Added docs on routing access logs to log4j2

[himeshsiriwardana]

Purpose

$subject

Related issues:
wso2/product-is#26884

Summary by CodeRabbit

• Documentation
  • Added comprehensive guide for enabling HTTP access logging through Log4j2 framework with step-by-step configuration instructions.
  • Covers two routing approaches: dedicated rolling log files with full appender and logger configuration, and console-only output.
  • Includes customization notes for using standard Log4j2 features.

[coderabbitai]

Warning

Rate limit exceeded

@himeshsiriwardana has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 40 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 85654d42-767f-4647-9eaf-986ae05ee40d

📥 Commits

Reviewing files that changed from the base of the PR and between 4ca94eb and e11501a.

📒 Files selected for processing (3)

• .vale/styles/WSO2-IAM/TooWordy.yml
• .vale/styles/config/vocabularies/vocab/accept.txt
• en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md

Walkthrough

Two vocabulary entries ("appender" and "appenders") were added to Vale's accepted terms list. Concurrently, comprehensive documentation was added explaining how to configure HTTP access logging through Log4j2 in deployment, including two routing approaches: to rolling log files or console output.

Changes

Cohort / File(s)	Summary
Vocabulary Configuration .vale/styles/config/vocabularies/vocab/accept.txt	Added two new vocabulary entries: "appender" and "appenders" to the accepted terms list, expanding recognized terminology.
Documentation en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md	Added new section documenting Log4j2-based HTTP access logging configuration, including setup steps via useLogger = true in deployment.toml and two routing approaches: dedicated rolling log file with full logger/appender configuration, and console-only routing with sample configurations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop into the logs with joy and cheer,
New appenders dance, the path is clear,
Words join the vocab, docs take flight,
Log4j routes the access just right! 🪵✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete and does not follow the required template structure with all necessary sections.	Complete the description by adding: a clear Purpose section (replace $subject placeholder), Related PRs section, Test environment details, and Security checks checklist with proper verification of each item.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding documentation on routing access logs to log4j2.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md (1)

86-95: Document useLogger as a full configuration setting.

This section explains what useLogger does, but it does not explicitly state the default value or allowed values. Please add that next to the example so readers can tell whether they are enabling new behavior or overriding the default.

As per coding guidelines, "When documenting configuration, describe what the setting controls, state the default value, state constraints (type, valid range, allowed values), provide a minimal example, and explain when the user should change it."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md` around
lines 86 - 95, The doc currently shows how to set useLogger under
[http_access_log] but doesn't document its semantics; update the text around the
example to state that useLogger is a boolean configuration (allowed values: true
| false), that its default is false (Tomcat Access Log Valve writing to
http_access.log), and that setting useLogger = true routes HTTP access logs via
the Log4j2 logger; also mention where to change it (in
<IS_HOME>/repository/conf/deployment.toml) and that corresponding
log4j2.properties must be updated to add the HTTP access log appender and logger
when enabling it.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md`:
- Around line 143-147: The docs incorrectly instruct to set the top-level Log4j2
"appenders" registry to only CARBON_CONSOLE which breaks other appenders; revert
the "appenders" list to include all required appenders (e.g., CARBON_CONSOLE,
CARBON_LOGFILE, AUDIT_LOGFILE, etc.) so appender references used by loggers
remain available, and instead configure the HTTP_ACCESS logger to reference only
CARBON_CONSOLE (update the HTTP_ACCESS logger definition to use CARBON_CONSOLE
as its sole appender) so HTTP access logs go to console without removing other
appenders from the global registry.

---

Nitpick comments:
In `@en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md`:
- Around line 86-95: The doc currently shows how to set useLogger under
[http_access_log] but doesn't document its semantics; update the text around the
example to state that useLogger is a boolean configuration (allowed values: true
| false), that its default is false (Tomcat Access Log Valve writing to
http_access.log), and that setting useLogger = true routes HTTP access logs via
the Log4j2 logger; also mention where to change it (in
<IS_HOME>/repository/conf/deployment.toml) and that corresponding
log4j2.properties must be updated to add the HTTP access log appender and logger
when enabling it.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 122e4da6-68a6-4c99-9202-475c2149f18b

📥 Commits

Reviewing files that changed from the base of the PR and between d0ca504 and 4ca94eb.

📒 Files selected for processing (2)

• .vale/styles/config/vocabularies/vocab/accept.txt
• en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Apache Log4j2 properties configuration, what does the top-level appenders = ... property control, and what happens if existing appenders referenced by other loggers are omitted from that list?

💡 Result:

In a Log4j2 log4j2.properties configuration, the top-level:

appenders = A, B, C

is a comma-separated list of appender identifiers that tells Log4j which appender.<id>.* blocks belong to the configuration (this listing was required prior to Log4j 2.6, and if the list is present, Log4j will use it). [1]

If an appender is referenced by a logger (via *.appenderRef.*.ref = ...) but its identifier is omitted from appenders = ..., that appender’s properties won’t be assembled/instantiated as part of the configuration, so the reference can’t be resolved—typically producing status errors like “Unable to locate appender … for logger config …”, and the affected logger simply won’t be able to write to that missing destination. [2][3]

Sources:
[1] Apache Log4j 2 manual – Properties configuration and the appenders identifier list behavior (logging.apache.org)
[2] Apache Log4j 2 manual – Appender references are how loggers route events to appenders (logging.apache.org)
[3] Example of the “Unable to locate appender … for logger config …” failure mode (support.stardog.com)

Citations:

• 1: https://logging.apache.org/log4j/2.12.x/manual/configuration.html
• 2: https://logging.apache.org/log4j/2.x/manual/configuration.html
• 3: https://support.stardog.com/support/solutions/articles/151000177175-log4j2-xml-error-unable-to-locate-appender-x-for-logger-config-y

---

Do not set appenders to only CARBON_CONSOLE.

In Log4j2 properties configuration, appenders is the top-level registry of all available appenders. Omitting CARBON_LOGFILE, AUDIT_LOGFILE, or other appenders from this list breaks the appender references that loggers use, causing those loggers to fail with "Unable to locate appender" errors and preventing file and audit logging.

To send HTTP access logs to the console only, keep the existing appenders list unchanged and instead configure the HTTP_ACCESS logger to use only CARBON_CONSOLE.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@en/identity-server/6.1.0/docs/deploy/monitor/http-access-logging.md` around
lines 143 - 147, The docs incorrectly instruct to set the top-level Log4j2
"appenders" registry to only CARBON_CONSOLE which breaks other appenders; revert
the "appenders" list to include all required appenders (e.g., CARBON_CONSOLE,
CARBON_LOGFILE, AUDIT_LOGFILE, etc.) so appender references used by loggers
remain available, and instead configure the HTTP_ACCESS logger to reference only
CARBON_CONSOLE (update the HTTP_ACCESS logger definition to use CARBON_CONSOLE
as its sole appender) so HTTP access logs go to console without removing other
appenders from the global registry.

[ashanthamara]

@himeshsiriwardana Shall we add the doc to all the IS versions after 6.1.0 as well ?