Logging blocked-by-istio communication (with service registry)

I have Istio 1.1.3 with mTLS and the service registry on a kubespray k8s cluster. I want to secure all outgoing traffic, hence I create service entries for each external service that my services want to talk to.

I would like to use the istio-proxy logs to see the blocked communication attempts for all sorts of traffic.

If I curl from within a container to a (blocked) http://google.com, I see 404 NR in the istio-proxy logs. curl also receives a 404, as expected.

If I change the call to use https and curl (still blocked) https://google.com, I see the curl error (35) Unknown SSL protocol error in connection to google.com:443, and nothing shows up in the istio-proxy logs (why nothing?).

How can I see all connection attempts in istio-proxy? I have a pretty convoluted bunch of services that make covert-ops outgoing calls, and I need to figure out what hostnames/IPs/ports they are trying to hit.

Mixer logs are only showing me the communication to the defined service entries. How do I see the ones that Istio is denying?
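One way to get at the first half of the question, pulling the denied attempts out of whatever the sidecar does log, is to parse the istio-proxy access log and flag the entries that carry the `NR` (no route) response flag or were sent to the `BlackHoleCluster`. The script below is an added example, not code from the thread or from the Istio project. It assumes the field order of Istio 1.1's default Envoy access log format (request line, status, response flags, then the quoted mixer status, X-Forwarded-For, User-Agent, request id, authority and upstream host, followed by the upstream cluster); the sample log lines are constructed for illustration, including a fourth line that shows what a BlackHoleCluster entry would look like if the proxy emitted one for non-HTTP traffic. Whether it does in the poster's setup is exactly what the thread is asking, so the parser only reports such lines when they are present.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the shape of Istio 1.1's default access log format.
# Hosts, addresses and request ids are made up for this example.
SAMPLE_LOG = """\
[2019-05-01T10:00:00.000Z] "GET / HTTP/1.1" 404 NR "-" 0 0 0 - "-" "curl/7.58.0" "1111-aaaa" "google.com" "-" - - 10.244.1.5:39188 -
[2019-05-01T10:00:01.000Z] "GET /v1/items HTTP/1.1" 200 - "-" 0 512 12 11 "-" "curl/7.58.0" "2222-bbbb" "api.example.com" "93.184.216.34:443" outbound|443||api.example.com 10.244.1.5:40112 93.184.216.34:443 10.244.1.5:40110 -
[2019-05-01T10:00:02.000Z] "GET /status HTTP/1.1" 200 - "-" 0 135 5 2 "-" "curl/7.58.0" "3333-cccc" "httpbin:8000" "10.244.2.7:80" outbound|8000||httpbin.default.svc.cluster.local 10.244.1.5:41000 10.244.2.7:80 10.244.1.5:40998 -
[2019-05-01T10:00:03.000Z] "- - -" 0 - "-" 0 0 0 - "-" "-" "-" "-" "-" BlackHoleCluster - 10.244.1.5:42000 - -
"""

# Leading part of every line: [timestamp] "request line" status flags <rest>
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<code>\S+) (?P<flags>\S+) (?P<rest>.*)$'
)
QUOTED_RE = re.compile(r'"([^"]*)"')


@dataclass
class Attempt:
    timestamp: str
    request: str
    status: str
    flags: List[str]
    authority: str
    upstream_host: str
    upstream_cluster: str


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    quoted = list(QUOTED_RE.finditer(rest))
    # Assumed field order after the flags: "mixer status", byte/duration counters,
    # "xff" "user-agent" "request-id" "authority" "upstream host" upstream-cluster ...
    if len(quoted) < 6:
        return None
    authority = quoted[4].group(1)
    upstream_host = quoted[5].group(1)
    after_host = rest[quoted[5].end():].split()
    upstream_cluster = after_host[0] if after_host else "-"
    flags = [] if m.group("flags") == "-" else m.group("flags").split(",")
    return Attempt(
        timestamp=m.group("ts"),
        request=m.group("req"),
        status=m.group("code"),
        flags=flags,
        authority=authority,
        upstream_host=upstream_host,
        upstream_cluster=upstream_cluster,
    )


def is_blocked(a: Attempt) -> bool:
    """NR means Envoy found no route; BlackHoleCluster is the sink for unknown destinations."""
    return "NR" in a.flags or a.upstream_cluster == "BlackHoleCluster"


def blocked_attempts(log_text: str) -> List[Attempt]:
    """Return only the log entries that the proxy refused to forward."""
    out = []
    for line in log_text.splitlines():
        a = parse_line(line)
        if a is not None and is_blocked(a):
            out.append(a)
    return out


def summarize(log_text: str) -> Dict[str, int]:
    """Count blocked attempts per destination (authority, falling back to upstream host).

    A '-' key means the log line carried no hostname at all, which is what a
    raw TCP/TLS entry looks like: the proxy never saw an HTTP Host header.
    """
    counts: Dict[str, int] = {}
    for a in blocked_attempts(log_text):
        dest = a.authority if a.authority != "-" else a.upstream_host
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    for a in blocked_attempts(SAMPLE_LOG):
        print(a.timestamp, a.request, a.status, ",".join(a.flags) or "-",
              a.authority, a.upstream_cluster)
    print(summarize(SAMPLE_LOG))
```

In practice you would feed it `kubectl logs <pod> -c istio-proxy` output instead of `SAMPLE_LOG`. The summary makes the limitation in the question visible: an HTTP denial yields the hostname from the `:authority` header, while a denied TLS connection, if it is logged at all, shows up with no hostname, because the sidecar only sees an opaque byte stream.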

Based on your problem statement, have you considered using an egress gateway instead of multiple service entries? I think that approach might be better for what you describe.
To learn more, you can take a look at the blog post by @vadimeisenbergibm on secure control of egress traffic: https://preliminary.istio.io/blog/2019/egress-traffic-control-in-istio-part-1/
Part 2 is still WIP, but it includes links to the related tasks you need to complete. You can take a look either at PR 4232 or at the rendered content.
@mstrz I hope you find the information useful.

Thank you @rcaballeromx! I have looked at egress already; I was going to do a 1-2-3 (increasing complexity) approach via:

  1. just get service entries to work (works, but I don't see blocked non-HTTP requests, which is painful)
  2. allow my Java apps to use configured keystores/truststores to make connections, and let Istio treat them as TLS passthrough on the way out through egress (will I see the blocked TLS calls then?)
  3. purge all keystores from the Java apps and apply mTLS on egress via TLS origination

I would be happy, for the time being, with “1” (if it provided logging, but it doesn't).
Will “2” or “3” give me the blocked TLS calls logged?