-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IOError: org.apache.log4j.spi.LoggingEvent; class invalid for deserialization #35
Comments
It sounds like logstash is connecting just fine (the subject of this issue says "can't connect to logstash"). As for your error output, I don't know what to make of it. It is looking for a class What version of log4j are you using to send? Also, I am unfamiliar with log4j's serialization, so I'm only guessing here. |
I am using log4j-1.2.17, when i downgrade the logstash to 2.4.0, everything is ok |
I too is facing the same problem. I tried with the same parameters as @clevertension, log4j 1.2.17 and logstash 5.0.0. There is no error shown in the stdout and subsequent logs to the port gets exceptions. Downgrading to logstash 2.4 works. |
some problem +1 |
@jordansissel OK, tks! Now how to provisional fixed it, or must to downgrading to 2.4 ? |
As a workaround, I am seeing several reports in this ticket that downgrading to Logstash 2.4 works. If you need a solution now, please downgrade to Logstash 2.4. |
I think I have found the problem. There is a bug in log4j 2 where the "log4j 1.2" API provided by log4j2 has the LoggingEvent class that is not serializable, so Logstash rejects it. I have details in this ticket: #36 (comment) Fixing this may require a new release of Logstash because I had to patch logstash itself to make this work. |
A workaround for Logstash 5.0.0 and 5.0.1: There's a file
If you comment it out, log4j input works successfully for me with Logstash 5.0.1. Here's the patch: --- old/logstash-core/lib/jars.rb 2016-11-28 16:07:07.208906014 -0800
+++ new/logstash-core/lib/jars.rb 2016-11-28 16:07:09.266844854 -0800
@@ -1,5 +1,5 @@
require 'jar_dependencies'
-require_jar('org.apache.logging.log4j', 'log4j-1.2-api', '2.6.2')
+#require_jar('org.apache.logging.log4j', 'log4j-1.2-api', '2.6.2')
require_jar('org.apache.logging.log4j', 'log4j-api', '2.6.2')
require_jar('org.apache.logging.log4j', 'log4j-core', '2.6.2')
require_jar('com.fasterxml.jackson.core', 'jackson-core', '2.7.4') You can apply it with This patch is probably not supported and we should have this bug fixed for Logstash 5.1.0 |
One more thing about this issue: I got no log message on the logstash side for this problem until I raised the level to DEBUG. |
This is a lose-lose scenario. Here's the two options I've been faced with in the past:
Both scenarios cannot be solved simultaneously because one solution cause problems for the other. If we make it log more by default, someone will ask me this "Why is logstash so noisy when a bad connection hits log4j input?" and we'll go back in circles. The reason the log message is hidden by default is because there are a variety of reasons a connection could be faulty -- a network or security scan, a corrupt client, a bad network, incompatible client, unexpected data, etc. I'm not sure how to solve "log just this specific problem where logstash has a bug in the log4j input" but also keep the corrupt client, network scan, etc from being logged by default. |
Well, I am not annoyed but simply puzzled.
In a production environment (where I never, ever would want to set the log level to DEBUG), I would be interested in all of those reasons, why my application logs are lost. So my only chance right now, is to make logstash really noisy. |
In Logstash 5 it is possible to set the log level of individual components,
so you should be able to put the log4j input specifically at debug level.
…On Tue, Nov 29, 2016 at 2:01 AM Norbert Pomaroli ***@***.***> wrote:
Logstash logs too little and annoys users. Annoyed users file tickets.
Well, I am not annoyed but simply puzzled.
The reason the log message is hidden by default is because there are a
variety of reasons a connection could be faulty -- a network or security
scan, a corrupt client, a bad network, incompatible client, unexpected
data, etc.
In a production environment (where I never, ever would want to set the log
level to DEBUG), I would be interested in *all* of those reasons, why my
application logs are lost.
So my only chance right now, is to make logstash *really* noisy.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#35 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAIC6mUtL_bHTcPOE1qKkTeZzoCs1NFxks5rC_gDgaJpZM4Kq8fF>
.
|
The same issue in 5.1.1 :/ |
Confirm fix (comment out one line, logstash-core_jars.rb) Will Logstash 5.2.0 have fix ? |
This issue is impacting us as well. We would like to know what release this is going to be fixed on too. |
Have same trouble with 5.1.2. But when comment require_jar line in logstash-core_jars.rb catch next exception:
|
Looks like this will be fixed by elastic/logstash#6309 which should come with 5.2.0. |
@jakommo It is, and checking the commit gives a more deterministic way of verifying the change was incorporated into the released branch. |
input {
log4j {
mode => "server"
host => "192.168.1.6"
port => 4567
type => "log4j"
}
}
filter {
}
output {
elasticsearch {
action => "index" #The operation on ES
hosts => "localhost:9200" #ElasticSearch host, can be array.
index => "logstash-1" #The index to write data to.
user => logstash_internal
password => changeme
}
}
when i use log4j in java to print something, the logstash error log is
The text was updated successfully, but these errors were encountered: