Log4j Logstash plugin error

Hi, I am getting

[2016-11-09T14:37:28,009][DEBUG][logstash.inputs.log4j    ] Closing connection {:client=>"172.17.0.1:43658", :exception=>#<IOError: org.apache.log4j.spi.LoggingEvent; class invalid for deserialization>}

while sending logs from log4j to logstash using log4j plugin.

Enviroment:

docker image sebp/elk (elk stack 5.0)
log4j 1.2.17

logstash conf:

input {
   log4j {
     mode => "server"
     host => "0.0.0.0"
     port => 4560
     type => "log4j"
   }
 }
 output {
   stdout {
   }
 }

log4j.properties:

log4j.rootLogger=debug,tcp

log4j.appender.tcp=org.apache.log4j.net.SocketAppender
log4j.appender.tcp.Port=4560
log4j.appender.tcp.RemoteHost=localhost
log4j.appender.tcp.ReconnectionDelay=10000
log4j.appender.tcp.Threshold=info

The next wierd thing is that I had to set log.level to debug to see that error message.

Appreciate any help, thanks!

Probably an incompatibility between the log4j libraries and/or JVMs. I relies on JVM-native Java object serialization and that's not a stable protocol. I suggest you use another method of collecting logs from your Java program.

magnusbaeck Could you suggest any methods?

  • Log as JSON to a file and use Filebeat to ship it. This is the most reliable method but makes a somewhat more complicated deployment.
  • Send logs as JSON via UDP.
  • Send logs as JSON via TCP.

Will try, thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.