3

I am currently working on a Java application for a network monitoring tool. In my code I am supposed to use logging a lot. Since it's network management software, the information in the logs is quite useful to the user, hence it's compulsory to use them. But now I am a bit confused about what kind of logger method I should prefer. Right now I am using Logger.lop(...//...), since with its help we are also logging the class name and method, so it's becoming very easy for me (developers) to debug the code and find the error. But finally I am confused: should I deliver it to the end user with the same logging mechanism? Is there any harm in letting your user know what kind of class is executing currently, and in which method an error has occurred? I have seen many times in many products that a stack trace is used in exception handling, so normally we get the class name as well. So is there no problem in letting the end user know what your class name and method are?

amod

3 Answers

7

log4j/logback/slf4j allow you to have different formats for different appenders. For development you can enable a console appender where you include the class name in the format, while for the end-users you can omit it (for a file appender).

Bozho
  • I can't use any other package; I am using logger only in the places where I want to log a message in the log file. So the main question is: is displaying the class name in the log file OK or not? – amod Sep 02 '11 at 13:34
  • 3
    Ask your users. It's OK for me. – Bozho Sep 02 '11 at 13:40
7

Before considering the security implications of it, consider the performance. In most logging systems, getting the actual classname and method name dynamically by the logging facility requires reflection and dramatically slows down the logging - usually a synchronous operation. My guess is that in a network monitoring application, you really don't want that.

If you're hard-coding the method name into the log message (either by making it part of the message or by the category), that's a different story. As a security person, I don't consider it to be that big of a deal - if your code is in Java, it can be reversed anyhow, so your code should operate in such a way that it would be secure even if the code was given away.

All that being said, you could either use a different logging configuration for development and production, or those fine-grained messages could go in debug, trace, etc. If you're using log4j, it's generally advisable to use isDebugEnabled to wrap any logging statements which include anything dynamically-calculated as those get calculated before the logging statement determines whether it's enabled.

Colselaw
  • It appears that Log4j does use reflection... but does Logback (the default SLF4J implementation)? I believe that in JDK 1.5+, you can call `Thread.getStackTrace()` to get the stack trace elements, and from the top element, your method name -- without reflection. It seems like a decent logging system would use that facility. – Jake Toronto Oct 16 '14 at 22:41
1

It's worth mentioning that such logging is performance costly in Java, contrary to C++ where it is usually implemented with the preprocessor. Fortunately, with log4j/logback you can switch it on and off — follow Bozho's advice.

MaDa
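
The advice in the answers above (a different format per handler, and a guard around costly messages), as an added example that is not code from any of the posters. It assumes the asker's logger is `java.util.logging`; the logger name, `PollerTask`, the address and the messages are constructed for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class LogFormatDemo {
    /** Developer format: class, method and the full stack trace. */
    static final class DevFormatter extends Formatter {
        @Override public String format(LogRecord r) {
            StringWriter sw = new StringWriter();
            sw.append(String.format("%s [%s.%s] %s%n", r.getLevel(),
                    r.getSourceClassName(), r.getSourceMethodName(), formatMessage(r)));
            if (r.getThrown() != null) r.getThrown().printStackTrace(new PrintWriter(sw, true));
            return sw.toString();
        }
    }

    /** End-user format: level and message only, no class names or stack frames. */
    static final class UserFormatter extends Formatter {
        @Override public String format(LogRecord r) {
            String cause = r.getThrown() == null ? "" : " (" + r.getThrown().getMessage() + ")";
            return String.format("%s: %s%s%n", r.getLevel(), formatMessage(r), cause);
        }
    }

    /** Same logger and same call sites in both builds; only format and level differ. */
    static Logger configure(boolean development) {
        Logger log = Logger.getLogger("netmon.demo"); // hypothetical logger name
        log.setUseParentHandlers(false);              // keep the root handler's format out
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(development ? new DevFormatter() : new UserFormatter());
        handler.setLevel(development ? Level.FINE : Level.INFO);
        log.addHandler(handler);
        log.setLevel(development ? Level.FINE : Level.INFO);
        return log;
    }

    public static void main(String[] args) {
        Logger log = configure(args.length > 0 && args[0].equals("dev"));
        // Class and method are passed explicitly, so nothing is inferred from the call stack.
        log.logp(Level.WARNING, "PollerTask", "run", "Poll of device 192.0.2.5 failed",
                new IOException("timeout after 3000 ms"));
        if (log.isLoggable(Level.FINE)) { // skip building the message when FINE is off
            log.logp(Level.FINE, "PollerTask", "run", "Arguments: " + String.join(",", args));
        }
    }
}
```

Run it with the argument `dev` to get the developer format; without it, the same calls produce the end-user output.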