• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Liutauras Vilda
  • Jeanne Boyarsky
  • paul wheaton
Sheriffs:
  • Ron McLeod
  • Devaka Cooray
  • Henry Wong
Saloon Keepers:
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Tim Moores
  • Mikalai Zaikin
Bartenders:
  • Frits Walraven

Cannot get log4j2 to work correctly..

 
Bartender
Posts: 1973
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Something is off. Trying to get log4j 2 to work gives me class not found errors.

Why?

I have added the new log4j2 dependencies in my pom.xml:



In my project, I have the compiled logic:



In the IDE there the two expected import statements (both compile):


In the Tomcat lib folder, but the JAR files above are present.

Yet, when I deploy this application (it used to work with log4j 1.x), I now get:



Do I still need some other import to get log4j2 to work?

Thanks in advance,

-- mmike
 
Saloon Keeper
Posts: 28319
210
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Yike! Did you trigger the mobile device view somehow? I'm getting everything scrunched up in the middle of the window.

FIRST: Log4j 2.1.6 is CURSED. If you want to avoid the vulnerabilty issues, go to 2.2 or higher.

Secondly, you're missing SLF4J, not Log4J. SLF4j is a logging integrator that allows components using different logging systems to unify the logs under one system.

Here's what I'm using on my recipe webapp currently under development (and coming along very nicely!)

This allows both JULI and Log4J to log via Log4J control.
 
Mike London
Bartender
Posts: 1973
17
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim! That was it (missing slf4j).

Appreciate your help as always!  

- mike
 
Ranch Hand
Posts: 159
  • Likes 2
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Holloway wrote:
FIRST: Log4j 2.1.6 is CURSED. If you want to avoid the vulnerabilty issues, go to 2.2 or higher.


Are you sure? Aren't you mixing up versions?
AFAIK Log4j 2.2 version is vulnerable to the 0-day exploit and you should be using 2.16.0.

Source: https://logging.apache.org/log4j/2.x/security.html
 
Tim Holloway
Saloon Keeper
Posts: 28319
210
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I may have been dyslexic, but originally I read the issue as being with Log4J 2.1 releases.

Regardless, you are correct that all Log4j2 version 2 and higher up to and including 2.15 are vulnerable, although 2.15 has reduced weakness and is covered under a different CVE.

2.16.0 removes the fatal feature altogether, although it does so thoroughly that it may break some applications, so testing is advised.
 
Look ma! I'm selling my stuff!
Gift giving made easy with the permaculture playing cards
https://coderanch.com/t/777758/Gift-giving-easy-permaculture-playing
reply
    Bookmark Topic Watch Topic
  • New Topic