In a project's pom.xml
I am seeing a dependency like below
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.5</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.5</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
Can someone let me know what is the difference between slf4j-log4j12
& log4j
?
Comparison SLF4J and Log4j Unlike log4j, SLF4J (Simple Logging Facade for Java) is not an implementation of logging framework, it is an abstraction for all those logging frameworks in Java similar to log4J. Therefore, you cannot compare both. However, it is always difficult to prefer one between the two.
The SLF4J API is just an API which lets message data go through. As such, using log4j 2. x, even via SLF4J does not mitigate the vulnerability.
slf4j-log4j12 provides a bridge between SLF4J and Log4j 1.2 so that SLF4J knows about how to log using Log4j. You are using Log4j 1.2. That version's binding it is maintained by the SLF4J project. Here is a summary from the SLF4J docs: SLF4J supports various logging frameworks.
log4j-over-slf4j. SLF4J ship with a module called log4j-over-slf4j. It allows log4j users to migrate existing applications to SLF4J without changing a single line of code but simply by replacing the log4j. jar file with log4j-over-slf4j.
Log4j 1.2
slf4j-log4j12
provides a bridge between SLF4J and Log4j 1.2 so that SLF4J knows about how to log using Log4j.
You are using Log4j 1.2. That version's binding it is maintained by the SLF4J project. Here is a summary from the SLF4J docs:
SLF4J supports various logging frameworks. The SLF4J distribution ships with several jar files referred to as "SLF4J bindings", with each binding corresponding to a supported framework.
slf4j-log4j12-1.7.28.jar
Binding for log4j version 1.2, a widely used logging framework. You also need to place log4j.jar on your class path.
Log4j 2
If you are using Log4j 2 or later, you will need a different binding JAR than slf4j-log4j12
. That binding is maintained by the Log4j project. According to the Log4j docs:
The Log4j 2 SLF4J Binding allows applications coded to the SLF4J API to use Log4j 2 as the implementation.
You must provide both dependencies if you want SLF4J to route logging to Log4j. Again, from the Log4j 2 docs:
Simply include the Log4j 2 SLF4J Binding jar along with the Log4j 2 jars and SLF4J API jar to cause all SLF4J logging to be handled by Log4j 2.
To summarize:
<dependency> <!--Facade for logging systems-->
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.25</version>
</dependency>
<dependency> <!--Log4j 2 implementation for slf4j-->
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.12.0</version>
</dependency>
In addition make sure that you are using a log4j2
properties file. The mistake of using 'log4j.xml' did cost me quite some time
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With