Configuring logging

Application Security uses Apache Log4j™ 2 for its logging services. The logging configuration is located in the <fortify.home>/<app_context>/conf/log4j2.xml file.

Application Security manages the log4j2.xml file and it might be overwritten during restarts or upgrades. Do not use it for permanent configuration changes.

Changes to the configuration file while Application Security is running take effect in approximately 10 seconds (as defined by the value of the monitorInterval attribute in the configuration). You cannot add a new logger definition to the configuration and set a level for it. Only changes to existing loggers are picked up dynamically.

To implement persistent logging configuration changes, set up a custom Log4j2 configuration override file. Changes to the override configuration file without a Application Security restart follow the same rules as the main configuration file as previously described. The configuration from the provided log4j2.xml and the custom Log4j2 files are merged and in case of conflicts, the override configuration file takes precedence.

To create a custom Log4j2 override configuration file:

  1. Copy the main log4j2.xml file and create an override configuration file.

  2. Make changes to the override configuration file.

    You can add new appenders or loggers and modify existing ones in the override configuration file.

    The custom override configuration file format uses the same format as the main configuration file.

  3. Set the COM_FORTIFY_SSC_LOG4J2_OVERRIDE system environment variable or the com.fortify.ssc.log4j2.override JVM system property to the absolute path for your custom Log4j2 configuration file.