Preface 作者序 Java http://books.gotop.com.tw/download/acl044800
8 第章 稽核 (Auditing) 與紀錄 (Logging) 本章概要 8.1 紀錄輸出方案 - Log4J 8.2 遠端備份紀錄 - Syslog
Java Auditing Accountability Audit trails Logging Accountability Identification Repudiation Information Disclosure Timestamp ID ID IP 8-2
Auditing Logging 8 Log Log ID ID Millisecond IP 2012 10 [1] 8-3
Java 8.1 紀錄輸出方案 Log4J Java Log Apache Apache Software Foundation Log4J Log4J 8-4
Auditing Logging 8 Log4J Package java.util Root Logger Log Level TRACE DEBUG INFO WARN ERROR FATAL Console File Java JDBC SMTP Syslog Log4J Log4J 2.2 log4j-api-2.2.jar log4j-core-2.2.jar error Log Console 8-1 log4j2.xml 01 <?xml version="1.0" encoding="utf-8"?> 02 <Configuration status="warn"> 03 <Appenders> 04 <Console name="console" target="system_out"> 05 <PatternLayout pattern="%d{yyyy-mm-dd HH:mm:ss.SSS} - %m%n"/> 06 </Console> 07 <File name="file" filename="logs/app.log"> 08 <PatternLayout pattern="%d{yyyy-mm-dd HH:mm:ss} - %m%n"/> 09 </File> 10 </Appenders> 11 <Loggers> 12 <Root level="error"> 13 <AppenderRef ref="console"/> 14 <AppenderRef ref="file"/> 15 </Root> 16 </Loggers> 17 </Configuration> 8-5
Java Logger trace debug info warn error fatal 8-2 TestLog4J.java 01 Logger logger = LogManager.getLogger(); 02 logger.trace("trace msg"); 03 logger.debug("debug msg"); 04 logger.info("info msg"); 05 logger.warn("warn msg"); 06 logger.error("error msg"); 07 logger.fatal("fatal msg"); error 2 5 debug <Root level="error"> <Root level="debug"> Log4J Log Log4J Log4J Logger Appender Layout 8-1 Log4J 8-6
Auditing Logging 8 8.1.1 Logger Level Package Appender Logger Root 8-3 log4j2_8-3.xml 01 <Loggers> 02 <Logger name="x.y.z" level="trace"> 03 <AppenderRef ref="console"/> 04 </Logger> 05 <Root level="error"> 06 <AppenderRef ref="console"/> 07 </Root> 08 </Loggers> Root error error Log4J fatal > error > warn > info > debug > trace fatal error warn info debug trace log Console Appender x.y.z Logger x.y.z trace trace Console Appender Root Logger Logger logger = LogManager.getRootLogger(); class Logger Logger logger = LogManager.getLogger(); Logger Log 8-7
Java 8-4 Log4JDemo.java 01 logger.trace("trace Message"); 02 logger.debug("debug Message"); 03 logger.info("info Message"); 04 logger.warn("warn Message"); 05 logger.error("error Message"); 06 logger.fatal("fatal Message"); Log4J class warn ConsoleAppender Warn Message Error Message Fatal Message Log level class debug Debug Message Info Message Warn Message Error Message Fatal Message 8.1.2 Appender Appender Log4J Appender ConsoleAppender FileAppender RollingFileAppender JDBCAppender SMTPAppender SyslogAppender Appenders 8-8
Auditing Logging 8 8-5 log4j2_8-5.xml 01 <Appenders> 02 <Console name="console" target="system_out"> 03... 04 </Console> 05 <File name="file" filename="logs/app.log"> 06... 07 </File> 08 <RollingFile name="rollingfile" filename="logs/app.log" 09 filepattern="logs/app-%d{yyyy-mm-dd}-%i.log"> 10 <Policies> 11 <TimeBasedTriggeringPolicy /> 12 <SizeBasedTriggeringPolicy size="200mb"/> 13 </Policies> 14... 15 </RollingFile> 16 <JDBC name="db" tablename="myschema.aplog"> 17 <DataSource jndiname="java:/comp/env/jdbc/logdb" /> 18 <Column name="event_time" iseventtimestamp="true" /> 19 <Column name="level" pattern="%level" /> 20 <Column name="class" pattern="%class" /> 21 <Column name="line" pattern="%line" /> 22 <Column name="message" pattern="%message" /> 23 <Column name="exception" pattern="%ex{full}" /> 24 </JDBC> 25 <SMTP name="mail" subject="error Log" to="" from="" 26 smtphost="localhost" smtpport="25" buffersize="50"> 27 </SMTP> 28 <Syslog name="syslog" host="localhost" port="514" protocol="tcp"/> 29 </Appenders> ConsoleAppender Console name ConsoleAppender target SYSTEM_OUT SYSTEM_ERR SYSTEM_ERR 8-9
Java FileAppender name FileAppender filename RollingFileAppender FileAppender RollingFileAppender name RollingFileAppender filename filepattern java.text.simpledateformat %i 2015 10 12 %d{yyyy-mmdd}-%i.log 2015-10-12-1.log 2015-10-12-2.log filename TimeBased Triggering Policy %d{yyyy-mm-dd}-%i.log dd SizeBased Triggering Policy size="200mb" 200MB KB MB GB Composite Triggering Policy TimeBased SizeBased 8-10
Auditing Logging 8 8-6 log4j2.xml 01 <Policies> 02 <TimeBasedTriggeringPolicy/> 03 <SizeBasedTriggeringPolicy size="200mb"/> 04 </Policies> JDBCAppender name JDBCAppender tablename DataSource jndiname JNDI JDBC Column name Column pattern PatternLayout conversion pattern iseventtimestamp Log SMTPAppender name SMTPAppender subject from to cc bcc smtphost SMTP IP smtpport SMTP smtpprotocol smtpusername SMTP smtppassword SMTP 8-11
Java SyslogAppender name SyslogAppender format RFC5424 RFC5424 BSD host Syslog port Syslog protocol TCP UDP appname Log facility Syslog KERN USER MAIL DAEMON AUTH SYSLOG LPR NEWS UUCP CRON AUTHPRIV FTP NTP AUDIT ALERT CLOCK LOCAL0 LOCAL1 LOCAL2 LOCAL3 LOCAL4 LOCAL5 LOCAL6 LOCAL7 newline Syslog true messageid RFC5424 MSGID mdcid RFC5424 mdcid Log4J 2.2 8.1.3 Layout Log4J Layout Log4J JSONLayout HTMLLayout PatternLayout XMLLayout PatternLayout PatternLayout conversion pattern Log 8-12
Auditing Logging 8 8-1 PatternLayout %d {} Java Doc SimpleDateFormat %c com.abc.classa %L %m %n %p Log INFO, ERROR %t Log %c % c 8-2 PatternLayout %10c 10 - %-10c 10. %.20c 20. %10.20c 10 20 -. %-10.20c 10 20 8-13
Java PatternLayout <PatternLayout pattern="%d{yyyy-mm-dd HH:mm:ss.SSS} [%t] %-5p %c %L - %m%n"/> Logger logger = LogManager.getLogger(); logger.debug("debug msg"); logger.warn("warn msg"); PatternLayout 2015-01-01 12:25:38.123 [main] DEBUG com.abc.classa 2 - debug msg 2015-01-01 12:25:38.123 [main] WARN com.abc.classa 3 - warn msg JSONLayout Log JSON Jackson jackson-core jackson-annotations jackson-databind 2.0 JSONLayout charset character set UTF-8 complete JSON [ ] false locationinfo file class method line false JSONLayout <JsonLayout locationinfo="true" complete="false" /> 8-14
Auditing Logging 8 Logger logger = LogManager.getLogger(); logger.debug("debug msg"); logger.warn("warn msg"); JSONLayout { } { } "timemillis" : 1429163424446, "thread" : "main", "level" : "DEBUG", "loggername" : "sweb.ch8.testlog4j", "message" : "debug msg", "endofbatch" : false, "loggerfqcn" : "org.apache.logging.log4j.spi.abstractlogger", "source" : { "class" : "sweb.ch8.testlog4j", "method" : "main", "file" : "TestLog4J.java", "line" : 2 } "timemillis" : 1429163424498, "thread" : "main", "level" : "WARN", "loggername" : "sweb.ch8.testlog4j", "message" : "warn msg", "endofbatch" : false, "loggerfqcn" : "org.apache.logging.log4j.spi.abstractlogger", "source" : { "class" : "sweb.ch8.testlog4j", "method" : "main", "file" : "TestLog4J.java", "line" : 3 } 8-15
Java FileAppender HTMLLayout HTML HTML Table row HTMLLayout charset character set contenttype HTML contenttype locationinfo false title HTML title HTMLLayout <HTMLLayout locationinfo="true"/> Logger logger = LogManager.getLogger(); logger.debug("debug msg"); logger.warn("warn msg"); HTMLLayout <tr> <td>291</td> <td title="main thread">main</td> <td title="level"><font color="#339933">debug</font></td> <td title="sweb.ch8.testlog4j logger">sweb.ch8.testlog4j</td> <td>testlog4j.java:12</td> <td title="message">debug msg</td> </tr> <tr> <td>294</td> <td title="main thread">main</td> <td title="level"><font color="#993300"><strong>warn</strong></font></td> <td title="sweb.ch8.testlog4j logger">sweb.ch8.testlog4j</td> <td>testlog4j.java:14</td> 8-16
Auditing Logging 8 <td title="message">warn msg</td> </tr> XMLLayout Log XML Jackson jackson-core jackson-annotations jackson-databind jackson-dataformat-xml 2.0 XMLLayout charset character set UTF-8 UTF-16 complete XML false compact false true XMLLayout <XMLLayout charset="utf-8" complete="true" compact="true"/> Logger logger = LogManager.getLogger(); logger.debug("debug msg"); logger.warn("warn msg"); XMLLayout <?xml version="1.0" encoding="utf-8"?> <Events xmlns="http://logging.apache.org/log4j/2.0/events"> <Event xmlns="" xmlns="http://logging.apache.org/log4j/2.0/events" timemillis="1429232254605" thread="main" level="debug" loggername="sweb.ch8.testlog4j" endofbatch="false" loggerfqcn="org.apache.logging.log4j.spi.abstractlogger"> <Message>debug msg</message> </Event> <Event xmlns="" xmlns="http://logging.apache.org/log4j/2.0/events" timemillis="1429232254662" thread="main" level="warn" 8-17
Java loggername="sweb.ch8.testlog4j" endofbatch="false" loggerfqcn="org.apache.logging.log4j.spi.abstractlogger"> <Message>warn msg</message> </Event> </Events> IP Log4J message Session ID IP Log4J Thread Context Mapped Diagnostic Context MDC Thread Context Log4J Thread Context AccCtrlFilter.java request Session ID Thread Context 8-7 AccCtrlFilter.java 01 String sessionid = req.getsession().getid(); 02 String ip = req.getremoteaddr(); 03 ThreadContext.put("sessionId", sessionid); 04 ThreadContext.put("IP", ip); PatternLayout %X pattern <PatternLayout pattern="%d{yyyy-mm-dd HH:mm:ss.SSS} %X{IP} %X{sessionId} [%t] %-5p %c %L - %m%n"/> Log 2015-10-12 14:10:52.516 127.0.0.1 638F7B86154A00D9D932D047833835B0 [http-bio-80-exec-1] INFO sweb.ch7.accctrlfilter 42 - login succeed. 8-18
Auditing Logging 8 8.2 遠端備份紀錄 Syslog Java Log4J Syslog Log4J SyslogAppender Log Syslog Syslog Syslog CentOS CentOS 6 rsyslog log Syslog /etc/rsyslog.conf vi /etc/rsyslog.conf UDP 514 port # #$ModLoad imudp #UDPServerRun 514 TCP 514 port # $ModLoad imtcp $InputTCPServerRun 514 syslog Ip $template RemoteLogs,"/var/log/%FROMHOST-IP%.log" * *.*?RemoteLogs & ~ 8-19
Java rsyslogd /etc/init.d/rsyslog restart 514 port rsyslog server netstat -lnptu grep 514 參考資料 [1] http://law.moj.gov.tw/lawclass/lawall.aspx?pcode=i0050021 [2] http://logging.apache.org [3] http://www.rsyslog.com/ 8-20