diff --git a/Dockerfile b/Dockerfile
index ff413e5..86a094a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,11 +10,11 @@ ENV JAVA_VERSION=8u162 \
JAVA_BUNDLE_ID=0da788060d494f5095bf8624735fa2f1 \
##tomcat
TOMCAT_MAJOR=8 \
- TOMCAT_VERSION=8.5.27 \
+ TOMCAT_VERSION=8.5.29 \
##shib-idp
VERSION=3.3.2 \
##TIER
- TIERVERSION=18011 \
+ TIERVERSION=180401 \
##################
### OTHER VARS ###
@@ -34,6 +34,11 @@ ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOM
SHIB_RELDIR=http://shibboleth.net/downloads/identity-provider/$VERSION \
SHIB_PREFIX=shibboleth-identity-provider-$VERSION
+
+ENV ENV=dev \
+ USERTOKEN=nothing
+
+
#set labels
LABEL Vendor="Internet2" \
ImageType="Shibboleth IDP Release" \
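Review bot: The new `ENV ENV=dev` reuses the name `ENV`, which POSIX shells (including bash invoked as `sh`) treat as the path of a startup file to read and execute in interactive sessions. With the value supplied at `docker run` time, an interactive `sh` inside the container would try to source whatever file that value names. A prefixed variable avoids the collision, for example `ENV IDP_ENV=dev \` (name constructed here), with the matching reads in startup.sh and tomcat/setenv.sh renamed to follow.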
@@ -133,14 +138,27 @@ RUN mkdir -p "$CATALINA_HOME" && set -x \
ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
-
+
+#use log4j for tomcat logging
+ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/
+ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/
+ADD http://central.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/
+RUN cd /usr/local/tomcat/; \
+ chmod +r bin/log4j-*.jar; \
+ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
+ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
+
+
+
# Copy TIER helper scripts
+ADD container_files/system/startup.sh /usr/bin/
ADD container_files/bin/setenv.sh /opt/tier/setenv.sh
ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh
ADD container_files/bin/sendtierbeacon.sh /usr/bin/sendtierbeacon.sh
ADD container_files/system/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
RUN chmod +x /opt/tier/setenv.sh \
&& chmod +x /usr/bin/setupcron.sh \
+ && chmod +x /usr/bin/startup.sh \
&& chmod +x /usr/bin/sendtierbeacon.sh \
# setup cron
&& /usr/bin/setupcron.sh
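Review bot: The three log4j jars are fetched with `ADD http://central.maven.org/...` over plain HTTP and nothing verifies them afterwards, so whatever the network path returns ends up on Tomcat's classpath in an identity-provider image. Fetch them over HTTPS and check each one against a pinned digest in the same layer, along the lines of `curl -fsSL -o bin/log4j-core-2.11.0.jar https://<maven-repo>/.../log4j-core-2.11.0.jar && echo "<sha256-of-jar>  bin/log4j-core-2.11.0.jar" | sha256sum -c -`. Separately, the added `chmod +r bin/log4j-*.jar; \` ends in a line continuation, which as shown would fold the following `ADD container_files/tomcat/log4j2.xml ...` line into the RUN shell command; ending that line at `chmod +r bin/log4j-*.jar` avoids it.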
@@ -203,5 +221,4 @@ HEALTHCHECK --interval=2m --timeout=30s \
CMD curl -k -f https://127.0.0.1/idp/status || exit 1
-# Start tomcat/crond via supervisor
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+CMD ["/usr/bin/startup.sh"]
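Review bot: With `CMD ["/usr/bin/startup.sh"]` the shell script becomes PID 1, and its last line starts supervisord as a child instead of replacing the shell, so the SIGTERM sent on container stop is not delivered to supervisord. Tomcat and the IdP would then be killed at the stop timeout rather than shut down cleanly, which risks losing the tail of the audit stream. Ending startup.sh with `exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf` keeps the previous signal behaviour. The removed comment could also be kept in updated form, e.g. `# Start log pipes, then tomcat/crond via supervisor`.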
diff --git a/container_files/bin/setenv.sh b/container_files/bin/setenv.sh
index a43bc0b..55c8c89 100644
--- a/container_files/bin/setenv.sh
+++ b/container_files/bin/setenv.sh
@@ -3,3 +3,4 @@ printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGE" >> /opt/tier/env.bash
printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash
+
diff --git a/container_files/bin/startup.sh b/container_files/bin/startup.sh
deleted file mode 100644
index 9916e74..0000000
--- a/container_files/bin/startup.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-CRONFILE=/opt/tier/tier-cron
-
-#set env vars for cron job
-/opt/tier/setenv.sh
-
-#build crontab file with random start time between midnight and 3:59am
-echo "#send daily beacon to TIER Central" > ${CRONFILE}
-echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE}
-chmod 644 ${CRONFILE}
-
-#install crontab
-crontab ${CRONFILE}
-
-#create cron logfile
-touch /var/log/cron.log
-
-#start crond
-/usr/sbin/crond -n
-#if crond args are needed, then:
-#source /etc/sysconfig/crond && exec /usr/sbin/crond -n $CRONDARGS
-
-
-#start tomcat
-#/usr/local/tomcat/bin/catalina.sh run
diff --git a/container_files/system/startup.sh b/container_files/system/startup.sh
new file mode 100644
index 0000000..19eecc1
--- /dev/null
+++ b/container_files/system/startup.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+#for passed-in env vars, remove spaces and replace any ; with : in usertoken env var since we will use ; as a delimiter
+export USERTOKEN="${USERTOKEN//;/:}"
+export USERTOKEN="${USERTOKEN// /}"
+export ENV="${ENV//;/:}"
+export ENV="${ENV// /}"
+
+# generic console logging pipe for anyone
+mkfifo -m 666 /tmp/logpipe
+cat <> /tmp/logpipe 1>&2 &
+
+mkfifo -m 666 /tmp/logcrond
+(cat <> /tmp/logcrond | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "crond;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logtomcat
+(cat <> /tmp/logtomcat | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "tomcat;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logsuperd
+(cat <> /tmp/logsuperd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "supervisord;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-process
+(cat <> /tmp/logidp-process | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-process.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-warn
+(cat <> /tmp/logidp-warn | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-warn.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-audit
+(cat <> /tmp/logidp-audit | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-audit.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+mkfifo -m 666 /tmp/logidp-consent-audit
+(cat <> /tmp/logidp-consent-audit | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shib-idp;idp-consent-audit.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe) &
+
+
+# fix IdP's logback.xml to log to use above pipe
+IDP_LOG_CFG_FILE=/opt/shibboleth-idp/conf/logback.xml
+if test \! -f ${IDP_LOG_CFG_FILE}.dist; then
+ cp ${IDP_LOG_CFG_FILE} ${IDP_LOG_CFG_FILE}.dist
+fi
+sed "s#\${idp.logfiles}/idp-process.log#/tmp/logidp-process#" ${IDP_LOG_CFG_FILE}.dist > ${IDP_LOG_CFG_FILE}.tmp
+sed "s#\${idp.logfiles}/idp-warn.log#/tmp/logidp-warn#" ${IDP_LOG_CFG_FILE}.tmp > ${IDP_LOG_CFG_FILE}.tmp2
+sed "s#\${idp.logfiles}/idp-audit.log#/tmp/logidp-audit#" ${IDP_LOG_CFG_FILE}.tmp2 > ${IDP_LOG_CFG_FILE}.tmp3
+sed "s#\${idp.logfiles}/idp-consent-audit.log#/tmp/logidp-consent-audit#" ${IDP_LOG_CFG_FILE}.tmp3 > ${IDP_LOG_CFG_FILE}
+rm -f ${IDP_LOG_CFG_FILE}.tmp
+rm -f ${IDP_LOG_CFG_FILE}.tmp2
+rm -f ${IDP_LOG_CFG_FILE}.tmp
+
+#launch supervisord
+/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
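Review bot: Every FIFO is created with `mkfifo -m 666` under a fixed name in /tmp, so any process in the container can write lines into the merged console stream, including the pipes that stand in for idp-audit.log and idp-consent-audit.log. If all writers run as the same account (supervisord.conf sets `user=root`; whether Tomcat drops privileges is not visible here), `mkfifo -m 600 /tmp/logidp-audit` and likewise for the others keeps audit records from being forged by other local users. The sanitising at the top removes only spaces and `;`, and `awk -v` expands backslash escapes in the value, so a USERTOKEN containing `\n` could still split a log record; rejecting anything outside an allow-list is safer than stripping two characters. The `${USERTOKEN//;/:}` form is also a bash extension under a `#!/bin/sh` shebang. Finally, the last cleanup line repeats `rm -f ${IDP_LOG_CFG_FILE}.tmp`, leaving `.tmp3` behind; it should read `rm -f ${IDP_LOG_CFG_FILE}.tmp3`.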
diff --git a/container_files/system/supervisord.conf b/container_files/system/supervisord.conf
index 6af4ba5..0fcff1f 100644
--- a/container_files/system/supervisord.conf
+++ b/container_files/system/supervisord.conf
@@ -1,14 +1,17 @@
[supervisord]
+logfile=/tmp/logsuperd
+logfile_maxbytes=0
+loglevel=error
nodaemon=true
+user=root
[program:cron]
command=/usr/sbin/crond -n
autostart=true
autorestart=true
-redirect_stderr=true
-stdout_logfile=/dev/stdout
+stdout_logfile=/tmp/logcrond
stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
+stderr_logfile=/tmp/logcrond
stderr_logfile_maxbytes=0
directory=/usr/bin
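Review bot: The added `user=root` in `[supervisord]` makes it explicit that the supervisor runs as root, and no program section visible in this diff sets its own `user=`, so `catalina.sh run` would presumably inherit root as well. For an internet-facing IdP it is worth adding `user=<unprivileged-account>` to the tomcat program section, assuming the image provides such an account and the log FIFOs are writable by it. Note also that `loglevel=error` drops supervisord's info-level process start and exit messages, which are often the first sign of a crash loop; `loglevel=info` would keep them in the console stream.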
@@ -16,8 +19,7 @@ directory=/usr/bin
command=/usr/local/tomcat/bin/catalina.sh run
autostart=true
autorestart=true
-redirect_stderr=true
-stdout_logfile=/dev/stdout
+stdout_logfile=/tmp/logtomcat
stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
+stderr_logfile=/tmp/logtomcat
stderr_logfile_maxbytes=0
diff --git a/container_files/tomcat/log4j2.xml b/container_files/tomcat/log4j2.xml
new file mode 100644
index 0000000..0ecbc07
--- /dev/null
+++ b/container_files/tomcat/log4j2.xml
@@ -0,0 +1,27 @@
+
+
+
+ %d [%t] %-5p %c- %m%n
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/container_files/tomcat/setenv.sh b/container_files/tomcat/setenv.sh
new file mode 100644
index 0000000..adf08bf
--- /dev/null
+++ b/container_files/tomcat/setenv.sh
@@ -0,0 +1,4 @@
+CLASSPATH=/usr/local/tomcat/bin/*
+JAVA_OPTS="-Dlog4j.configurationFile=/usr/local/tomcat/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
+LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
+
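Review bot: `-DENV=$ENV -DUSERTOKEN=$USERTOKEN` places run-time-supplied values directly into `JAVA_OPTS`, which catalina.sh (not shown here) later expands onto the java command line, so whitespace or shell metacharacters in either value could change the JVM's arguments. startup.sh strips only spaces and `;`, so an allow-list check there before supervisord starts would be stronger, e.g. `case "$USERTOKEN" in *[!A-Za-z0-9_.-]*) echo "invalid USERTOKEN" >&2; exit 1;; esac`. The assignment also overwrites any `JAVA_OPTS` passed into the container; `JAVA_OPTS="$JAVA_OPTS -Dlog4j.configurationFile=..."` would preserve it. A short header comment saying that catalina.sh sources this file would help, since it has no shebang.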