How to filter log entries of my app?

[Kukulkano]

Hi,
my app is using Let's Encrypt certificates, but some error messages appear without being errors on my side and I want to stop my application from logging that. Thus, I want to filter log messages beginning with:

http: TLS handshake error from

This happens if requesting software does not support TLS1.2 or 1.3 or accessing my site using IP directly (not with domain name). This is all attackers, scanners and bots. Not my clients.

So far I do not use any logger middleware (except for debugging). Thus I use the default logger established after echo instance was created. It logs to regular log (stdout) and I inspect it with journalctl (I run as a systemd daemon).

How can I stop it from logging messages beginning with http: TLS handshake error from? But keep the rest?

[aldas]

I think those messages are logged by http server logger. You could try to set http.Server.ErrorLog or global logger to discard input

log.SetOutput(ioutil.Discard)

This is how you can setErrorLog

func main() {
	e := echo.New()
	s := http.Server{
		Addr: ":8082",
		Handler: e,
		ErrorLog: nil, // set here logger to no-op logger
	}
	if err := s.ListenAndServe(); err != http.ErrServerClosed {
		log.Fatal(err)
	}
}

and here is example for autoTLS with http.Server https://echo.labstack.com/cookbook/auto-tls/#server check customHTTPServer function

[Kukulkano]

Thanks aldas, but what you suggest will stop ALL logging. I still want to get all other errors and warnings from http module. I just want to filter a specific message ("http: TLS handshake error from...").

Your link to customHTTPServer from echo is having the same issue than I have. I built my solution on this example...

Can I replace the existing logger with some custom logger that allows me to filter before output?

This is how my log currently looks like:

Jul 19 11:39:55 dc1-sirius vaccinator[29467]: 2021/07/19 11:39:55 http: TLS handshake error from 193.46.255.150:36262: acme/autocert: missing server >
Jul 19 11:43:22 dc1-sirius vaccinator[29467]: 2021/07/19 11:43:22 http: TLS handshake error from 192.241.198.76:48858: acme/autocert: host "162.55.21>
Jul 19 11:50:45 dc1-sirius vaccinator[29467]: 2021/07/19 11:50:45 http: TLS handshake error from 69.4.89.106:42026: acme/autocert: missing server name
Jul 19 11:59:18 dc1-sirius vaccinator[29467]: 2021/07/19 11:59:18 http: TLS handshake error from 69.4.87.74:43402: acme/autocert: missing server name
Jul 19 12:39:31 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:31 http: TLS handshake error from 192.241.211.143:50392: acme/autocert: host "162.55.2>
Jul 19 12:39:31 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:31 http: TLS handshake error from 192.241.211.143:51154: acme/autocert: host "162.55.2>
Jul 19 12:39:32 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:32 http: TLS handshake error from 192.241.211.143:51898: acme/autocert: host "162.55.2>
Jul 19 12:39:36 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:36 http: TLS handshake error from 192.241.211.143:55766: acme/autocert: host "162.55.2>
Jul 19 12:39:36 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:36 http: TLS handshake error from 192.241.211.143:38480: acme/autocert: host "162.55.2>
Jul 19 12:39:36 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:36 http: TLS handshake error from 192.241.211.143:39666: tls: client offered only unsu>
Jul 19 12:39:37 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:37 http: TLS handshake error from 192.241.211.143:40830: acme/autocert: host "162.55.2>
Jul 19 12:39:37 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:37 http: TLS handshake error from 192.241.211.143:41876: acme/autocert: host "162.55.2>
Jul 19 12:39:37 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:37 http: TLS handshake error from 192.241.211.143:42826: acme/autocert: host "162.55.2>
Jul 19 12:39:38 dc1-sirius vaccinator[29467]: 2021/07/19 12:39:38 http: TLS handshake error from 192.241.211.143:43764: acme/autocert: host "162.55.2>
Jul 19 13:43:46 dc1-sirius vaccinator[29467]: 2021/07/19 13:43:46 http: TLS handshake error from 193.118.53.194:43598: acme/autocert: missing server >
Jul 19 13:56:12 dc1-sirius vaccinator[29467]: 2021/07/19 13:56:12 http: TLS handshake error from 185.220.101.138:2054: acme/autocert: missing server >
Jul 19 14:22:26 dc1-sirius vaccinator[29467]: 2021/07/19 14:22:26 http: TLS handshake error from 162.221.192.90:34302: acme/autocert: missing server >
Jul 19 14:33:34 dc1-sirius vaccinator[29467]: 2021/07/19 14:33:34 http: TLS handshake error from 62.225.0.139:53552: acme/autocert: missing server na>
Jul 19 14:33:57 dc1-sirius vaccinator[29467]: 2021/07/19 14:33:57 http: TLS handshake error from 62.225.0.139:52149: acme/autocert: missing server na>
Jul 19 16:06:59 dc1-sirius vaccinator[29467]: 2021/07/19 16:06:59 http: TLS handshake error from 157.230.3.2:36112: acme/autocert: missing server name
Jul 19 17:34:53 dc1-sirius vaccinator[29467]: 2021/07/19 17:34:53 http: TLS handshake error from 193.118.53.202:33218: acme/autocert: missing server >
Jul 19 18:23:34 dc1-sirius vaccinator[29467]: 2021/07/19 18:23:34 http: TLS handshake error from 45.61.146.198:64458: EOF
Jul 19 20:32:25 dc1-sirius vaccinator[29467]: 2021/07/19 20:32:25 http: TLS handshake error from 71.6.232.7:44742: acme/autocert: missing server name
Jul 19 21:17:12 dc1-sirius vaccinator[29467]: 2021/07/19 21:17:12 http: TLS handshake error from 87.251.75.145:65056: tls: first record does not look>
Jul 19 21:32:54 dc1-sirius vaccinator[29467]: 2021/07/19 21:32:54 http: TLS handshake error from 152.32.172.182:47500: acme/autocert: missing server >
Jul 19 21:32:54 dc1-sirius vaccinator[29467]: 2021/07/19 21:32:54 http: TLS handshake error from 152.32.172.182:48190: acme/autocert: missing server >
Jul 19 21:32:55 dc1-sirius vaccinator[29467]: 2021/07/19 21:32:55 http: TLS handshake error from 152.32.172.182:48894: tls: first record does not loo>
Jul 19 21:32:55 dc1-sirius vaccinator[29467]: 2021/07/19 21:32:55 http: TLS handshake error from 152.32.172.182:49632: EOF
Jul 19 21:33:52 dc1-sirius vaccinator[29467]: 2021/07/19 21:33:52 http: TLS handshake error from 154.89.5.18:52556: acme/autocert: missing server name
Jul 19 21:34:35 dc1-sirius vaccinator[29467]: 2021/07/19 21:34:35 http: TLS handshake error from 154.89.5.18:52520: acme/autocert: missing server name
Jul 19 21:35:28 dc1-sirius vaccinator[29467]: 2021/07/19 21:35:28 http: TLS handshake error from 152.32.172.182:23614: acme/autocert: missing server >
Jul 19 21:57:41 dc1-sirius vaccinator[29467]: 2021/07/19 21:57:41 http: TLS handshake error from 79.98.131.43:36557: read tcp 162.55.211.217:443->79.>
Jul 19 22:06:23 dc1-sirius vaccinator[29467]: 2021/07/19 22:06:23 http: TLS handshake error from 93.119.227.34:33932: acme/autocert: missing server n>
Jul 19 23:30:48 dc1-sirius vaccinator[29467]: 2021/07/19 23:30:48 http: TLS handshake error from 93.119.227.91:33326: acme/autocert: missing server n>
Jul 19 23:50:40 dc1-sirius vaccinator[29467]: 2021/07/19 23:50:40 http: TLS handshake error from 193.118.53.194:47082: acme/autocert: missing server >
Jul 19 23:52:17 dc1-sirius vaccinator[29467]: 2021/07/19 23:52:17 http: TLS handshake error from 193.46.254.155:34124: acme/autocert: missing server >
Jul 20 00:07:15 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:15 http: TLS handshake error from 107.178.236.2:20430: read tcp 162.55.211.217:443->10>
Jul 20 00:07:15 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:15 http: TLS handshake error from 107.178.236.2:26976: read tcp 162.55.211.217:443->10>
Jul 20 00:07:15 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:15 http: TLS handshake error from 107.178.236.2:23199: read tcp 162.55.211.217:443->10>
Jul 20 00:07:16 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:16 http: TLS handshake error from 107.178.236.2:58545: read tcp 162.55.211.217:443->10>
Jul 20 00:07:16 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:16 http: TLS handshake error from 107.178.236.2:40677: read tcp 162.55.211.217:443->10>
Jul 20 00:07:16 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:16 http: TLS handshake error from 107.178.236.2:25377: tls: client offered only unsupp>
Jul 20 00:07:16 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:16 http: TLS handshake error from 107.178.236.2:35605: read tcp 162.55.211.217:443->10>
Jul 20 00:07:17 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:17 http: TLS handshake error from 107.178.236.2:23953: read tcp 162.55.211.217:443->10>
Jul 20 00:07:17 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:17 http: TLS handshake error from 107.178.236.2:47208: read tcp 162.55.211.217:443->10>
Jul 20 00:07:17 dc1-sirius vaccinator[29467]: 2021/07/20 00:07:17 http: TLS handshake error from 107.178.236.2:57868: read tcp 162.55.211.217:443->10>
Jul 20 00:55:48 dc1-sirius vaccinator[29467]: 2021/07/20 00:55:48 http: TLS handshake error from 192.241.223.47:39870: acme/autocert: host "162.55.21>
Jul 20 01:13:26 dc1-sirius vaccinator[29467]: 2021/07/20 01:13:26 http: TLS handshake error from 192.241.203.224:33836: acme/autocert: host "162.55.2>
Jul 20 01:30:31 dc1-sirius vaccinator[29467]: 2021/07/20 01:30:31 http: TLS handshake error from 93.119.227.19:37692: acme/autocert: missing server n>
Jul 20 01:38:37 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:37 http: TLS handshake error from 45.146.164.110:47844: acme/autocert: missing server >
Jul 20 01:38:37 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:37 http: TLS handshake error from 45.146.164.110:47922: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:41970: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:45822: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:47782: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:52262: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:59090: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:33568: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:39652: acme/autocert: missing server >
Jul 20 01:38:38 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:38 http: TLS handshake error from 45.146.164.110:45730: acme/autocert: missing server >
Jul 20 01:38:41 dc1-sirius vaccinator[29467]: 2021/07/20 01:38:41 http: TLS handshake error from 45.146.164.110:35838: acme/autocert: missing server >
Jul 20 03:12:56 dc1-sirius vaccinator[29467]: 2021/07/20 03:12:56 http: TLS handshake error from 185.202.1.82:9701: tls: first record does not look l>
Jul 20 03:12:56 dc1-sirius vaccinator[29467]: 2021/07/20 03:12:56 http: TLS handshake error from 185.202.1.82:10447: tls: first record does not look >
Jul 20 05:27:56 dc1-sirius vaccinator[29467]: 2021/07/20 05:27:56 http: TLS handshake error from 192.35.168.176:12718: acme/autocert: missing server >
Jul 20 06:28:58 dc1-sirius vaccinator[29467]: 2021/07/20 06:28:58 http: TLS handshake error from 23.251.102.74:59006: acme/autocert: missing server n>
Jul 20 07:02:47 dc1-sirius vaccinator[29467]: 2021/07/20 07:02:47 http: TLS handshake error from 185.180.143.7:35276: acme/autocert: missing server n>
Jul 20 07:49:59 dc1-sirius vaccinator[29467]: 2021/07/20 07:49:59 http: TLS handshake error from 159.65.153.71:55312: acme/autocert: host "162.55.211>
...

All of them are messages caused by scanners, robots and attacks who do either use the IP instead instead of the domain or do not support TLS1.2 or 1.3 or use incorrect TLS implementations. I want to get rid of these TLS Handshake error messages only. Other things should stay.

Here is the code.

[aldas]

You probably need to create wrapper implementing io.Writer interface so you can filter out stuff what is written by http.Server.ErrorLog

and assign that writer inside log.Logger to ErrorLog

	s = http.Server{
		Addr:    serverAddress,
		Handler: e, // set Echo as handler
		ErrorLog: log.New(new(YourCustomFilterWriter{}), "echo: ", 0), 
	}

[Kukulkano]

Thanks, I will try that!

[Kukulkano]

Okay, I solved it like this:

I created a file filterLogger.go with this content:

package main

import "fmt"

/*
This package contains the function that replaces the generic
logger used by go net/http. The reason is the need to filter a
few messages before writing to stdout. Otherwise, the log is
filled up with useless information about scanners and attackers
bad SSL usage behaviour.

It mainly filters all log entries beginning with
"echo: http: TLS handshake error from ..."

The rest is simply printed to stdout (ordinary log writer).
*/

// Filter all messages that start with this string
const toFilter = "echo: http: TLS handshake error from"

type filterLogger struct {
}

// Write implements the io.Writer functionality to be a replacement
// for the net/http logger.
func (w *filterLogger) Write(data []byte) (int, error) {
	out := string(data)
	if out[0:len(toFilter)] == toFilter {
		// Do not log this sort of messages
		return len(data), nil
	}
	fmt.Print(out)
	return len(data), nil
}

I then use it like this:

// this algorithms and ciphers ended in an A+ rating from SSLLabs
// test at https://www.ssllabs.com/ssltest/ (07/2021)
s = http.Server{
	Addr:     serverAddress,
	Handler:  e,                                       // set Echo as handler
	ErrorLog: log.New(new(filterLogger), "echo: ", 0), // use our own filtered log
	TLSConfig: &tls.Config{
		GetCertificate: autoTLSManager.GetCertificate,
		NextProtos:     []string{acme.ALPNProto},
		MinVersion:     tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
	},
}
fmt.Println("⇨ https server started on " + serverAddress)
sErr = s.ListenAndServeTLS("", "")

Of course, you have to do all the surrounding stuff...