Logging Spring Integration exceptions using Spring Boot - spring

We have experienced some exceptions (mainly Channel without consumer) in our Spring Integration pipeline. But those exceptions are lost and we don't see them unless we run the app and look at the console.
Is there any way to log those exceptions to a file?

Boot uses logback by default. Add a suitably configured logback.xml to the class path.
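A starting point for such a logback.xml, added here as an example and not part of the original answer. The log file path, the retention period and the logger levels are assumptions to adjust for your application:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Place on the classpath, e.g. src/main/resources/logback.xml -->
<configuration>

  <!-- Keep console output so local runs behave as before -->
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} %-5level [%thread] %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Daily rolling file; path and 30-day retention are assumed values -->
  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>logs/integration.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>logs/integration.%d{yyyy-MM-dd}.log</fileNamePattern>
      <maxHistory>30</maxHistory>
    </rollingPolicy>
    <encoder>
      <!-- %ex prints the full stack trace of the logged exception -->
      <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} %-5level [%thread] %logger{36} - %msg%n%ex</pattern>
    </encoder>
  </appender>

  <!-- Spring Integration logs under this package; messages that reach the
       default errorChannel are written at ERROR by its LoggingHandler -->
  <logger name="org.springframework.integration" level="WARN"/>

  <root level="INFO">
    <appender-ref ref="CONSOLE"/>
    <appender-ref ref="FILE"/>
  </root>

</configuration>
```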

Related

TraceId missing when logging @SqsListener

In my Spring Boot project, the TraceId is missing only inside the @SqsListener-annotated method.
I have used spring-cloud-starter-sleuth for logging and logback configuration.
Which Sleuth version are you using? They removed SQS support in the 3.0 release: https://github.com/spring-cloud/spring-cloud-sleuth/issues/1876.
This repo can be helpful for putting traces into SQS messages, but getting them from the message and injecting them into the MDC is something you need to implement on your own.

How are implementations like Spring Cloud Sleuth made?

By adding Spring Cloud Sleuth as a dependency in my Spring Boot project the logging mask, like magic, changes.
The change that happens is the inclusion of the traceId, spanId and applicationName in the information that is logged when I do log.info(...) and other logging commands.
How does Spring Cloud Sleuth do that? Is that an appender implementation? Does a programmatic change happen in the log mask to be able to print it when Spring Boot auto-configuration is started?

Fortify dynamic-code-evaluation-unsafe-deserialization on Spring Boot Actuator 2.1.6

I have the same problem as in the question, the only answer is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.
Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report - Fortify file (.fpr file) to PDF conversion, How do I generate a report that has all the issues?)
In short, this issue is because Spring Boot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send/receive messages; an attacker who is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload which may run arbitrary code upon deserialization by the JMX endpoint.
Fix:
Spring Boot Actuator JMX endpoints may be disabled by adding the following properties to the application.properties file:
endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*
Note: endpoints.jmx.enabled=false is deprecated
There's also a nice answer on MicroFocus

Log action in Spring Boot Admin

How can I configure Spring Boot Admin to log actions? For example, I want Spring Boot Admin to log an action when someone changes the log level from INFO to DEBUG, or when someone changes a configuration value in the JMX tab and writes a wrong configuration that overrides the existing one.
Does Spring Boot Admin have a feature to do that?
No, it doesn't, but you could write a Zuul filter intercepting and analyzing the request to /api/applications/{id}/logfile and writing a log statement.
Spring Boot includes a number of additional features to help you monitor and manage your application when it’s pushed to production. You can choose to manage and monitor your application using HTTP endpoints, with JMX or even by remote shell (SSH or Telnet). Auditing, health and metrics gathering can be automatically applied to your application.
Actuator HTTP endpoints are only available with a Spring MVC-based application. In particular, it will not work with Jersey unless you enable Spring MVC as well.
You can also activate a listener by invoking the SpringApplication.addListeners(…​) method and passing the appropriate Writer object. This method also allows you to customize the file name and path via the Writer constructor.
Customize your requirement in Actuator
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready
Maven:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>1.5.2.RELEASE</version>
</dependency>
http://www.baeldung.com/spring-boot-authentication-audit

Swagger integration with Logback

I'm setting up my Spring Boot application and I've managed to add API documentation using Swagger, following this tutorial:
http://heidloff.net/article/usage-of-swagger-2-0-in-spring-boot-applications-to-document-apis/
It's all good: I can see the endpoints and use the UI to hit them. Now I want to somehow add visibility of my log file. I'm using logback with a rolling file appender. Is it possible to configure Swagger to start showing my logs?
