Java Log4j 1 Log Management

You can send and manage your Java logs using Log4j version 1. We’ll show you how to setup a syslog appender to forward these to Rsyslog, which will then forward them to Loggly. We automatically parse out the timestamp, method, fully classified class name, thread, and log level from log4j. The syslog protocol does not support multiline events, so rsyslog will combine them into a single line escaped by octal characters. The advantage of using Rsyslog is that it can send TCP events without blocking your application, can optionally encrypt the data, and even queue data to add robustness to network failure. We’ve also created a log4j-syslogwriter-64k library that supports up to events up to 64k in size so long stacktraces do not get truncated. Although the library supports to send logs up to 64K, currently you can only ingest up to 32K logs to Loggly. This guide assumes you use Java Log4j version 1.2 or higher, the default log configuration and directories. For alternatives, please see the Advanced Options section.

Java Log4j Log Management Setup

  1. Configure Syslog Daemon
  2. If you haven’t already, run our automatic Configure-Syslog script below to setup rsyslog. Alternatively, you can Manually Configure Rsyslog or Syslog-ng.

    curl -O https://www.loggly.com/install/configure-linux.sh
    sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME
    

    Replace:

    • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
    • USERNAME: your Loggly username

  3. Configure Syslog Daemon for UDP Input
  4. Open rsyslog’s configuration file

    sudo vim /etc/rsyslog.conf
    

    Uncomment these lines to accept UDP messages on the default port 514.

    $ModLoad imudp
    $UDPServerRun 514
    

    Java Log4j Log

    Restart the rsyslog service so the changes take effect

    sudo service rsyslog restart
    

  5. Log4j Configuration
  6. Add Dependency in your pom.xml or Download jar file from maven

    <dependency>
      <groupId>com.github.psquickitjayant.log4jSyslogWriter64k</groupId>
      <artifactId>log4jSyslogWriter64k</artifactId>
      <version>1.0.0</version>
    </dependency>
    

    Then run maven to install

    mvn clean install
    

    Open your log4j.properties file:

    vim log4j.properties

    Configure SyslogAppender to write these messages as UDP over localhost to the syslog daemon. The daemon will forward them to Loggly. The first field in the conversion pattern is the syslog appname, in this case it’s set to java. If you are using an HTTP appender, you do not need to add an appname.

    log4j.rootLogger=INFO, SYSLOG
    
    log4j.appender.SYSLOG=com.loggly.log4j.SyslogAppender64k
    log4j.appender.SYSLOG.SyslogHost=localhost
    log4j.appender.SYSLOG.Facility=Local3
    log4j.appender.SYSLOG.Header=true
    log4j.appender.SYSLOG.layout=org.apache.log4j.EnhancedPatternLayout
    log4j.appender.SYSLOG.layout.ConversionPattern=java %d{ISO8601}{GMT} %p %t %c %M - %m%n
    

    Save the file then restart your Java application so the changes take effect.

  7. Verify Events
  8. Search Loggly for events with the java log type over the past hour. It may take a few minutes to index the event. If it doesn’t work, see the troubleshooting section below.

    logtype:java

    Click on one of the logs to show a list of Java or JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed formats.
    log4j

  9. Next Steps

Advanced Java Log4j Log Options

  • Log4j2 – You can also send log using Java Log4j2
  • File Monitoring – You can also configure Log4j with a FileAppender, then monitor that file using Rsyslog. This gives you a local backup but doesn’t work well with multiline stacktraces.
  • CustomAppname– You can set custom appName in Log4j using following conversion pattern
    log4j.appender.SYSLOG.layout=org.apache.log4j.EnhancedPatternLayout
    log4j.appender.SYSLOG.layout.ConversionPattern= CustomAppname %d{ISO8601}{GMT} %p %t %c %M - %m%n
  • Syslog4j – The Syslog4j appender can send events up to 64k in size, but it doesn’t seem to follow the layout pattern to enable parsing.
  • logglylog4j – To send events directly to Loggly over the HTTP/S Event API, supports multiline with proper newline display
  • Java Logback – For Logback or SLF4J logging
  • Loggly Libraries Catalog – Additional libraries are added here
  • Search or post your own log4j examples, configuration, log4j tutorials, or other questions in the community forum.

Java Log4j Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

    Check Log4j:

  • Wait a few minutes in case indexing needs to catch up
  • Verify Log4j is working, such as by setting up a local file appender with the same format
  • Run “sudo tcpdump -i lo -A udp and port 514″ to verify UDP events are being sent to localhost
  • Check Your Syslog Daemon:

  • Please check syslog file in /var/log/syslog if message not send to loggly.
  • If log is getting truncated please check rsyslog.conf file and add $MaxMessageSize 64k if not exist.
  • Troubleshooting Rsyslog
  • Still Not Working?

  • Search or post your own questions on Java log4j and Apache log4j in the community forum.
Thanks for the feedback! We'll use it to improve our support documentation.


Top