Could not send logs to a UDP server (AccessControlException)

I'm trying to configure Elasticsearch to output logs to a UDP server, but it fails with an AccessControlException. Here is the log:

main ERROR An exception occurred processing Appender logstash java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.168.x.x:12201" "connect,resolve")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1042)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:910)
        at java.base/java.net.DatagramSocket.send(DatagramSocket.java:674)
        at org.apache.logging.log4j.core.net.DatagramOutputStream.flush(DatagramOutputStream.java:103)
        at org.apache.logging.log4j.core.appender.OutputStreamManager.flushDestination(OutputStreamManager.java:275)
[...]

Here is the relevant part of log4j2.properties:

appender.logstash.type = Socket
appender.logstash.name = logstash
appender.logstash.host = 192.168.x.x
appender.logstash.port = 12201
appender.logstash.protocol = UDP
appender.logstash.layout.type = GelfLayout

Should I set a custom security policy?

There isn't currently a supported way to do this. How are you adding the gelf appender jar? I assume dropping it into Elasticsearch's lib directory? Adding a system level policy should work then, since ES will merge that with its own policy.

However, note that long term we have plans to restrict which jars exist for the core system, but allow for this use case by providing a way to have additional jars loaded by plugins in the root classloader.
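As an added illustration of the system-level policy suggestion (not code from the thread or from Elasticsearch): the denial message in the log already names the exact permission the Security Manager refused, so the narrowest grant can be derived from it instead of allowing a wildcard socket target. The function names are hypothetical, the sample input is the log line quoted in the question, and the grant is left without a codeBase clause because the thread does not say which jar the appender is loaded from.

```python
import re

# AccessControlException prints the refused permission as:
#   access denied ("<permission class>" "<target>" "<actions>")
DENIED = re.compile(
    r'access denied \("(?P<cls>[\w.$]+)" "(?P<target>[^"]*)"'
    r'(?: "(?P<actions>[^"]*)")?\)'
)

def grants_from_log(log_text):
    """Return sorted, de-duplicated policy 'permission' lines, one per denial."""
    seen = set()
    for m in DENIED.finditer(log_text):
        cls, target, actions = m.group("cls", "target", "actions")
        # Policy-file strings treat backslash as an escape (matters for file paths).
        target = target.replace("\\", "\\\\")
        line = f'permission {cls} "{target}"'
        if actions:
            line += f', "{actions}"'
        seen.add(line + ";")
    return sorted(seen)

def policy_block(log_text):
    """Wrap the derived permissions in a grant block for a Java policy file."""
    grants = grants_from_log(log_text)
    if not grants:
        return ""
    # No codeBase here: the jar location is unknown, so this applies to all code.
    return "grant {\n" + "\n".join("  " + g for g in grants) + "\n};"

# Log excerpt copied from the question above (address redacted there as x.x).
SAMPLE_LOG = (
    'main ERROR An exception occurred processing Appender logstash '
    'java.security.AccessControlException: access denied '
    '("java.net.SocketPermission" "192.168.x.x:12201" "connect,resolve")\n'
    '        at java.base/java.security.AccessControlContext.checkPermission'
    '(AccessControlContext.java:472)\n'
)

if __name__ == "__main__":
    print(policy_block(SAMPLE_LOG))
```

The output grants only connect,resolve to the single host and port the appender uses, which keeps the rest of the sandbox intact.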

I did not add it, I assumed it would work out of the box, and it seems that it works because I do not see any error besides the security exception.