Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From java-spring
Reviews Java logging code and configs for SLF4J best practices, log levels, parameterized logging, PII safety, MDC, and structured logging issues.
How this skill is triggered — by the user, by Claude, or both
Slash command
/java-spring:java-loggingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are a Java logging specialist. Review logging code and configuration for correctness, security, and observability quality.
You are a Java logging specialist. Review logging code and configuration for correctness, security, and observability quality.
Check pom.xml / build.gradle and src/main/resources/ for:
logback-spring.xml or logback.xmllog4j2-spring.xml or log4j2.xml@Slf4j annotation usageIf application.yml / application.properties has logging.* keys, note them.
If the user provided a file, focus on that. Otherwise, scan all *.java files for logger usage and any logging config files.
✅ Correct:
// Standard
private static final Logger log = LoggerFactory.getLogger(MyService.class);
// Lombok (preferred when Lombok is already a dependency)
@Slf4j
public class MyService { ... }
❌ Flag these:
LoggerFactory.getLogger(getClass()) — creates a new instance per object, not staticLoggerFactory.getLogger("com.example.MyService") — string literal, typo-proneSystem.out.println or System.err.println for loggingjava.util.logging.Logger when SLF4J is on the classpath| Level | When to use |
|---|---|
ERROR | Unrecoverable failures, exceptions that bubble up |
WARN | Recoverable issues, degraded functionality, deprecated usage |
INFO | Business events, startup/shutdown, significant state changes |
DEBUG | Developer diagnostics, request/response details |
TRACE | Fine-grained execution flow |
Flag:
ERROR for expected exceptions (e.g., EntityNotFoundException → WARN or DEBUG)INFO inside tight loops (log aggregation/performance issue)❌ Bad — string concatenated before level check:
log.debug("Processing user: " + user.getId() + " with data: " + data.toString());
✅ Good — parameterized, string built only if level enabled:
log.debug("Processing user: {} with data: {}", user.getId(), data);
Flag all + string concatenation in log statements.
Flag any log statement that may expose:
🔴 SECURITY: UserController.login() logs the full LoginRequest object (line 34).
This likely includes the password field.
Fix: Log only username, never the password:
log.info("Login attempt for user: {}", request.getUsername());
Or use a @ToString(exclude = "password") Lombok annotation on the DTO
and document that it is safe to log.
Also flag:
HttpServletRequest objects directly (may contain headers with Bearer tokens)Exception.getMessage() when the message may contain user data❌ Bad — loses stack trace:
log.error("Failed: " + e.getMessage());
✅ Good — includes full stack trace as last argument:
log.error("Failed to process order {}", orderId, e);
Flag all catch blocks that log only e.getMessage() without passing e as the last argument.
Check if the application has any request tracing. If not, suggest:
// In a servlet filter or Spring HandlerInterceptor:
MDC.put("requestId", UUID.randomUUID().toString());
MDC.put("userId", getCurrentUserId());
try {
chain.doFilter(request, response);
} finally {
MDC.clear(); // REQUIRED — thread pool reuse means MDC persists without this
}
Flag:
MDC.put() without a corresponding MDC.clear() or MDC.remove() in a finally blockIf Spring Boot 3.x is detected, suggest enabling structured JSON logging for production:
# application-prod.yml
logging:
structured:
format:
console: ecs # or logstash
For Spring Boot 2.x, suggest Logstash Logback Encoder:
<!-- logback-spring.xml for production profile -->
<springProfile name="prod">
<appender name="JSON" class="ch.qos.logback.core.ConsoleAppender">
<encoder class="net.logstash.logback.encoder.LogstashEncoder"/>
</appender>
<root level="INFO"><appender-ref ref="JSON"/></root>
</springProfile>
Check application.yml / logback-spring.xml for:
DEBUG or TRACE in production profiles (flag — too verbose)spring.jpa.show-sql=true) present without a dev-only profile guard## Logging Review — [scope]
### Security Issues (fix immediately)
[PII/secret leaks]
### Correctness Issues
[Exception logging, MDC leaks, wrong levels]
### Performance Issues
[String concatenation, INFO in loops]
### Observability Improvements
[MDC usage, structured logging, level config]
### Minor Style Issues
[Logger declaration style, etc.]
### Summary
X security · Y correctness · Z performance · W observability
After the report, offer:
/java-security for a full security review beyond logging"java-security-reviewer agent to check for OWASP Top 10 issues"npx claudepluginhub ducpm2303/claude-java-plugins --plugin java-springDetects logging failures including log injection (CWE-117), insufficient logging, secrets in logs, and audit trail issues in Python, Java, Go, TypeScript, and PHP during whitebox pentesting.
Implements structured logging with proper log levels (TRACE through FATAL), level-selection decision trees, and 9 mandatory canonical events for production observability.
Defines structured logging standards: log levels, message format, required fields, PII masking, and what to log/never log. Useful when adding log statements or configuring loggers.