I do not know the app - this is only binary code. What I see it deploys its own log4j and use such properties for logging: log4j.rootCategory=ERROR, CONSOLE,MYLOG | | log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender | log4j.appender.CONSOLE.Threshold=ERROR | log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout | log4j.appender.CONSOLE.layout.ConversionPattern=%d{dd/MM/yy HH:mm:ss} %5p [%t] (%F:%L) - %m%n | | log4j.appender.MYLOG=org.apache.log4j.DailyRollingFileAppender | log4j.appender.MYLOG.DatePattern='_'yyyyMMdd'.log' | log4j.appender.MYLOG.File=server/default/log/mylog.log | log4j.appender.MYLOG.Append=true | log4j.appender.MYLOG.layout=org.apache.log4j.PatternLayout | log4j.appender.MYLOG.layout.ConversionPattern=%d{dd/MM/yy HH:mm:ss} %5p [%t] (%F:%L) - %m%n JBoss logs must not be affected by any deployed application. If there is no any configuration changes which can protect against such hostile behaviour this is security bug in JBoss. Before I start looking how to file a bug report to JBoss I would like to make sure there is no known protection to JBoss. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4268957#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...