remove use of log4jv1 - no longer supported and has security vulnerabilities

[pjfanning]

BUG REPORT

Related to but separate from #3816

https://github.com/apache/rocketmq/blob/develop/pom.xml#L582

log4j v1 is not supported (EOL) and numerous CVEs are open against it

• ideally use log4jv2 instead
• reload4j is a drop-in replacement for log4jv1 - but ideally, rocketmq should standardise on one log framework and log4jv2 is used in rocketmq too

[pjfanning]

log4jv1 is still in use in some subprojects

[ERROR]   The project org.apache.rocketmq:rocketmq-logappender:4.9.3-SNAPSHOT (/home/travis/build/apache/rocketmq/logappender/pom.xml) has 1 error
[ERROR]     'dependencies.dependency.version' for log4j:log4j:jar is missing. @ org.apache.rocketmq:rocketmq-logappender:[unknown-version], /home/travis/build/apache/rocketmq/logappender/pom.xml, line 35, column 21
[ERROR]   
[ERROR]   The project org.apache.rocketmq:rocketmq-test:4.9.3-SNAPSHOT (/home/travis/build/apache/rocketmq/test/pom.xml) has 1 error
[ERROR]     'dependencies.dependency.version' for log4j:log4j:jar is missing. @ org.apache.rocketmq:rocketmq-test:[unknown-version], /home/travis/build/apache/rocketmq/test/pom.xml, line 31, column 21

[pjfanning]

rocketmq-logappender supports a few log frameworks - would it be possible just to remove RocketmqLog4jAppender (the log4jv1 support)?

[caigy]

@pjfanning Support for Log4j v1 is still necessary for users who send log message to RocketMQ through Log4j V1 interface. And a discuss has launched for moving rocketmq-logappender to rocketmq-externals repo, please find it in dev mail list.

[github-actions]

This issue is stale because it has been open for 365 days with no activity. It will be closed in 3 days if no further activity occurs.