was intended to work.
I think, this should able to use. Just don't provider membership detail.

How to serve up logging files in a html page?

We are using spring boot for our Web Service. The logging is implemented by using logback. The application is deployed in a Red Hat Linux box and now if we want to browse over the logs we don't want to look through the plain text version. There needs to be static html page to serve it up. I tried looking at the examples but no one tried for logging.
Spring Boot Admin is a separate application which offers admin features over any Spring Boot app. These featues include a logfile-endpoint which allows you to see and tail logfile(s) produced by a Spring Boot app. By default, that endpoint will provide access to the log file defined by the Spring Boot logging.file property and you can also configure a non Spring Boot managed logfile by defining the property: endpoints.logfile.external-file.
If that tool is not a runner then your options might be:
logviewer
Roll your own, for example ...
Use Commons IO Tailer to tail your file, via a file mount on the target server or remotely using Jsch perhaps
Use a SocketAppender to emit log events from the server and consume those log events on the client side for display in the browser
Log Viewer solves this problem. It provides a web page to monitor logs on a server. Full access to the log file is available, not only tail. Filtering, highlighting is supported as well. No problem with big files.
The tool can be added to a spring boot application as a library and works inside the application, or can be run standalone.

Spring cloud config client without Eureka, Ribbon and spring boot

I have spring web application (not spring boot) running in AWS. I am trying to create centralized configuration server. How to refresh the spring-cloud-client after the changing the properties? As per tutorial
Actuator endpoint by sending an empty HTTP POST to the client’s refresh endpoint, http://localhost:8080/refresh, and then confirm it worked by reviewing the http://localhost:8080/message endpoint.
But my aws Ec2 instances are behind the loadbalancer so i can't invoke the client url. I didn't understand the netflix Eureka and Ribbon much but it seems like adding another level of load balancer in the client side. I don't like this approach. Just to change a property i don't want to make the existing project unnecessarily complex. Is there any other way? or Am I misunderstood Eureka/Ribbon usage?
I have looked at the spring-cloud-config-client-without-spring-boot, spring-cloud-config-client-without-auto-configuration none of them have answer. First thread was answered in 2015. Wondering is there any update?
To get the configuration properties from a config server. You can do a http request. Example:
From the documentation we can see:
/{application}/{profile}[/{label}]
/{application}-{profile}.yml <- example
/{label}/{application}-{profile}.yml
/{application}-{profile}.properties
/{label}/{application}-{profile}.properties
So if you would do a request to http://localhost:8080/applicationName-activeProfile.yml you would receive the properties in .yml format for the application with that name and active profile. Spring boot config clients would automatically provide these values but you will have to provide em manually.
You don't need Eureka/Ribbon for this to work, it's a separate component.
More info: http://cloud.spring.io/spring-cloud-static/spring-cloud.html#_spring_cloud_config
Maybe you could even use spring-cloud-config but I'm not sure what extra configuration is needed without spring-boot.
https://cloud.spring.io/spring-cloud-config/

Resources