Upgrading the Log4j2 logging configuration for IAM 8.0

Airlock IAM uses Log4j to create log messages for IAM. Up to Airlock IAM 7.7, Log4j WebLookups have been used to include the name of the logging IAM module (e.g. Adminapp or Transaction Approval) in the log messages.

With Airlock IAM 8.0 and later, Log4j WebLookups are no longer supported by Log4j. As a replacement, the IAM module name is now part of the Log4j configuration files.

When migrating the IAM configuration to 8.0, the upgrade process can automatically migrate the Log4j configuration files in most cases. If the logging configuration is customized, the migration may fail or be incomplete and has to be fixed manually.

This article describes how to check if the migration has been successful and what to do if the automatic migration fails.

Checks after running the IAM upgrade command

Check the migration outcome as follows:

  1. Check if the Log4j configuration files still contain WebLookups, i.e. ${web:initParam.CONTEXT_ID}. Replace them with the ${applicationName} property lines in the Log4j configuration files as described in this article.
  2. Verify that environment variables do not contain WebLookups.
  3. Start Airlock IAM and check in the log directory that all files are present and properly named.
  4. Verify that logging after upgrading works as expected.
    • Logging only shows the corresponding IAM module name in the log lines if the Log4j configuration files have been migrated properly.
    • When using environment variables, ensure the migrated Log4j configuration files are the ones in charge of logging.

Resolve migration issues

By default, for each Airlock IAM module, a dedicated *.xml configuration file is available under .../instances/auth/log4j/.

  • If IAM does not start up, check and correct the Log4j 2 configuration files as in the following example.
  • Ensure that the migrated configuration files are used for logging if environment variables are set for IAM startup.

Example:

<?xml version="1.0" encoding="UTF-8"?>

<Configuration name="Loginapp Log4j 2 Configuration" monitorInterval="60">

	<Properties>
		<Property name="applicationName" value="loginapp"/>
		...
	</Properties>
	...
</Configuration>

The example shows the content of a properly migrated .../log4j/loginapp.xml file with the new line <Property name="applicationName" value="loginapp"/> for the loginapp module. It defines the applicationName to have the value loginapp. Thus, ${applicationName} can be used in log patterns to refer to the module name.

Ensure each IAM module's Log4j configuration file contains the Property tag with the name applicationName and the corresponding value:

IAM module              Property value
Loginapp                loginapp
Adminapp                adminapp
Transaction Approval    transaction-approval
API Policy Service      api-policy-service
Service Container       servicecontainerapp
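
The checks above, as an added Python example that is not part of Airlock IAM or its documentation: it reports leftover ${web:...} lookups and a missing or mismatched applicationName property in one module's configuration text. The function name, the sample configurations and the "pattern" property are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Module -> expected applicationName value, taken from the table on this page.
EXPECTED = {
    "Loginapp": "loginapp",
    "Adminapp": "adminapp",
    "Transaction Approval": "transaction-approval",
    "API Policy Service": "api-policy-service",
    "Service Container": "servicecontainerapp",
}
WEB_LOOKUP = re.compile(r"\$\{web:[^}]*\}")  # e.g. ${web:initParam.CONTEXT_ID}

def check_log4j_config(xml_text, module):
    """Return migration findings for one module's config text (empty list = OK)."""
    findings = [f"leftover WebLookup: {hit}"
                for hit in sorted(set(WEB_LOOKUP.findall(xml_text)))]
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    # Log4j 2 accepts the value as an attribute (as on this page) or as element text.
    values = [(p.get("value") or p.text or "").strip()
              for p in root.findall("./Properties/Property")
              if p.get("name") == "applicationName"]
    if not values:
        findings.append("applicationName property missing")
    elif values != [EXPECTED[module]]:
        findings.append(f"applicationName is {values}, expected {EXPECTED[module]!r}")
    return findings

# Constructed samples; the "pattern" property is illustrative only.
MIGRATED = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration name="Loginapp Log4j 2 Configuration" monitorInterval="60">
  <Properties>
    <Property name="applicationName" value="loginapp"/>
    <Property name="pattern" value="%d ${applicationName} %m%n"/>
  </Properties>
</Configuration>"""
# The same file as it would look before migration (constructed).
UNMIGRATED = (MIGRATED
    .replace('<Property name="applicationName" value="loginapp"/>', "")
    .replace("${applicationName}", "${web:initParam.CONTEXT_ID}"))

if __name__ == "__main__":
    for label, text in (("migrated", MIGRATED), ("unmigrated", UNMIGRATED)):
        print(label, check_log4j_config(text, "Loginapp") or "OK")
```
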

Environment variables and logging

If the IAM instance is started with environment variables that alter the location of the logging configuration files (e.g. by overriding the instance property iam.loginapp.log4j.configs), set the same environment variables when running the upgrade command. This allows the upgrade command to migrate the files that are used to start IAM after the upgrade.