I have an internal library that was upgrade to use logstash which has a mandatory dependency to logback, hence logback-classic (which has its own slf4j appender internally of its packages, which means I can't exclude any library here).
When I try to use this dependency as a jar over any other legacy module (all of them are using slf4j-log4j12) I do get the log dependency hell message:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/asdf/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/home/asdf/.m2/repository/org/slf4j/slf4j-log4j12/1.7.26/slf4j-log4j12-1.7.26.jar!/org/slf4j/impl/StaticLoggerBinder.class]
but the problem itself is that I can't just exclude logback-classic, since it is mandatory for logstash, and I can't migrate my applications to use logback, since they are configured with the log4j.xml
Is there a way to force slf4j to use the application appender instead of the one that comes from the logback library, OR, any other idea to make just a given package to use an appender, and the rest, use other?
Related
If log4j doesn't support this then is there some drop-in replacement for log4j that does? I've gone through the docs and lots of google searches, unfortunately all search results come up with "exploit" or "vulnerability" articles.
Splunk provides a splunk-library-javalogging that has appenders for both Log4j2 Core (the reference Log4j2 API implementation) and Logback (the reference SLF4J API implementation).
The appenders use OkHttp 3.x under the hood, so they will behave as all OkHttp-based components. Since splunk-library-javalogging does not set either a proxy nor a proxySelector explicitly (cf. source code), OkHttp falls back to the system wide ProxySelector.
Without any code modification on your part you can use the JVM-wide proxy settings as in this question.
Remark: if by log4j you are referring to Log4j 1.x, you need to replace the log4j:log4j artifact with either log4j-over-slf4j (which forwards to the SLF4J API) or log4j-1.2-api (which forwards to the Log4j2 API).
SLF4J: The class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/apache-jmeter-5.4.1/apache-jmeter-5.4.1/lib/log4j-slf4j-impl-2.13.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/apache-jmeter-5.4.1/apache-jmeter-5.4.1/lib/tika-app-2.1.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
How to resolve it,
and does it impact anything?
This warning can be safely ignored.
If you're interested in the reason: this guy: tika-app-2.1.0.jar is not a part of JMeter 5.4.1 and both JMeter and Tika are using SLF4J framework with their own configurations. The framework detects both bindings and warns you about their presence in the classpath
If you don't use tika-app-2.1.0.jar anywhere in your Test Plans - remove the .jar from JMeter's "lib" folder and the warning will go away, moreover this .jar is kind of big and removing it will make JMeter to start faster.
Also according to 9 Easy Solutions for a JMeter Load Test “Out of Memory” Failure article you should always be using the latest version of JMeter so consider downloading JMeter 5.4.3 (or whatever is the latest stable version which is available at JMeter Downloads page) on next available opportunity.
We need to migrate to log4j 2.17 if we are using log4j jar, mvn dependency: tree showing only log4j-over-slf4j:jar. so I assume app is safe as it will redirect call to sl4j not to log4j.
Please confirm my app is safe with this jar without any remediation.?
In the SLF4J website, in the Comments on the log4shell(CVE-2021-44228) vulnerability they state that:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
So it basically depends on how you're implementing the logs' generation. Slf4j natively uses logback. But to be sure, you can check your pom.xml and see if log4j is mentioned there.
How do I attach logback to smartfox server?
smartfox uses log4j by default. How can I shift logging of my extensions/all of smartfox to logback?
I've tried this but this is failing with this error cause it has already boud to log4j I guess.
SmartFoxServer 2x uses Simple Logging Facade for Java (SLF4J) for logging. The very purpose of SLF4J is to provide a facade over the logging framework so the user can replace one logging framework with another. In your case log4J with Logback. I'll first explain how SLF4J works and how you can change one logging framework with another and briefly discuss some caveats. Then I'll cover some SmartFoxServer specifics.
Simple Logging Facade for Java Architecture
SLF4J provides API which serves as facade (abstraction layer) over the actual logging framework. This allows the user to easily switch between frameworks on deployment time without the need to change the code. But it also means that SLF4J on its own is not enough - the default implementation is no-op. In order to actually log anything you need actual logging framework (such as log4j or logback) and so called "binder" which servers as a bridge or adapter between SLF4J and the logging framework.
Swapping Logging Frameworks
The SLF4J User Manual provides detailed explanation on how you can swap one framework with another during deployment time. In short you just need to delete the old binder and logging framework and add the new binder and the new logging framework. To swap log4 with logback you need to delete slf4j-log4j12 and log4j jars and add logback-classic and logback-core.
Caveats
You should make sure that there is only one binder implementation in the classpath. Having more than one causes waring, not error. SLF4J would just pick one of the implementations. But I would not rule out the possibility for this to cause issues with more complex application (such as SmartFoxServer) that uses multiple class loaders. But more importantly you should make sure the SLF4J API, the binder and the logging framework versions are compatible. For example if you use old version of SLF4J with newer version of logback that may cause ClassNotFoundException. I suspect that this could be reason why you get the error you see.
Swapping lof4j with Logback as logging framework for SmartFoxServer 2x
SmartFoxServer 2x version 2.17.3 uses SLF4J API version 1.7.5. To swap log4j you need to first delete lib/slf4j-log4j12-1.7.5.jar and then add compatible version of logback-classic and logback-core jars. For example logback-classic 1.1.0 and logback-core 1.1.0.
You can delete lib/log4j-1.2.15.jar but I would rather keep it. The binder(lib/slf4j-log4j12-1.7.5.jar) is not meant to be used directly so it should be safe to be deleted. On other hand there are libraries that use log4j directly. I don't know if SmartFoxServer 2x uses any such library but it is safer to keep it just in case. Swapping the binder is enough for SLF4J to use Logback and ignore log4j.
Logger Output
SmartFoxServer 2x parses the logger output to provide some functionality such as the Admin Log Viewer. If you change the log output this may cause this functionality to stop working and maybe even cause other issues (on theory it should not, but you never know). There is configuration file (config/logParser.properties) that would allow you to configure the log parser, but I didn't found any documentation about it. You may try to ask on the SmartFoxServer forum. The developers are actually pretty active there so they may help.
Swapping loggers only for your extension
The instruction I gave swaps the logger for all extensions and SmartFoxServer. If you want you may try to swap them only for your extensions. But I'm not quite sure if and how that would work. Each class extension uses its own class loader but this provides isolation between extensions and SmartFoxServer and extensions, but not between extension and SmartFoxServer. What does this mean is that if you add lib.jar to Extension A classpath it would not be visible to Extension B or to SmartFoxServer code. But if you add lib.jar to the SmartFoxServer classpath it would be visible to both Extension A and Extension B. As SmartFoxServer already contains SLF4J API on its classpath you should not add it to your extension classpath. You can try to add logback-classic and logback-core to you extension classpath. But in this case you'll have two binder implementations in you extension classpath (logback and log4j from the SmartFoxServer classpath). As already discussed, I'm not quite sure how and if this would work.
Conclusion
SLF4J provides an easy way to swap logging frameworks, but there some caveats. And SmartFoxServer adds some caveats on its own. Unless SmartFoxServer team supports swapping of the underlaying logging framework (which judging by some anwers in their forum, they don't), I would be quite careful and do such swap only if there are some benefits and it is not just a matter of personal preference.
When I add org.jxls dependency to pom,it seems to affect log4j outputs.I set log4j log level "ERROR",but it outputs DEBUG infomation to console.But when I remove org.jxls,log4j works right.
Although Jxls-2 uses SLF4J as a logging facade it has a dependency to Logback because it uses some if its XML processing utilities.
If you do not use Logback but another logging framework (e.g. log4j) and configured SLF4J binding you can still end up with "Class path contains multiple SLF4J bindings" warning.
Currently there is a bug in Jxls-2 to remove the Logback dependency.
Until it is fixed you may need to have a logback.xml in your classpath.
Update
The issue is now resolved in JXLS v2.2.9 .
So now it should be possible to plugin any logging framework following the instructions in SLF4J manual