NCEAS · artntek · May 28, 2026 · Jan 27, 2026 · Jan 30, 2026 · Jan 30, 2026
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -69,9 +69,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     &&  echo "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true" \
                                       >> ${TC_HOME}/conf/catalina.properties
 
-## Redirect file-based logging to stdout for access logs
-COPY --chown=tomcat:tomcat tomcat.k8s.server.xml ${TC_HOME}/conf/server.xml
-
 ## Redirect file-based logging for all other logs
 COPY --chown=tomcat:tomcat tomcat.k8s.logging.properties ${TC_HOME}/conf/logging.properties
 

diff --git a/helm/config/log4j2.k8s.properties b/helm/config/log4j2.k8s.properties
@@ -12,7 +12,7 @@ loggers = dataone, replication, poolingHttpClientConnectionManager, apacheWire
 appender.consoleAppender.type=Console
 appender.consoleAppender.name=consoleAppender
 appender.consoleAppender.layout.type=PatternLayout
-appender.consoleAppender.layout.pattern=metacat %d{yyyyMMdd-HH:mm:ss}: [%p]: %m [%C:%M:%L]%n
+appender.consoleAppender.layout.pattern={"log_type":"app", "time":"%d{yyyy-MM-dd'T'HH:mm:ss.SSSZ}", "level":"%p", "message":"%enc{%m}{JSON}", "class":"%C", "method":"%M", "line":"%L"}%n
 
 ##################################
 # the root logger configuration  #

diff --git a/docker/tomcat.k8s.server.xml → helm/config/tomcat.k8s.server.xml b/docker/tomcat.k8s.server.xml → helm/config/tomcat.k8s.server.xml
@@ -107,10 +107,26 @@
             unpackWARs="true" autoDeploy="true">
 
         <!-- Access log processes all and writes to stdout instead of a file.
-             Documentation at: /docs/config/valve.html -->
+             Documentation at:
+             https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Log_Valve
+             also see: https://stackoverflow.com/a/55275335 on use of %{x-forwarded-for}i for
+             real client IP
+        -->
         <Valve className="org.apache.catalina.valves.AccessLogValve"
-               pattern="%h %l %u %t &quot;%r&quot; %s %b" rotatable="false"
-               directory="/dev" fileDateFormat="" prefix="stdout" suffix="" />
+            directory="/dev"
+            fileDateFormat=""
+            prefix="stdout"
+            rotatable="false"
+            suffix=""
+            requestAttributesEnabled="true"
+            pattern='{"log_type":"access","time":"%t","remote_ip":"%a","method":%m,"request":%U,"status":%s,"bytes":%b,"duration_ms":%D,"ua":"%{User-Agent}i"}'
+        />
+        <!-- Remote IP Valve to process X-Forwarded-For and X-Forwarded-Proto headers
+             see: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Ip_Valve
+             and: https://stackoverflow.com/a/55275335 -->
+        <Valve className="org.apache.catalina.valves.RemoteIpValve"
+             remoteIpHeader="x-forwarded-for"
+             protocolHeader="x-forwarded-proto" />
       </Host>
     </Engine>
   </Service>

diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
@@ -107,6 +107,10 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
               readOnly: false
+            - name: {{ .Release.Name }}-config-volume
+              mountPath: /usr/local/tomcat/conf/server.xml
+              subPath: tomcat.k8s.server.xml
+              readOnly: true
             - name: {{ .Release.Name }}-config-volume
               mountPath: /usr/local/etc/metacat-configMap
               readOnly: true