[ https://issues.apache.org/jira/browse/LOG4J2-2988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17260491#comment-17260491 ]

Gary D. Gregory commented on LOG4J2-2988:
-----------------------------------------

Log4j already supports the notion of a "watch interval" for its configuration 
file. Each appender could decide to support this for additional files. We would 
not need to add a new setting which is a bonus. 

If the reconnector creates a new connection, I would expect it to use a fresh 
read from disk for these additional configuration files.

> SocketAppender is not able to reload key and certs
> --------------------------------------------------
>
>                 Key: LOG4J2-2988
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2988
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Appenders
>    Affects Versions: 2.13.3
>         Environment: java version, 11.0.9+11
> Log4j2 2.13.3
>            Reporter: Yi
>            Priority: Major
>
> Hi,
> We try to use log4j2 with SocketAppender and SSL configuration to stream our 
> logs to a dedicated server side. We use mTLS to establish a TLS connection 
> between the Log4j2 and the log server. In other words, there is a client key 
> pair and certificate. In our environment, our client certificate is short 
> lived and the client key and certificate are automatically renewed 
> periodically. And the client credentials are provided within a jks file.
> However, we discovered a problem: Log4j2 is not able to reload the key 
> and certificate once they are renewed, either with an update of the current 
> jks file, or by switching to another jks file.
> We have tried to set monitor-interval in the Configuration part, periodically 
> modify the log4j2 configuration file (e.g., update keystore file path, update 
> appender name etc.), and even invoke reconfiguration in our code, but 
> unfortunately the key and certificate are not reloaded correctly.
> We understand Log4j2 SslSocketManager and its parent TcpSocketManager 
> basically keep a long-lived connection with the server and do not start a 
> new connection if the current one works fine. We observe the problem that 
> once the server tears down the connection, Log4j2 is not able to re-establish a 
> connection due to the outdated client certificate.
>  
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
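The behaviour the comment expects, a fresh read of the keystore from disk when the reconnector opens a new connection, written out as an added illustration (this is not Log4j's code; `ReloadingSslContextSource` and `contextForReconnect` are hypothetical names, and the paths, passwords and the caller that invokes it on reconnect are assumed):

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: rebuilds the SSLContext from the JKS files whenever the keystore on disk changed. */
public final class ReloadingSslContextSource {
    private final Path keyStorePath;
    private final char[] keyStorePassword;
    private final Path trustStorePath;
    private final char[] trustStorePassword;
    private long lastSeenKeyStoreMtime = -1L;   // mtime of the keystore the cached context was built from
    private SSLContext cached;

    public ReloadingSslContextSource(Path keyStorePath, char[] keyStorePassword,
                                     Path trustStorePath, char[] trustStorePassword) {
        this.keyStorePath = keyStorePath;
        this.keyStorePassword = keyStorePassword;
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword;
    }

    /** Intended to be called by the reconnect path before each new TLS handshake (assumed call site). */
    public synchronized SSLContext contextForReconnect() throws IOException, GeneralSecurityException {
        long mtime = Files.getLastModifiedTime(keyStorePath).toMillis();
        if (cached == null || mtime != lastSeenKeyStoreMtime) {
            cached = build();               // renewed client key/cert picked up here
            lastSeenKeyStoreMtime = mtime;
        }
        return cached;
    }

    private SSLContext build() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keyStorePath)) { ks.load(in, keyStorePassword); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) { ts.load(in, trustStorePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

A new SSLContext per reload also discards the old context's cached TLS sessions, so the next handshake presents the renewed certificate rather than resuming with the expired one; an mtime check alone misses an overwrite within the same timestamp granularity, so a checksum of the file is a stricter trigger.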