Scott, Any update on this? We are being pinged again.
Ralph > On Nov 7, 2020, at 3:48 PM, Scott Deboy <scott.de...@gmail.com> wrote: > > If I recall correctly, log4cxx supports the log4j xml format over tcp. > > Scott > > On Sat, Nov 7, 2020, 11:49 AM Matt Sicker <boa...@gmail.com> wrote: > >> It would limit the supported classes to a safe allowlist. Ideally, we >> should be using both standardized logging formats (including de facto >> standards like GELF) as well as developing a proper binary logging >> format proposed a few years ago. >> >> On Sat, 7 Nov 2020 at 13:45, Robert Middleton <osfan6...@gmail.com> wrote: >>> >>> Would this be a total removal of the Java deserialization? I ask >>> because I think I've used that before with log4cxx to send log >>> messages to chainsaw. >>> >>> Alternatively, I guess the better question is "should chainsaw support >>> structured log messages input?" I know that there was something about >>> log4j2 supporting GELF a while ago - perhaps that could be a good >>> standard for sending log messages? >>> >>> -Robert Middleton >>> >>> On Sat, Nov 7, 2020 at 12:27 PM Matt Sicker <boa...@gmail.com> wrote: >>>> >>>> Any use of deserialization over the network (or from untrusted input >>>> sources in general) should use an allowlist of deserializable classes. >>>> That's what we did in log4j2's serialized log event receiver code a >>>> few years ago, for example: >>>> https://github.com/apache/logging-log4j2/commit/5dcc192 >>>> (CVE-2017-5646). >>>> >>>> On Sat, 7 Nov 2020 at 11:12, Scott Deboy <scott.de...@gmail.com> >> wrote: >>>>> >>>>> I assume reverse-connect is still fine (SocketHubAppender/Receiver), >>>>> as Chainsaw is being configured to reach a specific (assumed trusted) >>>>> endpoint, yes? >>>>> >>>>> >>>>> >>>>> On 11/6/20, Scott Deboy <scott.de...@gmail.com> wrote: >>>>>> Holy cow. February? >>>>>> >>>>>> I have zero problem with us nuking the object serialization >> receiver >>>>>> support. I think the vfs receiver is the way to go, still works >> great. >>>>>> >>>>>> I can remove the code in Chainsaw master. >>>>>> >>>>>> Hope all are well, good to hear from you! >>>>>> >>>>>> Scott >>>>>> >>>>>> On Fri, Nov 6, 2020, 7:53 PM Ralph Goers < >> ralph.go...@dslextreme.com> >>>>>> wrote: >>>>>> >>>>>>> Great to hear from you again! I don’t know if you saw it but >> there is a >>>>>>> Chainsaw related email on Feb 12 of this year in the private list >> that >>>>>>> you >>>>>>> should take a look at if you are planning on doing some work on >> Chainsaw. >>>>>>> >>>>>>> Ralph >>>>>>> >>>>>>>> On Nov 6, 2020, at 5:57 PM, Scott Deboy <scott.de...@gmail.com> >> wrote: >>>>>>>> >>>>>>>> Hey all, >>>>>>>> >>>>>>>> Long time. >>>>>>>> >>>>>>>> I decided to work through the pom ugliness and a couple of swing >>>>>>>> degradation issues in Chainsaw. >>>>>>>> >>>>>>>> I found an ASL2 Mac dmg creation maven plugin, and it works >> well on my >>>>>>>> Mac, if anyone cares to try it out please do. >>>>>>>> >>>>>>>> Pushing changes to master shortly. >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>
