How to turn off ESAPI logs or change its log level

[raine93]

I am using ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in ESAPI.properties.

In my web application, I have log4j-api-2.17.1.jar, log4j-core-2.17.1.jar, log4j-slf4j-impl-2.17.1.jar and slf4j-api-1.7.36.jar with a log4j2.xml

The ESAPI logs I manage to see in my web application logs. But when I want to change the ESAPI log level to off it will still show ERROR log.

This is part of my log4j2.xml configuration:

 <Loggers>
        
        <Logger name="org.owasp.esapi" level="off" additivity="false"/>

        <Root level="all">
            <AppenderRef ref="myappLog"  level="INFO" />
        </Root>
        
</Loggers>

The ESAPI logs will still write to myappLog even though I set level to off. When I print out the Fully Qualified Class Name (FQCN) in the log line, the ESAPI log shows:

ERROR : org.owasp.esapi.logging.slf4j.Slf4JLogLevelHandlers$1 - [SECURITY FAILURE Anonymous:@unknown -....

If I log down the FQCN and method name (FQCN|methodname), it will show like this:
ERROR : org.owasp.esapi.logging.slf4j.Slf4JLogLevelHandlers$1|IntrusionException.log() - [SECURITY FAILURE Anonymous:@unknown -....

I did try putting this in log4j2.xml:

<Logger name="org.owasp.esapi.logging.slf4j.Slf4JLogLevelHandlers$1" level="off" additivity="false"/>

but it still does not work

[raine93]

When I set trace level to debug log4j2.xml, I see this log line "TRACE Log4jLoggerFactory.getContext() found anchor class org.owasp.esapi.logging.slf4j.Slf4JLogFactory"

[jeremiahjstacey]

https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java

    @Override
    public Logger getLogger(String moduleName) {
        org.slf4j.Logger slf4JLogger = LoggerFactory.getLogger(moduleName);
        return new Slf4JLogger(slf4JLogger, LOG_BRIDGE, Logger.ALL);
    }

    @Override
    public Logger getLogger(@SuppressWarnings("rawtypes") Class clazz) {
        org.slf4j.Logger slf4JLogger = LoggerFactory.getLogger(clazz);
        return new Slf4JLogger(slf4JLogger, LOG_BRIDGE, Logger.ALL);
    }

The ESAPI logger is not acting as the originator/owner of the logs. It is working as a decorator to add context to the log being provided from another source. Mute the source, and the logs should follow suit

The LogFactories look up the delegate log based on the module name that is doing the logging, then prefix ESAPI information to that.

I believe if you configure the log appenders for the original classes you'll see the results you're looking for.

[raine93]

Can you give an example on how to do that? Like IntrusionException? And turning off all the esapi logs

https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/logging/slf4j/Slf4JLogFactory.java

    @Override
    public Logger getLogger(String moduleName) {
        org.slf4j.Logger slf4JLogger = LoggerFactory.getLogger(moduleName);
        return new Slf4JLogger(slf4JLogger, LOG_BRIDGE, Logger.ALL);
    }

    @Override
    public Logger getLogger(@SuppressWarnings("rawtypes") Class clazz) {
        org.slf4j.Logger slf4JLogger = LoggerFactory.getLogger(clazz);
        return new Slf4JLogger(slf4JLogger, LOG_BRIDGE, Logger.ALL);
    }

The ESAPI logger is not acting as the originator/owner of the logs. It is working as a decorator to add context to the log being provided from another source. Mute the source, and the logs should follow suit

The LogFactories look up the delegate log based on the module name that is doing the logging, then prefix ESAPI information to that.

I believe if you configure the log appenders for the original classes you'll see the results you're looking for.

[jeremiahjstacey]

using your syntax from the original post:

 <Loggers>        
        <Logger name="org.owasp.esapi" level="off" additivity="false"/>
        <Root level="all">
            <AppenderRef ref="myappLog"  level="INFO" />
        </Root>        
</Loggers>

Change the line <Logger name="org.owasp.esapi" level="off" additivity="false"/>
to target your class/package that is actually calling the SLF4J log methods.
EG:
<Logger name="com.myorg.mypackage" level="off" additivity="false"/>

You need to know the true source of the log event.

---

As a (rough) example:
I have a class com.wizbang.logsample.SimpleLogContent.java
In this class, I'm using ESAPI with the SLF4JLogger configured, and I perform logging invocations.

Logger logger = ESAPI.getLogger(SimpleLogContent.getClass.getName());

I decide I no longer want logs from the SimpleLogContent class so I update my log4j2.xml

 <Loggers>        
        <Logger name="com.wizbang.logsample" level="off" additivity="false"/>
        <Root level="all">
            <AppenderRef ref="myappLog"  level="INFO" />
        </Root>        
</Loggers>

I should no longer get logs from any class in the package com.wizbang.logsample

[raine93]

Thanks for the example. But I still want my class logs to be written, just not the esapi logs. Like IntrusionException, I write my own logging but the logs will come out esapi error log and my own logging

using your syntax from the original post:

 <Loggers>        
        <Logger name="org.owasp.esapi" level="off" additivity="false"/>
        <Root level="all">
            <AppenderRef ref="myappLog"  level="INFO" />
        </Root>        
</Loggers>

Change the line <Logger name="org.owasp.esapi" level="off" additivity="false"/> to target your class/package that is actually calling the SLF4J log methods. EG: <Logger name="com.myorg.mypackage" level="off" additivity="false"/>

You need to know the true source of the log event.

As a (rough) example: I have a class com.wizbang.logsample.SimpleLogContent.java In this class, I'm using ESAPI with the SLF4JLogger configured, and I perform logging invocations.

Logger logger = ESAPI.getLogger(SimpleLogContent.getClass.getName());

I decide I no longer want logs from the SimpleLogContent class so I update my log4j2.xml

 <Loggers>        
        <Logger name="com.wizbang.logsample" level="off" additivity="false"/>
        <Root level="all">
            <AppenderRef ref="myappLog"  level="INFO" />
        </Root>        
</Loggers>

I should no longer get logs from any class in the package com.wizbang.logsample

[jeremiahjstacey]

You can configure the ESAPI.properties to show/hide certain aspects of the prefix behavior from ESAPI.properties

#===========================================================================
# ESAPI Logging
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ExampleApplication
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
Logger.LogEncodingRequired=false
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=true
# Determines whether ESAPI should log the user info.
Logger.UserInfo=true
# Determines whether ESAPI should log the session id and client IP.
Logger.ClientInfo=true

# Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME].
# If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used
Logger.LogPrefix=true

Toggling these values will trim some of the esapi-specific prefix information from the log behavior.

[jeremiahjstacey]

I write my own logging but the logs will come out esapi error log and my own logging

You could also not duplicate the logs by using your logger or the ESAPI Logger?

If you don't want the ESAPI logs for your classes, then don't use the ESAPI Logger. If you're using ESAPI, then the ESAPI classes will still log (since that's a part of the utility of the library).

If you don't want the utility of the library then I wonder if you should perhaps not be using the library in your project.

[raine93]

Manage to solve it using custom logger. Thanks for the help

[kwwall]

Let's move this to the Discussion list (even though it's already closed), so that others can benefit from the feedback. ESAPI users are more likely to search for questions like this there rather than in the GitHub issues because this really isn't a bug or feature enhancement request.

…

On Thu, Jan 9, 2025, 11:25 PM PQ C ***@***.***> wrote: Manage to solve it using custom logger. Thanks for the help — Reply to this email directly, view it on GitHub <#867 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO6PG6UNPDC5PSX5ETRHS32J5DSRAVCNFSM6AAAAABU3VFDJGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOBRG4YTKNZQGA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>