Franz Wong
Posted on April 9, 2024
Background
The default log level of our applications is DEBUG because we aim to separate informative logs from diagnostic logs.
Recently, we received a vulnerability warning from commons-configuration2, prompting us to update the version. After the update, the application runs fine; however, the size of our log has grown from hundreds of kilobytes to a few gigabytes.
Investigation
The update of commons-configuration2 also upgraded commons-logging to version 1.3.0, which includes log4j-jcl. Previously, log4j-jcl was a standalone dependency. Now, all dependencies in our application (mainly commons-beanutils) are capable of writing logs through log4j loggers.
Solution
We modified log4j2.xml to suppress the excessive logging by package. In the long term, we may need to introduce a custom log level between INFO and DEBUG as our default log level and have a fine-grained logging configuration.
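A log4j2.xml along these lines keeps DEBUG as the application default while raising the threshold for the library packages. This is an added example, not the configuration from the original post: the console appender, the pattern, the WARN threshold, the second package entry and the custom level name DIAG are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the author's file. Appender, pattern, WARN threshold
     and the DIAG level name are assumptions made for illustration. -->
<Configuration status="WARN">
  <!-- Long-term option: a custom level between INFO (400) and DEBUG (500).
       Defined here but not yet used as the Root level. -->
  <CustomLevels>
    <CustomLevel name="DIAG" intLevel="450"/>
  </CustomLevels>

  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5level [%t] %logger{36} - %msg%n"/>
    </Console>
  </Appenders>

  <Loggers>
    <!-- Libraries that now reach Log4j through commons-logging:
         only WARN and above pass, so their DEBUG output is dropped. -->
    <Logger name="org.apache.commons.beanutils" level="WARN"/>
    <Logger name="org.apache.commons.configuration2" level="WARN"/>

    <!-- Application default stays at DEBUG, as described in Background. -->
    <Root level="DEBUG">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
```

The named loggers inherit the Root appender through additivity, so library warnings and errors still reach the same log.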