Currently, our application uses Log4J 1.2 and configures it using either
File file = ...
PropertyConfigurator.configure(file.getAbsolutePath());
or
URL url = ...
PropertyConfigurator.configure(url);
I know that the property file format has changed from 1.2 to 2, but what would be a similar way to configure Log4J 2 using a property file at an arbitrary file or URL?
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data if the attacker has write permission to the Log4j configuration.
Community support: Log4j 1.x is not actively maintained, whereas Log4j 2 has an active community where questions are answered, features are added and bugs are fixed. Log4j 2 can also automatically reload its configuration upon modification without losing log events while reconfiguring.
PropertyConfigurator allows the configuration of log4j from an external file. See doConfigure(String, LoggerRepository) for the expected format. It is sometimes useful to see how log4j is reading configuration files.
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
You can use PropertiesConfigurationBuilder as follows:
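import java.util.Properties;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.config.Configuration;
import org.apache.logging.log4j.core.config.ConfigurationSource;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.properties.PropertiesConfigurationBuilder;

// Custom-loaded properties.
Properties props = ...
// Beware it should be org.apache.logging.log4j.core.LoggerContext class,
// not the one in the spi package!
// Not sure about the meaning of "false".
LoggerContext context = (LoggerContext) LogManager.getContext(false);
// Build a Configuration from the in-memory properties (no backing file or URL).
Configuration config = new PropertiesConfigurationBuilder()
    .setConfigurationSource(ConfigurationSource.NULL_SOURCE)
    .setRootProperties(props)
    .setLoggerContext(context)
    .build();
context.setConfiguration(config);
Configurator.initialize(config);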
It's true that using the core classes looks like a hack, but the author himself uses them in his tutorial: https://logging.apache.org/log4j/log4j-2.3/manual/customconfig.html.
From Log4J 2's documentation:
// import org.apache.logging.log4j.core.LoggerContext;
LoggerContext context = (org.apache.logging.log4j.core.LoggerContext) LogManager.getContext(false);
File file = new File("path/to/a/different/log4j2.xml");
// this will force a reconfiguration
context.setConfigLocation(file.toURI());
Make sure to refer to org.apache.logging.log4j.core.LoggerContext (defined in the log4j-core artifact, not the log4j-api one) and not to org.apache.logging.log4j.spi.LoggerContext.
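The page notes that write access to the Log4j configuration is the precondition for the JMSAppender issue in 1.2, so a location passed to setConfigLocation deserves a check before it is loaded. The following is an added example, not code from either answer or from the Log4j project: the class name, the TRUSTED_DIR path and the policy (local file only, inside one directory, not writable by group or others) are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;

public final class CheckedLog4j2Config {
    // Assumption: the only directory this application accepts logging configuration from.
    private static final Path TRUSTED_DIR = Paths.get("/etc/myapp/logging");

    /** Returns the resolved path if the location passes the policy, otherwise throws. */
    static Path validate(URI location) throws IOException {
        // Remote locations (http, ftp, jar, ...) cannot be permission-checked, so refuse them.
        if (!"file".equalsIgnoreCase(location.getScheme())) {
            throw new SecurityException("Only file: locations are accepted: " + location);
        }
        // toRealPath() resolves symlinks and "..", so containment is checked on the real target.
        Path real = Paths.get(location).toRealPath();
        if (!real.startsWith(TRUSTED_DIR.toRealPath()) || !Files.isRegularFile(real)) {
            throw new SecurityException("Not a regular file inside the trusted directory: " + real);
        }
        // POSIX only: throws UnsupportedOperationException on file systems without these attributes.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(real);
        if (perms.contains(PosixFilePermission.GROUP_WRITE) || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new SecurityException("Configuration is writable by group or others: " + real);
        }
        return real;
    }

    /** Validates the location, then reconfigures Log4j 2 as in the answer above. */
    static void reconfigure(URI location) throws IOException {
        Path checked = validate(location);
        LoggerContext context = (LoggerContext) LogManager.getContext(false);
        context.setConfigLocation(checked.toUri()); // forces a reconfiguration
    }

    public static void main(String[] args) throws IOException {
        reconfigure(Paths.get(args[0]).toUri());
    }
}
```

The check and the load are separate steps, so the trusted directory itself must also not be writable by untrusted users.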