-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate log4j2 to logback #5937
Comments
FYI Changing bin/log4j2.xml to remove the packages attribute as a workaround but it does not work: Current: Tried:
|
Adding more context about |
@QAInsights "more context" link did not scroll to https://logging.apache.org/log4j/2.x/manual/configuration.html#ConfigurationSyntax for me in Firefox (due to trailing text?) @vlsi relevant text there is:
|
Yes @jeroenhabets, but in Chromium-based browsers it works fine. :) |
While running the ./jmeter, showing this.
Can someone please help me in this Java version - 17 |
The Log4j Core `packages` configuration attribute is deprecated because: * It triggers the scanning of the mentioned packages and slows down the startup process. * It was replaced in version 2.0 by a faster mechanism that relies on a `Log4jPlugins.dat` metadata file. See [Log4j Plugins](https://logging.apache.org/log4j/2.x/manual/plugins.html) for more details. This PR removes the `packages` attribute from the standard configuration file and configures the build script of `jmeter-core` to use the `PluginProcessor` contained in `log4j-core`. Fixes apache#5937.
To register additional Log4j Core plugins a small additional step is necessary: the appender class must be compile with the annotation processor contained in The
It seems to me that the essence of the problem is the clarity of the warning message. |
The essence is that the end-users can't fix the issue at their end. In other words, JMeter application emits a warning, and the end-users have no power to fix it. |
|
The default level of status logger is Line 19 in 174ba31
Users can remove the |
…er The use of package scanning to locate plugins is deprecated ... The Log4j Core `packages` configuration attribute is deprecated because: * It triggers the scanning of the mentioned packages and slows down the startup process. * It was replaced in version 2.0 by a faster mechanism that relies on a `Log4jPlugins.dat` metadata file. See [Log4j Plugins](https://logging.apache.org/log4j/2.x/manual/plugins.html) for more details. This PR removes the `packages` attribute from the standard configuration file and configures the build script of `jmeter-core` to use the `PluginProcessor` contained in `log4j-core`. See apache#5937.
…er The use of package scanning to locate plugins is deprecated ... The Log4j Core `packages` configuration attribute is deprecated because: * It triggers the scanning of the mentioned packages and slows down the startup process. * It was replaced in version 2.0 by a faster mechanism that relies on a `Log4jPlugins.dat` metadata file. See [Log4j Plugins](https://logging.apache.org/log4j/2.x/manual/plugins.html) for more details. This PR removes the `packages` attribute from the standard configuration file and configures the build script of `jmeter-core` to use the `PluginProcessor` contained in `log4j-core`. See apache#5937.
Since cbdfd1b has entered the master branch, it seems that there is no point in opening the current issue. |
Let me try again: the warning talks to wrong people. JMeter application users can't fix their JMeter configuration so it adheres to the new best practices. Of course they can silence the warning, however, it does not fix it. The only way to truly fix the warning is to change JMeter sources, so the warning should talk to JMeter devs rather than JMeter users.
Unfortunately, log4j2 does not back-patch security fixes. In other words, if we stay on log4j 2.17.x (the version before #5859), then we would have to upgrade anyway if a new CVE is discovered. I wish they reconsider and start patching the security issues in old releases. |
I would still like to migrate off log4j2 |
I agree with you, but how do you suggest to do it? It's a chicken-and-egg problem: JMeter didn't run the annotation processor, so the annotation processor could not issue errors or warnings.
Log4j and Logback have different versioning schemes: Log4j uses semantic versioning, so users can always upgrade to the last version of the supported major versions ( Logback has a custom versioning scheme, where new features and breaking changes can occur in each version.
For JPMS reasons you should probably move the |
a. Avoid printing the warnings. For instance, if you absolutely want de-support package scanning, could do so and mention it in the migration guide. For instance, consider what OpenJDK does with "illegal reflective access"
They have "Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1". Of course, it is not as good as JMeter build-time warning, but having something like "please consider reporting it to the maintainers of org.apache.jmeter.gui.logging.GuiLogEventAppender" would be better than the current log4j message.
When patching a security issue, everybody wants just the security fix, and they do not want "an extra year worth of features and bugfixes". There are cases when upgrading minor versions is prohibited. For instance, Spring Boot policy is to keep using the same minor versions for the third-party dependencies: pgjdbc/pgjdbc#2599 (comment) That is one of the reasons pgjdbc/pgjdbc patches security issues in all minor versions by default (see GHSA-24rp-q3w6-vc56), and pgjdbc team can roll a security fix to literally any version on demand (see https://github.com/pgjdbc/pgjdbc/security/policy). Once again: I'm not against upgrading to a recent version from time to time. However I would like to have a version that has just a necessary changes to fix the CVE when in a hurry of patching a CVE. I do not like the way log4j2 team handles CVEs by forcing everybody upgrading to the latest minor.
That is so true |
However, |
This improves status logger warnings about: * missing `Log4j2Plugin.dat` plugin descriptors, * usage of package scanning. The warnings are reworded in a way that they are more useful to end-users. If package scanning is enabled, linkage errors (almost exclusively due to optional dependencies) are logged at a `DEBUG` level instead of `WARN`. This addresses @vlsi suggestions from apache/jmeter#5937 (comment) and fixes #2835.
This improves status logger warnings about: * missing `Log4j2Plugin.dat` plugin descriptors, * usage of package scanning. The warnings are reworded in a way that they are more useful to end-users. If package scanning is enabled, linkage errors (almost exclusively due to optional dependencies) are logged at a `DEBUG` level instead of `WARN`. The `PluginManager` tests are revamped to: - Look for a status logger warning if a deprecated plugin scanning feature is used. - Look for a status logger warning if no plugin descriptor is available. This addresses @vlsi suggestions from apache/jmeter#5937 (comment) and fixes #2835. Co-authored-by: Volkan Yazıcı <[email protected]>
Use case
Log4j 2.x introduces unclear changes, so we might better stick with a more stable logging solution.
The current log4j2 in JMeter produces an unclear warning:
Possible solution
No response
Possible workarounds
No response
JMeter Version
5.5
Java Version
No response
OS Version
No response
The text was updated successfully, but these errors were encountered: