Log Resolving

Hello to everyone,

I'm trying to insert Unbound logs into ELK for analytics and attack prevention.

I would like to log whether an entry is in the cache or not, and which resolver is used (if it's not cached).

Is there a way to do it?

Regards

digitel

Via della Fortezza 6 - 50129 Firenze

www.digitelitalia.com - 800 901 669

Ing. Lorenzo Mainardi

Tel +39 055 4624933

Fax +39 055 4624 947

lom@digitelitalia.com

Hi Lorenzo,

Not easily. You can set verbosity very high (level 5) and parse the
logfile of unbound. You can see which queries are not answered from
cache, because it will start the iterator for that query. You can also
see which upstream servers are used to retrieve the information.

Verbosity 2 may also give the information you seek, but much more condensed.

Best regards, Wouter

> Verbosity 2 may also give the information you seek, but much more condensed.

Can I find some documentation about "verbosity 2" log format?

Hi Lorenzo,

>> Verbosity 2 may also give the information you seek, but much more condensed.
>
> Can I find some documentation about "verbosity 2" log format?

There isn't really documentation on the format. Here is an example lookup (I
shortened the lines for easier viewing), and I added the ;; between
lines to separate out the different parts of a single lookup.

notice: init module 0: validator
notice: init module 1: iterator
;;
info: resolving nlnetlabs.nl. A IN
;;
info: priming . IN NS
;;
info: response for . NS IN
info: reply from <.> 202.12.27.33#53
info: query response was ANSWER
;;
info: priming successful for . NS IN
;;
info: response for nlnetlabs.nl. A IN
info: reply from <.> 192.58.128.30#53
info: query response was REFERRAL
;;
info: response for nlnetlabs.nl. A IN
info: reply from <nl.> 2a00:1188:5::212#53
info: query response was REFERRAL
;;
info: response for nlnetlabs.nl. A IN
info: reply from <nlnetlabs.nl.> 2a04:b900::8:0:0:60#53
info: query response was ANSWER

The line with 'resolving ...' means that this was a cache miss and it
is going to look up this query.

The response for <name> reply from <server> query response was <type>
are sequences of lines that belong together. They tell you what is
happening to the query. You probably want to see the type ANSWER
response, the last one. And see that the server for the domain
nlnetlabs.nl and its IP address (and #port number) answered for it. If
there are errors a response with type ANSWER may never occur in the logs.

Best regards, Wouter
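The two replies above describe how to read the verbosity-2 output (the 'resolving' line marks a cache miss; the 'response for' / 'reply from' / 'query response was' triplets show which upstream servers were asked and which one gave the final ANSWER) but leave the parsing to the reader. The following Python script is an added example, not code from the thread or from the Unbound project. It groups such lines into lookups and flattens them into documents that could be shipped to ELK. The log lines are constructed: they reproduce the shape of Wouter's sample with an assumed syslog-style prefix (`unbound[1234:0]`) and add a second, made-up lookup that never reaches an ANSWER, to show the error case Wouter mentions. It assumes a single-threaded, sequential log; with several worker threads interleaving output you would additionally have to key on the thread id in the prefix.

```python
import json
import re

# Constructed sample (not captured from a real resolver). The first lookup
# mirrors Wouter's example above; the second is an invented failing lookup
# that gets a REFERRAL but never an ANSWER. Prefix is an assumed syslog style.
PREFIX = "Jan  1 12:00:01 resolver unbound[1234:0] "
SAMPLE_LOG = "\n".join(PREFIX + line for line in [
    "notice: init module 0: validator",
    "notice: init module 1: iterator",
    "info: resolving nlnetlabs.nl. A IN",
    "info: priming . IN NS",
    "info: response for . NS IN",
    "info: reply from <.> 202.12.27.33#53",
    "info: query response was ANSWER",
    "info: priming successful for . NS IN",
    "info: response for nlnetlabs.nl. A IN",
    "info: reply from <.> 192.58.128.30#53",
    "info: query response was REFERRAL",
    "info: response for nlnetlabs.nl. A IN",
    "info: reply from <nl.> 2a00:1188:5::212#53",
    "info: query response was REFERRAL",
    "info: response for nlnetlabs.nl. A IN",
    "info: reply from <nlnetlabs.nl.> 2a04:b900::8:0:0:60#53",
    "info: query response was ANSWER",
    "info: resolving broken.example. A IN",          # constructed failure case
    "info: response for broken.example. A IN",
    "info: reply from <.> 192.58.128.30#53",
    "info: query response was REFERRAL",
])

# Patterns are anchored at the end only, so any syslog/journal prefix is fine.
RESOLVING = re.compile(r"info: resolving (\S+) (\S+) (\S+)$")        # name type class
PRIMING = re.compile(r"info: priming (\S+) (\S+) (\S+)$")            # name CLASS TYPE
RESPONSE_FOR = re.compile(r"info: response for (\S+) (\S+) (\S+)$")  # name type class
REPLY_FROM = re.compile(r"info: reply from <([^>]*)> (\S+)#(\d+)$")  # zone addr#port
RESPONSE_WAS = re.compile(r"info: query response was (\S+)$")


def _new_lookup(name, qtype, qclass, kind):
    return {"name": name, "qtype": qtype, "qclass": qclass, "kind": kind,
            "cache_miss": True,   # only misses ever reach the iterator log lines
            "responses": [], "answered_by": None, "outcome": None}


def parse_unbound_log(text):
    """Group verbosity-2 lines into lookups, one dict per cache miss/priming."""
    lookups, by_key, current = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := RESOLVING.search(line):
            name, qtype, qclass = m.groups()
            rec = _new_lookup(name, qtype, qclass, "resolving")
        elif m := PRIMING.search(line):
            name, qclass, qtype = m.groups()   # priming lines swap class and type
            rec = _new_lookup(name, qtype, qclass, "priming")
        elif m := RESPONSE_FOR.search(line):
            current = by_key.get(m.groups())   # (name, qtype, qclass)
            if current is not None:
                current["responses"].append(
                    {"zone": None, "server": None, "port": None, "result": None})
            continue
        elif (m := REPLY_FROM.search(line)) and current and current["responses"]:
            zone, server, port = m.groups()
            current["responses"][-1].update(zone=zone, server=server, port=int(port))
            continue
        elif (m := RESPONSE_WAS.search(line)) and current and current["responses"]:
            result = m.group(1)
            current["responses"][-1]["result"] = result
            current["outcome"] = result
            if result == "ANSWER":   # the server that finally answered the query
                current["answered_by"] = current["responses"][-1]["server"]
            continue
        else:
            continue               # notice lines, priming successful, etc.
        lookups.append(rec)
        by_key[(rec["name"], rec["qtype"], rec["qclass"])] = rec
    return lookups


def to_elk_documents(lookups):
    """Flatten each lookup into one JSON-serialisable document for indexing."""
    return [{
        "query": f"{l['name']} {l['qtype']} {l['qclass']}",
        "kind": l["kind"],
        "cache_miss": l["cache_miss"],
        "upstream_servers": [r["server"] for r in l["responses"] if r["server"]],
        "answered_by": l["answered_by"],     # None when no ANSWER was ever logged
        "outcome": l["outcome"],
    } for l in lookups]


if __name__ == "__main__":
    for doc in to_elk_documents(parse_unbound_log(SAMPLE_LOG)):
        print(json.dumps(doc))
```

Because a cache hit produces no 'resolving' line at this verbosity, the parser can only assert misses; to count hits you would correlate against the query log (or Unbound's statistics counters) rather than this output.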