[Droobfest]

so is it:

-Dlog4j.formatMsgNoLookups=true

or

-Dlog4j2.formatMsgNoLookups=true

? Every project seems to list one or the other, even this cheat-sheet seems to list both in a random way...

[LeifCarrotson]

Log4J version 1.x met end-of-life in 2015 [1]. Of course, that's only 6 years ago, so there are still projects out there running it. It would look for -Dlog4j.format... and would not know about -Dlog4j2.format... or, hypothetically, -Dlog4j3LTS.format...

Environment variables targeting Log4J version 2.x should get the prefix "log4j2.*" [2] so the latter is correct.

In the end it doesn't really matter if you declare an environment variable that's never read, so you could define both if you're not sure which version of Log4J is used in your stack.

[1] https://logging.apache.org/log4j/1.2/

[2] https://logging.apache.org/log4j/2.x/

[darkarmani]

Old versions of ElasticSearch that people still use and Livy uses 1.x.

[Droobfest]

Replying to myself but I guess it's the second one.

https://github.com/apache/logging-log4j2/blob/04637dd9102175...

[JackGreyhat]

Confirmed. Its the "log4j2.formatMsgNoLookups" property. Source: https://logging.apache.org/log4j/2.x/security.html