[survey] What version of Java do you use?
Curious:
What version of Java do you use with Log4j 1?
What version of Java do you use with Log4j 2?
Thank you,
Gary
--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition http://www.manning.com/bauer3/
JUnit in Action, Second Edition http://www.manning.com/tahchiev/
Spring Batch in Action http://www.manning.com/templier/
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
Re: [survey] What version of Java do you use?
I've been using version 2 in Java 1.6-1.8, but hopefully we'll be all 1.7+ within the next few months. Personally, I also keep track of 1.9 development, but not a whole lot has changed yet.

On Monday, 8 September 2014, Gary Gregory garydgreg...@gmail.com wrote:
> Curious:
> What version of Java do you use with Log4j 1?
> What version of Java do you use with Log4j 2?
> Thank you,
> Gary

--
Matt Sicker boa...@gmail.com
Re: [survey] What version of Java do you use?
I'm all Java 7 with some 8 experiments.
Gary

On Mon, Sep 8, 2014 at 9:46 AM, Matt Sicker boa...@gmail.com wrote:
> I've been using version 2 in Java 1.6-1.8, but hopefully we'll be all 1.7+ within the next few months. Personally, I also keep track of 1.9 development, but not a whole lot has changed yet.
Re: [survey] What version of Java do you use?
Hello,
Not that I have started suggesting Log4j2 to our client projects. However, conducted experiments using JDK 1.6 / JDK 1.7.
We used Log4j1 prior till JDK 5.
Regards,
-Yogesh

On Mon, Sep 8, 2014 at 7:25 PM, Gary Gregory garydgreg...@gmail.com wrote:
> I'm all Java 7 with some 8 experiments.
> Gary
Logging requirement for PCI (payment card industry)
Hello list!

For PCI requirement 10.2.6 (Initialization, stopping, or pausing of the audit logs) [1], I'm wondering what the best solution would be from your point of view?

The PCI requirements are detailed further in the spec:

Verify the following are logged:
- Initialization of audit logs
- Stopping or pausing of audit logs

Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions.

The PCI auditor told us it's enough if the application logs when it's started and when it's stopped.

[1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Thanks in advance,
Christian
-
Software Integration Specialist
Apache Member
V.P. Apache Camel | Apache Camel PMC Member | Apache Camel committer
Apache Incubator PMC Member
Re: [survey] What version of Java do you use?
Currently a mixture of 6 and 7 at work. Slowly moving to a mixture of 7 and 8, but there's no timeline for that.

On 2014/09/08, at 21:46, Gary Gregory garydgreg...@gmail.com wrote:
> Curious:
> What version of Java do you use with Log4j 1?
> What version of Java do you use with Log4j 2?
> Thank you,
> Gary

-
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
Re: Logging requirement for PCI (payment card industry)
Christian,

I started work on Log4j 2 primarily for use by my employer at the time, who performs internet banking activities. As such, losing audit events is not acceptable in that environment.

I am not really clear on what you are asking. If you don’t specify a monitorInterval on your configuration then you will not be able to reconfigure logging during execution, which sounds like what you are wanting. If you want a start and stop message one way to do that is to specify a start and stop message in the header and footer elements of the PatternLayout. If you are running in a servlet container you can also use a ServletContextListener to do that.

Ralph

On Sep 8, 2014, at 8:22 AM, Christian Müller christian.muel...@gmail.com wrote:
> Hello list!
> For PCI requirement 10.2.6 (Initialization, stopping, or pausing of the audit logs) [1], I'm wondering what the best solution would be from your point of view?
> The PCI requirements are detailed further in the spec:
> Verify the following are logged:
> - Initialization of audit logs
> - Stopping or pausing of audit logs
> Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions.
> The PCI auditor told us it's enough if the application logs when it's started and when it's stopped.
> [1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
> Thanks in advance,
> Christian
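The ServletContextListener approach mentioned in the reply above, as an added example that is not part of the original thread and not Log4j's own code. The class name, the `audit` logger name and the `AUDIT_LIFECYCLE` marker are assumptions; it targets the `javax.servlet` API and the Log4j 2 API.

```java
import java.lang.management.ManagementFactory;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;

/**
 * Hypothetical listener that writes one audit record when the web application
 * (and with it the audit logging) starts and one when it stops.
 *
 * Register it in web.xml. The container calls contextDestroyed in reverse
 * order of listener declaration, so declare this listener after any listener
 * that shuts logging down; otherwise the stop record may never be written.
 */
public class AuditLifecycleListener implements ServletContextListener {

    // Assumed names: route the "audit" logger to the audit appender in the
    // Log4j configuration; the marker lets a filter or a reviewer pick out
    // lifecycle records from ordinary audit events.
    private static final Logger AUDIT = LogManager.getLogger("audit");
    private static final Marker LIFECYCLE = MarkerManager.getMarker("AUDIT_LIFECYCLE");

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        AUDIT.info(LIFECYCLE, "audit-log-initialized {}", describe(sce));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        AUDIT.info(LIFECYCLE, "audit-log-stopping {}", describe(sce));
    }

    // Records which application, which JVM process and which OS account the
    // event belongs to, so a start without a preceding stop can be traced.
    private static String describe(ServletContextEvent sce) {
        return "context=" + sce.getServletContext().getContextPath()
                + " jvm=" + ManagementFactory.getRuntimeMXBean().getName()
                + " osUser=" + System.getProperty("user.name");
    }
}
```

An "audit-log-initialized" record that is not preceded by a matching "audit-log-stopping" record marks an unclean stop worth reviewing, since a killed process never reaches `contextDestroyed`.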
Re: Logging requirement for PCI (payment card industry)
How secure does it need to be? Because there are usually ways around Java security (hence all the security patches). Oftentimes, a misconfigured policy file is enough to let the house of cards come tumbling down!

On 8 September 2014 18:36, Ralph Goers ralph.go...@dslextreme.com wrote:
> Christian,
> I started work on Log4j 2 primarily for use by my employer at the time, who performs internet banking activities. As such, losing audit events is not acceptable in that environment.
> I am not really clear on what you are asking. If you don’t specify a monitorInterval on your configuration then you will not be able to reconfigure logging during execution, which sounds like what you are wanting. If you want a start and stop message one way to do that is to specify a start and stop message in the header and footer elements of the PatternLayout. If you are running in a servlet container you can also use a ServletContextListener to do that.
> Ralph

--
Matt Sicker boa...@gmail.com
Re: Logging requirement for PCI (payment card industry)
On that note, actually, I've been trying to slowly make Log4j not require higher security permissions. A lot of stuff would still work just fine in a highly restricted environment (e.g., an applet), but we hadn't really been checking permissions and providing fallbacks everywhere. Then again, that just might be due to the fact that in order to get any sort of plugin system working in Java (without something like OSGi), you need ClassLoaders, and the getClassLoader runtime permission can really open up a can of worms security-wise.

On 8 September 2014 18:41, Matt Sicker boa...@gmail.com wrote:
> How secure does it need to be? Because there are usually ways around Java security (hence all the security patches). Oftentimes, a misconfigured policy file is enough to let the house of cards come tumbling down!

--
Matt Sicker boa...@gmail.com
Re: [survey] What version of Java do you use?
Hi,
New projects = java 7 and Log4j2
Old projects (maintenance) = java 6 and Log4j1
Best regards,
Oswaldo

On Sep 8, 2014, at 6:53 PM, Remko Popma remko.po...@gmail.com wrote:
> Currently a mixture of 6 and 7 at work. Slowly moving to a mixture of 7 and 8, but there's no timeline for that.