IBM Support

IBM TechNote: Configuring Custom Log4j2 for IBM MAS Optimizer


IBM MAS Optimizer now supports external Log4j2 configuration via Kubernetes ConfigMaps to meet FISMA and FIPS audit requirements. This feature allows customers to override the default logging configuration for API and Execution Service components without rebuilding application artifacts.

Overview

Starting from version 9.1.8, IBM MAS Optimizer supports external Log4j2 configuration through Kubernetes ConfigMaps. This capability ensures compliance with FISMA and FIPS audit controls by enabling flexible, secure, and auditable logging configurations.

Relevant Compliance Controls:

  • FISMA / NIST SP 800-53 AU Controls: AU-2, AU-3, AU-6, AU-8, AU-12
  • FIPS: Secure configuration integrity

Default Behavior

By default, Optimizer loads its Log4j2 configuration from a ConfigMap managed by the operator. This configuration includes correlation IDs, timestamps in UTC, and JSON output for SIEM integration.


Custom Configuration Steps

1. Create a Custom ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: "custom-log4j2xml"
  namespace: "mas-<instanceId>-optimizer"
  labels:
    app.kubernetes.io/instance: "<instanceId>"
    app.kubernetes.io/managed-by: "ibm-mas-optimizer"
    app.kubernetes.io/name: ibm-mas-optimizer
    mas.ibm.com/applicationId: "optimizer"
    mas.ibm.com/instanceId: "<instanceId>"
data:
  log4j2.xml: |-
    <?xml version="1.0" encoding="UTF-8"?>
    <Configuration status="WARN" monitorInterval="30">
        <Appenders>
            <Console name="Console" target="SYSTEM_OUT">
                <PatternLayout pattern="%d{HH:mm:ss} %-5level %logger{36} - %msg%n"/>
            </Console>
        </Appenders>
        <Loggers>
            <Root level="info">
                <AppenderRef ref="Console"/>
            </Root>
        </Loggers>
    </Configuration>
 
Note: Replace <instanceId> with your actual instance ID in both the namespace and the labels.
 
2. Update the OptimizerWorkspace CR
 
# CR definition...

  spec:
    api:
      log4j2ConfigMap: custom-log4j2xml
    es:
      log4j2ConfigMap: custom-log4j2xml
...
 
Note: The api and es components can each reference a different ConfigMap.

How It Works

  • The operator mounts the specified ConfigMap into the Pod at /opt/was/liberty/wlp/usr/shared/resources/log4j2.xml.
  • JVM options are updated to use -Dlog4j.configurationFile=/opt/was/liberty/wlp/usr/shared/resources/log4j2.xml.
  • If no custom ConfigMap is provided, the default configuration is used.

Compliance Benefits

  • AU-12: Audit generation through consistent logging
  • AU-2 & AU-3: Customizable event selection and record content
  • AU-8: Accurate timestamp configuration
  • AU-6: SIEM/SOC integration for correlation and analysis
  • FIPS: Secure configuration integrity

Additional Notes

  • Validate your custom log4j2.xml syntax before applying.
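  • Ensure your custom configuration still emits all fields required for compliance. The default configuration includes correlation IDs, UTC timestamps, and JSON output; a custom log4j2.xml replaces it.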
  • For SIEM integration, consider using JSON appenders or structured layouts.


 

 


Document Information

Modified date: 26 January 2026

UID: ibm17256006