ZMedia Purwodadi
Home backend Developer learning to code

Apache Log4j Tutorial: Everything You Need to Know

Updated: 0 min read
Table of Contents

Logging is one of those things you don’t think much about—until something breaks. Then, suddenly, logs are your best friend. If you’ve worked on Java applications, you’ve probably heard of Apache Log4j. But what exactly is it, and why does it matter?

Apache Log4j Tutorial

Maybe you’ve struggled with messy log files, had trouble debugging an issue in production, or heard about Log4Shell, the security vulnerability that shook the internet. Whatever the case, this tutorial will walk you through Apache Log4j—from installation to best practices—so you can log like a pro.

Let’s dive in.

Check out my article on Apache Camel Tutorial with Spring Boot


What is Apache Log4j?

Apache Log4j is a Java-based logging library used to track application activity. Instead of using System.out.println() all over your code (which gets messy fast), Log4j gives you a structured way to log messages, filter them, and control where they go (console, files, databases, etc.).

But here’s what makes Log4j special:

Customizable Logging Levels – Not every message is equally important. Log4j lets you categorize logs as DEBUG, INFO, WARN, ERROR, and FATAL.
Flexible Output – Send logs to the console, a file, or even remote servers.
Performance-Optimized – Unlike basic print statements, Log4j is built for high-performance applications.
Widely Used – Many enterprise applications rely on it, meaning you’re learning an industry-standard tool.

If you're new to Java, you can read our tutorial on Java: A Complete Overview for Beginners

How to Install Apache Log4j

To start using Log4j, you need to add it to your Java project. The best way? Maven or Gradle.

Using Maven

Add this to your pom.xml:

<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.17.1</version>
    </dependency>
</dependencies>

Using Gradle

Add this to build.gradle:

dependencies {
    implementation 'org.apache.logging.log4j:log4j-core:2.17.1'
}

Once you add the dependency, your project is ready to use Log4j.

Basic Log4j Setup

To use Log4j, you need a configuration file. This file tells Log4j where to send logs, what format to use, and which messages to log.

Creating a Simple Log4j Configuration

Create a file named log4j2.xml inside your resources folder and add this:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n" />
        </Console>
    </Appenders>
    <Loggers>
        <Root level="info">
            <AppenderRef ref="Console" />
        </Root>
    </Loggers>
</Configuration>

What’s happening here?

  • We define a Console appender to send logs to the console.
  • The PatternLayout formats logs with a timestamp, thread, log level, logger name, and message.
  • We set the default log level to INFO, meaning only INFO, WARN, ERROR, and FATAL messages will appear.

Writing Logs in Java

With Log4j configured, let’s write some logs.

Basic Logging Example

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;

public class LogExample {
    private static final Logger logger = LogManager.getLogger(LogExample.class);

    public static void main(String[] args) {
        logger.debug("This is a debug message.");
        logger.info("This is an info message.");
        logger.warn("This is a warning message.");
        logger.error("This is an error message.");
        logger.fatal("This is a fatal message.");
    }
}

Run this, and you’ll see something like:

2025-02-13 10:45:12 [main] INFO  LogExample - This is an info message.
2025-02-13 10:45:12 [main] WARN  LogExample - This is a warning message.
2025-02-13 10:45:12 [main] ERROR LogExample - This is an error message.
2025-02-13 10:45:12 [main] FATAL LogExample - This is a fatal message.

Notice how DEBUG messages aren’t displayed? That’s because we set the log level to INFO in log4j2.xml. If you want debug messages, change <Root level="info"> to <Root level="debug"> in the config file.

Advanced Features of Log4j

Once you have the basics down, Log4j offers powerful features to make logging even better.

1. Writing Logs to a File

Instead of printing logs to the console, you can write them to a file. Modify your log4j2.xml:

<Appenders>
    <File name="FileLogger" fileName="logs/app.log">
        <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n" />
    </File>
</Appenders>
<Loggers>
    <Root level="info">
        <AppenderRef ref="FileLogger" />
    </Root>
</Loggers>

Now, logs will be stored in logs/app.log.

2. Rolling Log Files

If you don’t want logs to grow endlessly, use rolling files:

<RollingFile name="RollingFileLogger" fileName="logs/app.log"
             filePattern="logs/app-%d{yyyy-MM-dd}.log.gz">
    <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %msg%n" />
    <Policies>
        <TimeBasedTriggeringPolicy />
    </Policies>
</RollingFile>

This creates a new log file every day and compresses old logs.

Common Log4j Mistakes & How to Avoid Them

1. Logging Sensitive Information

Never log passwords, API keys, or personal user data. If logs get leaked, that’s a security disaster.

2. Not Setting the Right Log Level

Don’t log everything as INFO. Too much noise makes logs useless. Use DEBUG for development, INFO for normal operations, and ERROR for failures.

3. Ignoring Log Rotation

If you don’t rotate logs, they’ll grow indefinitely and eat up disk space. Always configure rolling logs.

Apache Log4j Security Warning: Log4Shell

In December 2021, a vulnerability called Log4Shell (CVE-2021-44228) made headlines. It allowed attackers to execute malicious code remotely just by logging a specially crafted string.

How to Protect Your Application

Use Log4j 2.17.1 or later (older versions are vulnerable).
Disable message lookup by setting:

log4j2.formatMsgNoLookups=true

Use a firewall to block exploit attempts.

Always keep Log4j updated to the latest version to stay safe.

Final Thoughts

Apache Log4j is a powerful tool for handling logs in Java applications. With a few lines of configuration, you can structure logs, control their flow, and keep your applications running smoothly.

Have you used Log4j before? What challenges did you face? Drop a comment below—I’d love to hear your thoughts! 🚀

Post a Comment

Post a Comment