Background
The default log level of our applications is DEBUG because we aim to separate informative logs from diagnostic logs. Recently, we received a vulnerability warning from commons-configuration2, prompting us to update the version. After the update, the application runs fine; however, the size of our log has grown from hundreds of kilobytes to a few gigabytes.
Investigation
The update of commons-configuration2 also upgraded commons-logging to version 1.3.0, which includes log4j-jcl. Previously, log4j-jcl was a standalone dependency. Now, all dependencies in our application (mainly commons-beanutils) are capable of writing logs through log4j loggers.
Solution
We modified log4j2.xml to suppress the excessive logging by package. In the long term, we may need to introduce a custom log level between INFO and DEBUG as our default log level and have a fine-grained logging configuration.
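A log4j2.xml along these lines shows both ideas: per-package suppression and a custom level between INFO and DEBUG. This is an added example, not the configuration from the original post. The level name DIAG, the appender name, the file paths and the size limits are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; values marked "assumed" are not from the original post. -->
<Configuration status="WARN">

  <!-- Custom level between INFO (intLevel 400) and DEBUG (intLevel 500).
       The name DIAG is assumed. -->
  <CustomLevels>
    <CustomLevel name="DIAG" intLevel="450"/>
  </CustomLevels>

  <Appenders>
    <!-- Size-capped file so an unexpected surge in log volume cannot fill
         the disk. File names, size and rollover count are assumed. -->
    <RollingFile name="App" fileName="logs/app.log"
                 filePattern="logs/app-%i.log.gz">
      <PatternLayout pattern="%d{ISO8601} %-5level [%t] %c{1.} - %m%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="10 MB"/>
      </Policies>
      <DefaultRolloverStrategy max="5"/>
    </RollingFile>
  </Appenders>

  <Loggers>
    <!-- Libraries that now log through Log4j via commons-logging 1.3.0:
         cap them by package so their DEBUG output is dropped. -->
    <Logger name="org.apache.commons.beanutils" level="WARN"/>
    <Logger name="org.apache.commons.configuration2" level="WARN"/>

    <!-- Default threshold is the custom level: DIAG and above is written,
         DEBUG from any package not listed above is suppressed. -->
    <Root level="DIAG">
      <AppenderRef ref="App"/>
    </Root>
  </Loggers>
</Configuration>
```

Application code would then emit its diagnostic messages at the custom level, for example with `logger.log(Level.getLevel("DIAG"), ...)`.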