Question on Unbound logging Best Practices

Hi team. We have an Unbound caching server that was set up by another
internal team. However, there is no logging enabled. I not only want this
enabled for troubleshooting internal name resolution issues, but also to
feed into a SIEM, and do other traffic analysis.

My questions (and I know every environment is different):

- Is there a "sizing guide" so one can ascertain how much disk space should
be allocated to the DNS caching host?

- I suppose this might be determined by the log verbosity, so with
verbosity: 1 or verbosity: 3, etc., how does this come into play?

- Is there anything else to consider other than just adding the #logfile
directive to the .conf file?

- To get the Unbound logs over to a syslog/SIEM, I suspect I will need to
use something like rsyslog - correct?

Thanks in advance for any help or advice

j dubbz via Unbound-users:

> - I suppose this might be determined by the log verbosity, so with
> verbosity: 1 or verbosity: 3, etc., how does this come into play?

we use
   do-daemonize: no
   logfile: ""
   log-queries: yes
   val-log-level: 2

That lets Unbound log the queries on stdout, which is fine for our low volume.
We run Unbound supervised by cr.yp.to/daemontools.html. There, the stdout of one process is fed into
a separate process, "multilog". That one is configured to write logs of fixed size and number
to /dev/shm. So we have a small amount of "the current and last queries" accessible.

Andreas
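
Added example, not part of either message above: a small Python sketch that turns query log lines into JSON events for a SIEM and projects daily log volume from a sample, which is one way to approach the sizing question. The log line layout, the sample lines and all function names are assumptions made for this example; check the layout against your own Unbound output.

```python
import ipaddress
import json
import re

# Constructed sample lines. Assumed layout with log-queries: yes and epoch timestamps:
# [epoch] unbound[pid:thread] info: <client-ip> <qname> <qtype> <qclass>
SAMPLE = """\
[1700000000] unbound[812:0] info: 192.0.2.10 www.example.com. A IN
[1700000001] unbound[812:1] info: 192.0.2.11 mail.example.org. AAAA IN
[1700000001] unbound[812:0] info: start of service (unbound 1.x).
[1700000002] unbound[812:0] info: 2001:db8::5 _ldap._tcp.corp.example. SRV IN
"""

QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[(?P<pid>\d+):(?P<thread>\d+)\] info: "
    r"(?P<client>[0-9A-Fa-f:.]+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z0-9]+)$"
)

def parse_line(line):
    """Return a dict for a query line, or None for any other log message."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["client"])  # reject text that merely looks hex-like
    except ValueError:
        return None
    qname = m["qname"].rstrip(".").lower() or "."  # keep the root name as "."
    return {"ts": int(m["ts"]), "client": m["client"], "qname": qname,
            "qtype": m["qtype"], "qclass": m["qclass"]}

def to_siem_json(text):
    """One JSON object per query line, ready for a log shipper."""
    events = (parse_line(line) for line in text.splitlines())
    return [json.dumps(e, sort_keys=True) for e in events if e]

def estimate_bytes_per_day(text, queries_per_second):
    """Project daily log volume from the average size of sampled query lines."""
    sizes = [len(l.encode()) + 1 for l in text.splitlines() if parse_line(l)]
    if not sizes:
        return 0
    return int(sum(sizes) / len(sizes) * queries_per_second * 86400)

if __name__ == "__main__":
    for event in to_siem_json(SAMPLE):
        print(event)
    print(estimate_bytes_per_day(SAMPLE, 500), "bytes/day at 500 qps")
```

The estimate covers query lines only; anything logged by a higher verbosity setting comes on top of it.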