You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@solr.apache.org by Reej Nayagam <re...@gmail.com> on 2021/12/30 10:16:57 UTC
Zookeeper log4j version upgrade
Hi All,
The Latest zookeeper release also uses log4j1.x. Anyone has upgraded log4j
version to 2 for zookeeper.
We tried upgrading the log4j version, but the logs are not getting
generated.
If any of you have tried please let me know . Thank you
*Regards,*
*Reej*
Re: Zookeeper log4j version upgrade
Posted by Reej Nayagam <re...@gmail.com>.
Thanks Shawn. Let me try to make my people understand. They want to make it
clear in the audit. Thanks for the information
Regards
Reej
On Thu, 30 Dec 2021 at 10:45 PM, Shawn Heisey <ap...@elyograg.org> wrote:
> On 12/30/2021 3:16 AM, Reej Nayagam wrote:
> > The Latest zookeeper release also uses log4j1.x. Anyone has upgraded
> log4j
> > version to 2 for zookeeper.
> > We tried upgrading the log4j version, but the logs are not getting
> > generated.
> > If any of you have tried please let me know . Thank you
>
> The 1.x versions of log4j are not vulnerable to the recently disclosed
> problems. Why would you upgrade working software that does not have a
> vulnerability? I know 1.x is end of life, but it is still widely used
> in the Java ecosystem because it works and works well.
>
> The latest zookeeper actually uses slf4j (as does Solr), but the
> installed application is likely configured with log4j as the final slf4j
> logging destination. In case you don't already know, slf4j is basically
> a shim -- it intercepts logging calls made by applications to multiple
> different logging frameworks and funnels them all to one final logging
> destination. Then that destination framework is free to do whatever the
> admin wants with the logs.
>
> Getting zookeeper to use log4j2 instead might require additional work
> beyond simply installing new jars. As zookeeper is a separate project
> from Solr, you will need to ask that project for help getting that working.
>
> Thanks,
> Shawn
>
--
*Thanks,*
*Reej*
Re: Zookeeper log4j version upgrade
Posted by Shawn Heisey <ap...@elyograg.org>.
On 12/30/2021 3:16 AM, Reej Nayagam wrote:
> The Latest zookeeper release also uses log4j1.x. Anyone has upgraded log4j
> version to 2 for zookeeper.
> We tried upgrading the log4j version, but the logs are not getting
> generated.
> If any of you have tried please let me know . Thank you
The 1.x versions of log4j are not vulnerable to the recently disclosed
problems. Why would you upgrade working software that does not have a
vulnerability? I know 1.x is end of life, but it is still widely used
in the Java ecosystem because it works and works well.
The latest zookeeper actually uses slf4j (as does Solr), but the
installed application is likely configured with log4j as the final slf4j
logging destination. In case you don't already know, slf4j is basically
a shim -- it intercepts logging calls made by applications to multiple
different logging frameworks and funnels them all to one final logging
destination. Then that destination framework is free to do whatever the
admin wants with the logs.
Getting zookeeper to use log4j2 instead might require additional work
beyond simply installing new jars. As zookeeper is a separate project
from Solr, you will need to ask that project for help getting that working.
Thanks,
Shawn