Swagger integration with Logback - spring-boot

I'm setting up my Spring Boot application and I've managed to add API documentation using Swagger, following this tutorial:
http://heidloff.net/article/usage-of-swagger-2-0-in-spring-boot-applications-to-document-apis/
It's all good: I can see the endpoints and use the UI to hit them. Now I want to somehow add visibility of my logging file. I'm using Logback with a rolling file appender. Is it possible to configure Swagger to start showing my logs?

Related

Micrometer Rest API

I have a non-Boot Spring application with Micrometer integrated. Right now we are pushing these metrics to the logging file using LoggingRegistry.
We want to enhance this project to expose these metrics in the REST API (we cannot use Actuator, as turning on auto-configuration is causing issues in our non-Boot application). Is there any way to expose these metrics, which are automatically provided by Micrometer, in the REST API?
Any example will be appreciated.
You can add PrometheusMeterRegistry; it is for this use case. See the docs: https://micrometer.io/docs/registry/prometheus

Fortify dynamic-code-evaluation-unsafe-deserialization on Spring Boot Actuator 2.1.6

I have the same problem as in the question, the only answer is to upgrade the spring-boot version to 2.0.6. However, I currently have version 2.1.6.RELEASE and I still have the same vulnerability in the report.
Your scan report should have an abstract, explanation, and recommendation for the issue. (Here are a few links to help you generate the report - Fortify file (.fpr file) to PDF convertion, How do I generate a report that has all the issues?)
In short, this issue is because Spring Boot Actuator exposes JMX management endpoints by default. JMX uses Java serialization to send/receive messages; an attacker that is able to connect and authenticate to the Actuator JMX endpoints will be able to send a malicious Java serialization payload which may run arbitrary code upon deserialization by the JMX endpoint.
Fix:
Spring Boot Actuator JMX endpoints may be disabled by adding the following properties to the application.properties file:
endpoints.jmx.enabled=false
management.endpoints.jmx.exposure.exclude=*
Note: endpoints.jmx.enabled=false is deprecated
There's also a nice answer on MicroFocus
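
A runtime check that the JMX exclusion from the answer above actually took effect, added here as an example (not code from the original answer or from Spring Boot). It lists MBeans matching org.springframework.boot:type=Endpoint,*, the default domain Spring Boot documents for Actuator endpoints; the class name and the demo MBean are made up for illustration.

```java
import java.lang.management.ManagementFactory;
import java.util.Set;
import java.util.TreeSet;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

public final class ActuatorJmxExposureCheck {

    // Spring Boot's documented default JMX domain for Actuator endpoints.
    // Pass a different value if management.endpoints.jmx.domain is overridden.
    static final String DEFAULT_DOMAIN = "org.springframework.boot";

    /** Returns the Actuator endpoint MBeans currently registered in the given server. */
    static Set<String> exposedEndpoints(MBeanServer server, String domain) throws Exception {
        ObjectName pattern = new ObjectName(domain + ":type=Endpoint,*");
        Set<String> found = new TreeSet<>();
        for (ObjectName name : server.queryNames(pattern, null)) {
            found.add(name.getCanonicalName());
        }
        return found;
    }

    // Constructed stand-in for an endpoint MBean, used only by the demo below.
    public interface DemoMBean { String getStatus(); }
    public static final class Demo implements DemoMBean {
        @Override public String getStatus() { return "UP"; }
    }

    public static void main(String[] args) throws Exception {
        // Isolated server so the demo does not touch the platform MBean server.
        MBeanServer demo = MBeanServerFactory.newMBeanServer();
        System.out.println("before: " + exposedEndpoints(demo, DEFAULT_DOMAIN));

        // Constructed sample registrations: one endpoint-style name, one unrelated MBean.
        demo.registerMBean(new Demo(), new ObjectName(DEFAULT_DOMAIN + ":type=Endpoint,name=Health"));
        demo.registerMBean(new Demo(), new ObjectName("com.example:type=Cache,name=Users"));
        System.out.println("after:  " + exposedEndpoints(demo, DEFAULT_DOMAIN));

        // Inside a running application, query the real server instead.
        Set<String> live = exposedEndpoints(ManagementFactory.getPlatformMBeanServer(), DEFAULT_DOMAIN);
        System.out.println("platform server: " + live);
    }
}
```

Called from inside the application (for instance in an integration test), an empty set for the platform server indicates the exclusion was applied.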

Can we integrate Swagger with JAX-RS without creating a JSON configuration file?

I have been using Swagger for a while with Spring Boot applications. It is very easy with Spring since I only have to specify the package info.
But recently I was going through a few documents on how to integrate Swagger with JAX-RS, and I found it requires more involvement from the developer by specifying API information in a JSON file.
Do we have any other solution?

Log action in Spring Boot Admin

How can I configure Spring Boot Admin to log actions? For example, I want Spring Boot Admin to log an action when someone changes the log level from INFO to DEBUG, or when someone changes a configuration value in the JMX tab and writes a wrong configuration that overrides the existing one.
Does Spring Boot Admin have a feature to do that?
No, it doesn't, but you could write a Zuul filter that intercepts and analyzes the request to /api/applications/{id}/logfile and writes a log statement.
Spring Boot includes a number of additional features to help you
monitor and manage your application when it’s pushed to production.
You can choose to manage and monitor your application using HTTP
endpoints, with JMX or even by remote shell (SSH or Telnet). Auditing,
health and metrics gathering can be automatically applied to your
application.
Actuator HTTP endpoints are only available with a Spring MVC-based
application. In particular, it will not work with Jersey unless you
enable Spring MVC as well.
You can also activate a listener by invoking the SpringApplication.addListeners(…​) method and passing the appropriate Writer object. This method also allows you to customize the file name and path via the Writer constructor.
Customize your requirement in Actuator
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready
Maven:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
    <version>1.5.2.RELEASE</version>
</dependency>
http://www.baeldung.com/spring-boot-authentication-audit

How to serve up logging files in a html page?

We are using Spring Boot for our web service. The logging is implemented using Logback. The application is deployed on a Red Hat Linux box, and now if we want to browse the logs we don't want to look through the plain text version. There needs to be a static HTML page to serve it up. I tried looking at the examples but no one tried for logging.
Spring Boot Admin is a separate application which offers admin features over any Spring Boot app. These features include a logfile endpoint which allows you to see and tail logfile(s) produced by a Spring Boot app. By default, that endpoint will provide access to the log file defined by the Spring Boot logging.file property, and you can also configure a non Spring Boot managed logfile by defining the property: endpoints.logfile.external-file.
If that tool is not a runner then your options might be:
logviewer
Roll your own, for example ...
Use Commons IO Tailer to tail your file, via a file mount on the target server or remotely using Jsch perhaps
Use a SocketAppender to emit log events from the server and consume those log events on the client side for display in the browser
Log Viewer solves this problem. It provides a web page to monitor logs on a server. Full access to the log file is available, not only tail. Filtering and highlighting are supported as well. No problem with big files.
The tool can be added to a spring boot application as a library and works inside the application, or can be run standalone.
