Question

I had a request to find a solution for making a log file secure from editing by the user (not the root user) running the JBoss instance of an application (Linux environment).

The first idea I had is to use chattr +a from the root user to allow only the appending of new rows to the log file.

But Log4j is configured to rotate the file each day, and for this reason I suppose that I should repeat the chattr command for each file created every day. I am also not sure that the previous day's file in its "append only" state can be zipped by the rotation.

Any suggestion or alternative way to proceed is welcomed.

Solution

One way is to create your own "daily rolling file appender". In a similar situation, I created a file appender based on the CustodianDailyRollingFileAppender (see the answers in this question for more information). Put your custom version in a "log4j-custom.jar" and place that in the JBoss common lib-directory. The last step is to update the log4j-configuration file to use the custom file appender.

In your custom file appender you can execute commands (1) to change the file-attributes before and after rolling log-files. Make sure to test your custom rolling file appender with "corner cases" like "there are no previous log-files": I found a couple of (easy to solve) bugs in the original custodian appender.

(1) Or use the new Java 7 POSIX file system options.
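
One way to structure the attribute changes described in the answer, as an added example (not the answerer's code and not part of log4j): a hypothetical helper, AppendOnlyLogGuard, that a custom appender would call around its rollover. It assumes a sudoers rule that lets the JBoss user run /usr/bin/chattr non-interactively, because changing the append-only flag needs root privileges.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

/** Hypothetical helper for a custom rolling appender; not part of log4j. */
public final class AppendOnlyLogGuard {

    /** Assumption: sudoers allows exactly this binary, without a password. */
    private static final String[] CHATTR = {"sudo", "-n", "/usr/bin/chattr"};

    private AppendOnlyLogGuard() { }

    /** Call before rolling: an append-only file cannot be renamed or deleted. */
    public static void beforeRoll(Path activeLog) throws IOException {
        if (Files.exists(activeLog)) {      // corner case: first start, nothing to roll
            chattr("-a", activeLog);
        }
    }

    /** Call after rolling: freeze the rolled file, re-protect the new active file. */
    public static void afterRoll(Path rolledLog, Path activeLog) throws IOException {
        if (Files.exists(rolledLog)) {      // corner case: no previous log file
            // Java 7 POSIX option from footnote (1): read-only for owner and group.
            Files.setPosixFilePermissions(rolledLog,
                    PosixFilePermissions.fromString("r--r-----"));
        }
        if (Files.exists(activeLog)) {
            chattr("+a", activeLog);
        }
    }

    /** Runs chattr and fails loudly, so the appender never logs to an unprotected file silently. */
    private static void chattr(String flag, Path file) throws IOException {
        String[] cmd = {CHATTR[0], CHATTR[1], CHATTR[2], flag, file.toAbsolutePath().toString()};
        Process p = new ProcessBuilder(cmd).inheritIO().start();
        try {
            int exit = p.waitFor();
            if (exit != 0) {
                throw new IOException("chattr " + flag + " failed for " + file + ", exit " + exit);
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while running chattr " + flag, e);
        }
    }
}
```

An account that may run chattr -a through that sudoers rule can also clear the flag by hand, so the rule is the trust boundary and should be scoped as narrowly as possible.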

Licensed under: CC-BY-SA with attribution