What is the most convenient way for logging request including client source address?

Hi all

I’m looking for a way to get detailed logging from Unbound with less impact on the performance of our servers.
I searched around and it seems both Unbound itself and other third-party modules like dnstap are capable of logging requests/replies with the client source address.
It seems using verbosity of 5 for getting the client source address puts pressure on Unbound performance, as I see it’s some kind of logging information specified as Debug in log files, and I got many other things that I’m not interested in.
About dnstap, I’m not sure if it’s still an active project and whether I could use it with the latest Unbound release with confidence.

Do you have any idea about this topic?

Thanks in advance

Hi,

Thanks for your feedback and question.

dnstap is indeed a good candidate for detailed logging of Unbound and offloads the Unbound server in case of high-load. dnstap is open source and is maintained by Farsight Security. It is actively supported, but the code itself is in good shape and you might not see recent changes in the GitHub repository.

Best regards,

— Benno

Hi Benno
Thanks for your hints. Actually I was a little bit uncertain about its activity as I didn’t see any commits in the past year.
Anyway, I will try dnstap and inform you about the results.

Thanks again

if anyone tries dnstap and encounters any trouble, please reach out to
me. it is farsight's goal to push this bsd-licensed open source
technology into the community and to make it easier for all operators to
see in real time what their name servers are doing.

Hi Paul,

Thanks, I will inform you about the results.

Do you have any tools for taking a full dnstap feed and fanning out
filtered versions to multiple consumers? How about fan-in from multiple
servers?

Tony.

Tony Finch wrote:

Hi Iman,

> Hi all
>
> I'm looking for a way to get detailed logging from Unbound with less
> impact on the performance of our servers.
> I searched around and it seems both Unbound itself and other third-party
> modules like dnstap are capable of logging requests/replies with the client
> source address.
> It seems using verbosity of 5 for getting the client source address puts
> pressure on Unbound performance, as I see it's some kind of logging
> information specified as Debug in log files, and I got many other things
> that I'm not interested in.

The option log-queries: yes logs the query name and IP address to the
logs and does not have the debug overhead that verbosity 5 has. It does
not log in more detail, something for which dnstap is good. For
lightweight, just query names and IP addresses the log-queries option is
an easy way to log it.

local-zone type inform will also log the querier for a smaller, select,
part of the namespace. Use this if you want to have even less log
messages, only for specific names (and specific suffixes).

Best regards, Wouter
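
The three logging approaches discussed in this thread, side by side in one unbound.conf. This is an added example, not configuration posted by anyone in the thread or shipped by the Unbound project. The zone name and socket path are placeholders, and the dnstap section assumes an Unbound build compiled with dnstap support and a collector already listening on that socket.

```conf
server:
    # Keep general verbosity low. verbosity: 5 is debug-level output and
    # carries the overhead and noise described in the original question.
    verbosity: 1

    # Lightweight option: one log line per query with the client IP
    # address and the query name, without the debug overhead.
    log-queries: yes

    # Narrower option: log the querier only for a selected part of the
    # namespace (the name and everything below it).
    # "example.com." is a placeholder zone.
    local-zone: "example.com." inform

# Detailed option: hand full query/response messages, including the
# client source address, to an external dnstap collector so the
# resolver itself does not do the heavy logging work.
dnstap:
    dnstap-enable: yes
    # Placeholder path; must match the socket the collector listens on.
    dnstap-socket-path: "/var/run/unbound/dnstap.sock"
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes
```

In practice `log-queries` and the `inform` zone are alternatives: enable the first for all client queries, or only the second when logging should be limited to specific names.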