Tomcat Integration
This page describes Tomcat-specific configuration options and behavior.
How It Works
When using Tomcat as the embedded server, the starter registers a TomcatValve that intercepts all HTTP requests and responses.
Tomcat-Specific Properties
logback:
  access:
    tomcat:
      # Auto-detected from RemoteIpValve when not set
      request-attributes-enabled: true

Request Attributes
When request-attributes-enabled is true, the following Tomcat request attributes are available:
| Attribute | Description |
|---|---|
| org.apache.catalina.AccessLog.RemoteAddr | Client IP address |
| org.apache.catalina.AccessLog.RemoteHost | Client hostname |
| org.apache.catalina.AccessLog.Protocol | HTTP protocol version |
| org.apache.catalina.AccessLog.ServerName | Server name |
| org.apache.catalina.AccessLog.ServerPort | Server port |
These attributes are useful when the application runs behind a reverse proxy.
Pattern Variables
For standard pattern variables, see Getting Started — Pattern Variables.
In addition to the standard variables, Tomcat supports all request attributes set by RemoteIpValve (e.g., %{org.apache.catalina.AccessLog.RemoteAddr}r). When request-attributes-enabled is true, these attributes reflect the real client information from behind a reverse proxy.
Elapsed Time
The %D and %T pattern variables report the request processing time. When Tomcat provides this value directly (via the AccessLog.log(request, response, time) contract in nanoseconds), the starter converts it to milliseconds. If the value is not available, the starter computes it from the request start time.
Behind a Reverse Proxy
When running behind a proxy (nginx, Apache, load balancer), configure the RemoteIpValve to get the real client IP:
server:
  tomcat:
    remoteip:
      remote-ip-header: X-Forwarded-For
      protocol-header: X-Forwarded-Proto

The access log will then show the real client IP instead of the proxy's IP.
Local Port Strategy
Control which port is logged:
logback:
  access:
    local-port-strategy: server  # or 'local'

- server: Use the server port (e.g., 8080)
- local: Use the local connection port
Spring Security Integration
The starter captures authenticated usernames automatically when Spring Security is on the classpath (Servlet applications only):
<pattern>%h %l %u [%t] "%r" %s %b</pattern>

The %u variable will show:
- The authenticated username for authenticated requests
- A hyphen (-) for anonymous requests

Note: This applies to Servlet-based applications (Spring MVC). For reactive applications (Spring WebFlux on Tomcat), %u shows -.
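
An added example, not part of the starter's code or documentation: a Python parser for lines written with the %h %l %u [%t] "%r" %s %b pattern above (optionally followed by the Referer, User-Agent and %D fields used in the production pattern on this page), counting 401/403 responses per client address. The function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Fields in pattern order: %h %l %u [%t] "%r" %s %b, then optionally
# "%i{Referer}" "%i{User-Agent}" %D (elapsed time in milliseconds).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<elapsed_ms>\d+))?$'
)

# Constructed sample lines (documentation-range addresses, made-up users).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0" 12',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0" 11',
    '203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0" 13',
    '198.51.100.4 - alice [10/Oct/2024:13:55:40 +0000] "GET /orders HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 48',
    '198.51.100.4 - - [10/Oct/2024:13:55:41 +0000] "GET /admin HTTP/1.1" 403 - "-" "Mozilla/5.0" 3',
    'not an access log line',
]

def parse_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" = anonymous
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    if rec["elapsed_ms"] is not None:
        rec["elapsed_ms"] = int(rec["elapsed_ms"])
    return rec

def auth_failures_by_client(lines, threshold=3):
    """Count 401/403 responses per %h value; also return unparsable lines."""
    failures, unparsed = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # surface these instead of dropping them
        elif rec["status"] in (401, 403):
            # Behind a proxy, host is the real client only when
            # RemoteIpValve is configured (see Behind a Reverse Proxy).
            failures[rec["host"]] += 1
    return {h: n for h, n in failures.items() if n >= threshold}, unparsed

if __name__ == "__main__":
    print(auth_failures_by_client(SAMPLE))
```
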
Example Configuration
Complete example for a production Tomcat setup:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <springProperty name="appName" source="spring.application.name"
                    defaultValue="app" scope="context"/>
    <appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>logs/access.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <fileNamePattern>logs/access.%d{yyyy-MM-dd}.log.gz</fileNamePattern>
            <maxHistory>30</maxHistory>
        </rollingPolicy>
        <encoder>
            <pattern>%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D</pattern>
        </encoder>
    </appender>
    <appender-ref ref="file"/>
</configuration>

Application properties:
logback:
  access:
    tomcat:
      request-attributes-enabled: true
    filter:
      exclude-url-patterns:
        - /actuator/.*
        - /health
        - /favicon.ico

See Also
- Configuration Reference — Full property reference and XML configuration
- Advanced Topics — TeeFilter, URL filtering, JSON logging, and Spring Security