Company
Date Published
Author
Jordan Sissel
Word count
548

Summary

Earlier this week, a security flaw was identified in Apache Log4j version 2 that could allow remote code execution through object deserialization within the JVM process. The Log4j plugin ships with a default Logstash installation but is not enabled by default, so users who have not explicitly configured it are unaffected. Although current exploits do not affect default Logstash deployments, the Elastic Security Team acknowledges that the exposure is inherent: Logstash acts as an endpoint for log data from various sources, which makes it impractical to secure completely. Elastic has therefore patched Log4j in Logstash and deprecated the Log4j input, and advises users to replace Log4j's SocketAppender with Filebeat for safer log transport. The change is intended to eliminate the security risks associated with object deserialization, and Log4j support will be removed in Logstash 6.0. Elastic thanks Marcio Almeida de Macedo for bringing this issue to its attention.
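Because only deployments that explicitly configure the Log4j input are exposed, a quick audit of pipeline and appender configuration shows where migration to Filebeat is needed. The script below is an added example, not code from Elastic or the original post; the function names, the sample configurations and the properties-style Log4j file layout are assumptions made for illustration.

```python
import re

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_PIPELINE = '''
input {
  beats { port => 5044 }
  # log4j { port => 4560 }   commented out: must not be reported
  log4j {
    port => 4560
  }
}
filter { mutate { add_tag => ["log4j"] } }
'''
SAMPLE_PROPERTIES = '''
log4j.rootLogger=INFO, file, logstash
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.logstash=org.apache.log4j.net.SocketAppender
log4j.appender.logstash.RemoteHost=logs.example.internal
# log4j.appender.old=org.apache.log4j.net.SocketAppender
'''

# Quoted strings, comments, braces, newlines and bare words of a pipeline file.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{}\n]|[A-Za-z_][\w-]*')
APPENDER = re.compile(r'^\s*log4j\.appender\.([\w-]+)\s*[=:]\s*\S*SocketAppender\s*$')

def find_log4j_inputs(pipeline_text):
    """Return line numbers where a log4j plugin is declared inside input { }."""
    hits, depth, section, prev, line = [], 0, None, None, 1
    for match in TOKEN.finditer(pipeline_text):
        tok = match.group(0)
        line += tok.count("\n")  # newline tokens and multi-line strings
        if tok == "{":
            if depth == 0:
                section = prev[0] if prev else None  # input / filter / output
            elif depth == 1 and section == "input" and prev and prev[0] == "log4j":
                hits.append(prev[1])
            depth += 1
        elif tok == "}":
            depth -= 1
        if tok[0].isalpha() or tok[0] == "_":
            prev = (tok, line)  # candidate section or plugin name
        elif tok.strip() and tok[0] != "#":
            prev = None  # a brace or string ends the candidate name
    return hits

def find_socket_appenders(properties_text):
    """Return names of appenders whose class is a SocketAppender."""
    found = (APPENDER.match(l) for l in properties_text.splitlines())
    return [m.group(1) for m in found if m]
```

A non-empty result from `find_log4j_inputs` marks a pipeline that still accepts serialized objects from the network; each name returned by `find_socket_appenders` is a sender to move to file logging shipped by Filebeat.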