Where can I find some good examples on
1) How to configure Enterprise Library Exception Handling application blocks and
2) How to Log an exception error messages to a text file
(I am using VS2008 asp.net3.5, C# to develop a web application
and uses Enterprise library 4.1 for Exception Handling and Error logging )
Thank you all in advance
Take a look at the hands-on labs for Entlib 4.1. They include lots of examples on how to use the blocks, including the exception block.
As mentioned, The Hands on Labs are a good place to start. You could also take a look at the Quick Starts. When you install the source code you have the option of installing the Quick Starts. There is an ExceptionHandlingWithLoggingQuickStart project there that you would probably find useful.
Related
Due to the recent problems with log4j I was checking all my code etc..
While doing so i discovered two files named
"slf4j-log4j12-1.7.5.jar" and "log4j-1.2.17.jar"
to find under
"...\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\SSIS\150\Extensions\Common\Jars"
Since we are also developing SSIS packages we kinda rely on this extension.
Sadly I was not able to find anything about SSIS in context with log4j. IMO it's also a bit dubious that the version of the log4j seems to be 1.x, which support ended in 2015.
Are there any known fixes/updates?
This is not a problem.
In what way those .jar file can be exploited to trig a privilege escalation or software evasion?
The fact that Visual Studio is using old libraries doesn't shock me at all. Large companies are use to rely on third party library and then they are usually forbidden in the corner during years.
EDIT:
You question was somehow interesting and I needed to dig further.
Apparently this 0-day has been around since March, so it means 9 month ago. There is no evidence of mass exploitation but that doesn't mean that it hasn't been used in the past months.
In order to use it:
[...] an attacker only needs to get the system to log a strategically
crafted string of code. From there they can load arbitrary code on the
targeted server and install malware or launch other attacks. Notably,
hackers can introduce the snippet in seemingly benign ways, like by
sending the string in an email or setting it as an account username.
This means that hypothetically you can exploit the vulnerability through SSIS in this scenario:
Create an SSIS package that ask for an input to the client user
The package must use log4j for logging
The user enter the malicious crafted string of code
...then yes in this case an SSIS package could be exploited.
I will try it out in my spare time and I will let you know.
EDIT 2:
After extensive research I can confirm you that this is not a problem because only version Log4j 2.X are impacted:
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques
below.
Use log4j-finder developed by FOX IT to enumerate vulnerable log4j files on your machines.
Microsoft have now removed the dependency
There is a new version (3.16) of the SSIS tools for VS2019 which removes the dependency for log4j.
Here's the download link:
https://marketplace.visualstudio.com/items?itemName=SSIS.SqlServerIntegrationServicesProjects
Version 3.16 Upgrade Notes
Reading this today, and probably embarking on a Xamarin solution very soon (the other possibility is "going native" with just Android, using Android Studio), I got to wondering:
Can ELMAH be used in Xamarin solutions?
And, in fact, if the road less taken (Android Studio) is chosen, what tool is there for Android/Java projects that that most closely resembles ELMAH's advantages?
It does:
Although the Elmah.IO NuGet's latest release doesn't support
Xamarin.Forms cross-platform logging, I have used it in my
Android/iOS/UWP projects' exception handling separately by following instructions here.
Here you can find out descriptions about the
pre-release elmah.io for Xamarin and Xamarin.Forms.
No. ELMAH is very specifically targeted for ASP.NET.
Error/crash logging solutions for Xamarin include Raygun, Crashlytics, and TestFlight.
I am trying to profile my app to see where I can tweak memory management and speed. I have read into Garbage collection and I am trying to use
GC::Profiler.enable
In my app. However when I call this in Jruby I am getting a
org.jruby.exceptions.RaiseException: (NameError) uninitialized
I know that the garbage collection is done in the JVM on Jruby - so this might be why it is not initialized Which makes sense, what is the alternative to use in Jruby?
That's a MRI specific API - there's not an API equivalent for JRuby probably due the way the JVM works (there are multiple GC strategies with most VMs and there's no consistent API to work with the GC, even a System.gc() call does not necessary trigger garbage-collection immediately).
But there's a standart monitoring API (called MX) available for Java applications and since your JRuby app is a Java app you can use those, of course you might need to understand some of the internals e.g. how your ruby classes are seen by the JVM, but it ain't that hard.
Try starting here: http://www.engineyard.com/blog/2010/monitoring-the-jvm-heap-with-jruby/
Here's a summary of Java tools available you can use with JRuby as well: http://blog.headius.com/2010/07/browsing-memory-jruby-way.html
Don't forget to check the wiki as well, e.g. there's a page on profiling object allocations:
https://github.com/jruby/jruby/wiki/Profiling-Object-Allocations
I often find the quote "InstallUtil.exe" is an ugly pattern or "Don't use InstallUtil.exe" and that I should use native WIX or Installation package patterns and I still don't understood why.
I stepped away from using InstallUtil to install a .NET service as I finally learnt that writing registry keys for such an action should be an un-install-able action - and I've come to terms with this as correct.
As I've been working through my WIX installer for a relatively complex product, I have found myself in need of creating or updating SQL Server databases, creating or updating IIS Applications and finally updating or creating configuration files.
Each of my components (features) are optional, but they all share the same configuration file. As my product uses unity, its important to note that this library contains strong support for reading/updating/removing components from the Unity Configuration block, therefore it seems fairly smart to me that I should take advantages of these blocks via Installation Components (i.e. InstallUtil) to create or update my configuration file at installation time.
Just to be clear here, my installer does not natively contain a configuration file for my application: at installation time, the installer has no idea as to the shape of it as its based on the features selected. Surely I should be embedding this knowledge into each of the modules that are to be deployed and not in the remit of the installer which is now a completely independent project? Wouldn't this break O-O principals even if we are talking about installation?
I'd really appreciate some guidance as to whether this is good practise or not? Am I reading 'InstallUtil' is bad for installing services, or is it that using 'InstallUtil' is bad full-stop? If so, what are my options for smart updating of configuration files?
The main reason for avoiding InstallUtil is that it runs outside of the installation transaction, so Windows Installer cannot keep track of what it's done.
I have used InstallUtil on a few occasions, when I just couldn't get Wix to do what I needed and didn't have time to write a custom action. In this case I called the InstallUtilLib version as I feel this is a cleaner approach.
I used the this blog as a guide as to how to achieve this.
I would want to learn about MS Entlib 5.0. Frankly I have no idea what it is. Please provide me the links to start exploring. Then I Would have to evaluate whether the following requirements can be met using MS Entlib 5.0
1.Policy based exception handling & logging into both file and DB
2.Capability to enable detailed logging through trace/debug.
3Capability to overwrite business exception raised from stored proc or BO with a localized exception message for UI display
Please provide your valuable inputs on the above requirements.
Thanks in Advance,
Manasa
Manasa, EntLib can help with all 3 scenarios you inquired about.
EntLib is a collection of pluggable application blocks that address cross-cutting concerns, such as logging, exception management, data access, data validation etc. EntLib is configuration-driven (supporting both external configuration sources and programmatic config via fluent interface). It's a mature library which is currently in its 5th release and is built by Microsoft patterns & practices group.
I recommend you start with the Enterprise Library Developer's Guide, in particular Chapters 1, 3 and 4. Then proceed with the Hands-On Labs. Based on your requirements, you would want to explore the Logging and Exception Handling set of exercises.
Additional resources can be found at:
MSDN EntLib Dev Center is the home page where all final releases and documentation can be
found.
EntLib Community Site - includes preview releases, ongoing work, community forum, issue database and other useful resources.