Please, not JSON output by default. Gary
On Tue, Oct 3, 2023, 12:57 PM Ralph Goers <ralph.go...@dslextreme.com> wrote: > Are you just talking about changing the current default configuration? Or > are you envisioning having more than one somewhow? > > If this is just about changing the current default configuration then I > have some concerns: > 1. It always has to work. > 2. It cannot rely on optional components. JsonTemplateLayout is not in > core so it cannot be included in the default. However, we could detect if > it is available and use it if it is. > > Changing from PatternLayout to JsonTemplateLayout that only makes sense if > you have tools to interpret the JSON. Looking at the raw JSON is painful. > I’ve done it. > > Finally, my hope is that no one is using the default configuration. I > can’t really think of any application that should be using it. However, we > could create multiple defaults tailored to specific application types. > > Ralph > > > On Oct 3, 2023, at 9:35 AM, Matt Sicker <m...@musigma.org> wrote: > > > > I’ve had this idea for many years now, and as we get closer to 3.0, it > seems like it’s time to consider the details. We can change the default > configuration in 3.0 without being as surprising as any other version. I > think we could use this as an opportunity to demonstrate some best > practices and recommendations. For example, we could switch from > PatternLayout to JsonTemplateLayout by default to help prevent common > vulnerabilities related to log message forging (like putting a newline or > similar and faking the log output in the following line). Then there’s an > option related to direct console writing that we have disabled by default > despite being benign. There are probably other settings I haven’t > considered at the moment. > > > > So what do you think? Any suggestions for the default configuration? > >
