franvila
diff --git a/‎etc/checkstyle-custom_checks.xml‎
Lines changed: 14 additions & 0 deletions b/‎etc/checkstyle-custom_checks.xml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎etc/checkstyle-suppressions.xml‎
Lines changed: 22 additions & 0 deletions b/‎etc/checkstyle-suppressions.xml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎kroxylicious-api/src/test/resources/log4j2-test.properties‎
Lines changed: 1 addition & 1 deletion b/‎kroxylicious-api/src/test/resources/log4j2-test.properties‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎kroxylicious-app/pom.xml‎
Lines changed: 5 additions & 0 deletions b/‎kroxylicious-app/pom.xml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎kroxylicious-app/src/main/java/io/kroxylicious/app/Kroxylicious.java‎
Lines changed: 12 additions & 9 deletions b/‎kroxylicious-app/src/main/java/io/kroxylicious/app/Kroxylicious.java‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎kroxylicious-app/src/main/resources/log4j2.yaml‎
Lines changed: 19 additions & 3 deletions b/‎kroxylicious-app/src/main/resources/log4j2.yaml‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎kroxylicious-app/src/test/resources/log4j2-test.properties‎
Lines changed: 1 addition & 1 deletion b/‎kroxylicious-app/src/test/resources/log4j2-test.properties‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎kroxylicious-docs/docs/_modules/monitoring/proc-proxy-setting-log-levels.adoc‎
Lines changed: 52 additions & 0 deletions b/‎kroxylicious-docs/docs/_modules/monitoring/proc-proxy-setting-log-levels.adoc‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎kroxylicious-filters/kroxylicious-authorization/src/main/java/io/kroxylicious/filter/authorization/Authorization.java‎
Lines changed: 2 additions & 2 deletions b/‎kroxylicious-filters/kroxylicious-authorization/src/main/java/io/kroxylicious/filter/authorization/Authorization.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎kroxylicious-filters/kroxylicious-authorization/src/main/java/io/kroxylicious/filter/authorization/AuthorizationFilter.java‎
Lines changed: 41 additions & 26 deletions b/‎kroxylicious-filters/kroxylicious-authorization/src/main/java/io/kroxylicious/filter/authorization/AuthorizationFilter.java‎
Lines changed: 41 additions & 26 deletions
@@ -95,6 +95,20 @@
             <property name="classes" value="java.lang.Boolean"/>
         </module>
 
+        <!-- Enforce structured logging with addKeyValue instead of parameterized logging -->
+        <module name="RegexpSinglelineJava">
+            <property name="format" value="(LOGGER|LOG)\.(info|debug|warn|error|trace)\([^)]*\{[^\}]*\}" />
+            <property name="message" value="Use fluent API with addKeyValue() instead of parameterized logging with '{''}'. Example: LOGGER.atInfo().addKeyValue(&quot;key&quot;, value).log(&quot;message&quot;). [not required for tests]" />
+            <property name="ignoreComments" value="true" />
+        </module>
+
+        <!-- Standardize logger naming to LOGGER (not LOG) -->
+        <module name="RegexpSinglelineJava">
+            <property name="format" value="^\s*(private\s+)?static\s+final\s+Logger\s+LOG\s*=" />
+            <property name="message" value="Logger should be named LOGGER (not LOG) for consistency. [not required for tests]" />
+            <property name="ignoreComments" value="true" />
+        </module>
+
         <module name="IllegalImport">
             <!-- we shouldn't be relying on class shaded into TC for dependencies -->
             <property name="illegalPkgs" value="org.testcontainers.shaded"/>
 
@@ -23,4 +23,26 @@
 
     <suppress checks=".*"
               files="generated-sources/antlr4/.*"/>
+
+    <!-- Exclude structured logging checks from test code (src/test) -->
+    <suppress checks="RegexpSinglelineJava"
+              message="Use fluent API with addKeyValue"
+              files=".*[/\\]src[/\\]test[/\\].*"/>
+    <suppress checks="RegexpSinglelineJava"
+              message="Logger should be named LOGGER"
+              files=".*[/\\]src[/\\]test[/\\].*"/>
+
+    <!-- Exclude structured logging checks from test infrastructure modules (src/main) -->
+    <suppress checks="RegexpSinglelineJava"
+              message="Use fluent API with addKeyValue"
+              files=".*systemtests[/\\]src[/\\]main[/\\].*"/>
+    <suppress checks="RegexpSinglelineJava"
+              message="Use fluent API with addKeyValue"
+              files=".*test-support[/\\]src[/\\]main[/\\].*"/>
+    <suppress checks="RegexpSinglelineJava"
+              message="Logger should be named LOGGER"
+              files=".*systemtests[/\\]src[/\\]main[/\\].*"/>
+    <suppress checks="RegexpSinglelineJava"
+              message="Logger should be named LOGGER"
+              files=".*test-support[/\\]src[/\\]main[/\\].*"/>
 </suppressions>
@@ -12,7 +12,7 @@ appender.null.name = NullAppender
 appender.console.type = Console
 appender.console.name = STDOUT
 appender.console.layout.type = PatternLayout
-appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} <%t> %-5p %c:%L - %m%n
+appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} <%t> %-5p %c:%L - %m%replace{ %K{ctx}}{' $'}{}%n
 
 rootLogger.level = TRACE
 rootLogger.appenderRefs = null,console
 
@@ -90,6 +90,11 @@
             <artifactId>log4j-slf4j2-impl</artifactId>
             <scope>runtime</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-layout-template-json</artifactId>
+            <scope>runtime</scope>
+        </dependency>
         <dependency>
             <groupId>com.lmax</groupId>
             <artifactId>disruptor</artifactId>
 
@@ -80,7 +80,9 @@ public Integer call() throws Exception {
             }
         }
         catch (Exception e) {
-            LOGGER.error("Exception on startup", e);
+            LOGGER.atError()
+                    .setCause(e)
+                    .log("Exception on startup");
             throw e;
         }
 
@@ -107,17 +109,18 @@ private static void printBannerAndVersions(Features features) {
         new BannerLogger().log();
         String[] versions = new VersionProvider().getVersion();
         for (String version : versions) {
-            LOGGER.info("{}", version);
+            LOGGER.atInfo()
+                    .addKeyValue("version", version)
+                    .log("Kroxylicious version");
         }
         features.warnings().forEach(LOGGER::warn);
         LOGGER.atInfo()
-                .setMessage("Platform: Java {}({}) running on {} {}/{}")
-                .addArgument(Runtime::version)
-                .addArgument(() -> System.getProperty("java.vendor"))
-                .addArgument(() -> System.getProperty("os.name"))
-                .addArgument(() -> System.getProperty("os.version"))
-                .addArgument(() -> System.getProperty("os.arch"))
-                .log();
+                .addKeyValue("javaVersion", Runtime::version)
+                .addKeyValue("javaVendor", () -> System.getProperty("java.vendor"))
+                .addKeyValue("osName", () -> System.getProperty("os.name"))
+                .addKeyValue("osVersion", () -> System.getProperty("os.version"))
+                .addKeyValue("osArch", () -> System.getProperty("os.arch"))
+                .log("Java Platform");
     }
 
     /**
 
@@ -10,10 +10,26 @@ Configuration:
   name: Config
   Appenders:
     Console:
+      # Pattern layout appender (text format - current default)
+      - name: STDOUT-PATTERN
+        target: SYSTEM_OUT
+        PatternLayout:
+          pattern: "%d{yyyy-MM-dd HH:mm:ss} %-5p <%t> %c{2.} - %m%replace{ %K{ctx}}{' $'}{}%n"
+      # JSON layout appender (structured JSON output)
+      - name: STDOUT-JSON
+        target: SYSTEM_OUT
+        JsonTemplateLayout:
+          eventTemplateUri: "classpath:LogstashJsonEventLayoutV1.json"
+    # Routing appender - selects between Pattern and JSON based on env var
+    Routing:
       name: STDOUT
-      target: SYSTEM_OUT
-      PatternLayout:
-        pattern: "%d{yyyy-MM-dd HH:mm:ss} %-5p <%t> %c{2.} - %m%n"
+      Routes:
+        pattern: "${env:KROXYLICIOUS_LOG_FORMAT:-text}"
+        Route:
+          - key: json
+            ref: STDOUT-JSON
+          - key: text
+            ref: STDOUT-PATTERN
   Loggers:
     Root:
       level: "${env:KROXYLICIOUS_ROOT_LOG_LEVEL:-WARN}"
 
@@ -12,7 +12,7 @@ appender.null.name = NullAppender
 appender.console.type = Console
 appender.console.name = STDOUT
 appender.console.layout.type = PatternLayout
-appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} <%t> %-5p %c:%L - %m%n
+appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} <%t> %-5p %c:%L - %m%replace{ %K{ctx}}{' $'}{}%n
 
 rootLogger.level = TRACE
 rootLogger.appenderRefs = null,console
 
@@ -33,3 +33,55 @@ KROXYLICIOUS_ROOT_LOG_LEVEL="DEBUG"
 ----
 
 NOTE: Setting the root log level to `DEBUG` or `TRACE` will produce very verbose logs.
+
+[id='proc-proxy-json-log-format-{context}']
+== Switching to JSON log format
+
+By default, Kroxylicious outputs logs in human-readable text format. You can switch to structured JSON output for integration with log aggregation systems.
+
+.Procedure
+
+. Set the `KROXYLICIOUS_LOG_FORMAT` environment variable:
++
+[source,bash]
+----
+export KROXYLICIOUS_LOG_FORMAT=json
+----
+
+. Start Kroxylicious:
++
+[source,bash]
+----
+bin/kroxylicious-start.sh
+----
+
+.Expected output (JSON format)
+
+[source,json]
+----
+{
+  "@version": "1",
+  "@timestamp": "2026-04-01T14:25:30.123Z",
+  "message": "Connection established",
+  "logger_name": "io.kroxylicious.proxy.internal.FilterHandler",
+  "thread_name": "kafka-request-handler-1",
+  "level": "INFO",
+  "level_value": 20000,
+  "stack_trace": null,
+  "sessionId": "abc-123",
+  "clientId": "producer-1"
+}
+----
+
+NOTE: Structured logging parameters like `sessionId` and `clientId` appear as top-level fields in JSON output.
+
+.Switching back to text format
+
+Remove the environment variable or set it to `text`:
+
+[source,bash]
+----
+unset KROXYLICIOUS_LOG_FORMAT
+# or
+export KROXYLICIOUS_LOG_FORMAT=text
+----
@@ -31,7 +31,7 @@
 @Plugin(configType = AuthorizationConfig.class)
 public class Authorization implements FilterFactory<AuthorizationConfig, Authorizer> {
 
-    private static final Logger LOG = LoggerFactory.getLogger(Authorization.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(Authorization.class);
 
     private @Nullable AuthorizerService<?> authorizerService = null;
 
@@ -40,7 +40,7 @@ public class Authorization implements FilterFactory<AuthorizationConfig, Authori
     public Authorizer initialize(FilterFactoryContext context,
                                  AuthorizationConfig authorizationConfig)
             throws PluginConfigurationException {
-        LOG.warn("Authorization is an experimental Filter not yet recommended for production environments.");
+        LOGGER.atWarn().log("Authorization is an experimental Filter not yet recommended for production environments");
         var configuration = Plugins.requireConfig(this, authorizationConfig);
         this.authorizerService = context.pluginInstance(AuthorizerService.class, configuration.authorizer());
         ((AuthorizerService) authorizerService).initialize(configuration.authorizerConfig());
 
@@ -48,7 +48,7 @@
  */
 public class AuthorizationFilter implements RequestFilter, ResponseFilter {
 
-    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationFilter.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationFilter.class);
 
     static Map<ApiKeys, ApiEnforcement<?, ?>> apiEnforcement = new EnumMap<>(ApiKeys.class);
 
@@ -173,18 +173,28 @@ CompletionStage<AuthorizeResult> authorization(FilterContext context, List<Actio
                 actionsWithSupportedResourceTypes)
                 .thenApply(authz -> {
                     if (!authz.denied().isEmpty()) {
-                        LOG.info("DENY {} to {}", authz.denied(), authz.subject());
+                        LOGGER.atInfo()
+                                .addKeyValue("deniedActions", authz.denied())
+                                .addKeyValue("subject", authz.subject())
+                                .log("Authorization DENY decision");
                     }
                     else if (!authz.allowed().isEmpty()) {
-                        LOG.debug("ALLOW {} to {}", authz.allowed(), authz.subject());
+                        LOGGER.atDebug()
+                                .addKeyValue("allowedActions", authz.allowed())
+                                .addKeyValue("subject", authz.subject())
+                                .log("Authorization ALLOW decision");
                     }
                     else if (actions.isEmpty()) {
-                        LOG.debug("ALLOW {} no authorizable actions", authz.subject());
+                        LOGGER.atDebug()
+                                .addKeyValue("subject", authz.subject())
+                                .log("Authorization ALLOW decision with no authorizable actions");
                     }
                     if (!actionsWithUnsupportedResourceTypes.isEmpty()) {
-                        LOG.debug("ALLOW {} to {} (due to resource types not being supported by {})",
-                                actionsWithUnsupportedResourceTypes, authz.subject(),
-                                authorizer.getClass().getName());
+                        LOGGER.atDebug()
+                                .addKeyValue("unsupportedActions", actionsWithUnsupportedResourceTypes)
+                                .addKeyValue("subject", authz.subject())
+                                .addKeyValue("authorizerClass", authorizer.getClass().getName())
+                                .log("Authorization ALLOW decision for unsupported resource types");
                         authz = new AuthorizeResult(authz.subject(),
                                 Stream.concat(authz.allowed().stream(), actionsWithUnsupportedResourceTypes.stream()).collect(Collectors.toUnmodifiableList()),
                                 authz.denied());
@@ -194,11 +204,15 @@ else if (actions.isEmpty()) {
     }
 
     static void nonAuthorizableRequest(FilterContext context) {
-        LOG.debug("NON-AUTHORIZABLE request from {}", context.authenticatedSubject());
+        LOGGER.atDebug()
+                .addKeyValue("subject", context.authenticatedSubject())
+                .log("Non-authorizable request");
     }
 
     static void nonAuthorizableResponse(FilterContext context) {
-        LOG.debug("NON-AUTHORIZABLE response from {}", context.authenticatedSubject());
+        LOGGER.atDebug()
+                .addKeyValue("subject", context.authenticatedSubject())
+                .log("Non-authorizable response");
     }
 
     <R> void pushInflightState(RequestHeaderData header, InflightState<R> inflightState) {
@@ -263,22 +277,20 @@ public CompletionStage<RequestFilterResult> onRequest(ApiKeys apiKey,
 
     private void logUnsupportedVersion(ApiKeys apiKey, RequestHeaderData header) {
         if (isApiSupported(apiKey)) {
-            LOG.warn("Filter of type {} does not support {} API version {} used in request."
-                    + " It supports version {} to {} (inclusive) of this API."
-                    + " This error is due to a misconfigured, buggy, or possibly malicious client.",
-                    getClass().getName(),
-                    apiKey,
-                    header.requestApiVersion(),
-                    minSupportedApiVersion(apiKey),
-                    maxSupportedApiVersion(apiKey));
+            LOGGER.atWarn()
+                    .addKeyValue("filterClass", getClass().getName())
+                    .addKeyValue("apiKey", apiKey)
+                    .addKeyValue("requestApiVersion", header.requestApiVersion())
+                    .addKeyValue("minSupportedVersion", minSupportedApiVersion(apiKey))
+                    .addKeyValue("maxSupportedVersion", maxSupportedApiVersion(apiKey))
+                    .log("Filter does not support API version used in request. This error is due to a misconfigured, buggy, or possibly malicious client");
         }
         else {
-            LOG.warn("Filter of type {} does not support {} API version {} used in request."
-                    + " It does not support version this API at all."
-                    + " This error is due to a misconfigured, buggy, or possibly malicious client.",
-                    getClass().getName(),
-                    apiKey,
-                    header.requestApiVersion());
+            LOGGER.atWarn()
+                    .addKeyValue("filterClass", getClass().getName())
+                    .addKeyValue("apiKey", apiKey)
+                    .addKeyValue("requestApiVersion", header.requestApiVersion())
+                    .log("Filter does not support this API at all. This error is due to a misconfigured, buggy, or possibly malicious client");
         }
     }
 
@@ -329,9 +341,12 @@ private CompletionStage<ResponseFilterResult> checkCompat(ResponseHeaderData hea
         var minMetadataVersion = apiVersion.minVersion();
         var maxMetadataVersion = apiVersion.maxVersion();
         if (maxMetadataVersion < 4) {
-            LOG.error("Filter {} requires the broker to support at least METADATA API version 4. "
-                    + "The connected broker supports only {}-{}.",
-                    AuthorizationFilter.class.getName(), minMetadataVersion, maxMetadataVersion);
+            LOGGER.atError()
+                    .addKeyValue("filterClass", AuthorizationFilter.class.getName())
+                    .addKeyValue("requiredMinVersion", (short) 4)
+                    .addKeyValue("brokerMinVersion", minMetadataVersion)
+                    .addKeyValue("brokerMaxVersion", maxMetadataVersion)
+                    .log("Filter requires broker to support at least METADATA API version 4. Connected broker does not meet requirements");
             return context.responseFilterResultBuilder().withCloseConnection().completed();
         }
         this.useMetadataVersion = (short) Math.min(ApiKeys.METADATA.latestVersion(), maxMetadataVersion);