We are running the DNS module on a dedicated box. We have DNS log publisher set to the "local-db-publisher" - however, we are not certain where these logs are located. DNS log queries and log responses are both enabled. I have found some articles that mention that the logs can be found in /var/log/gtm and some that state they are found in /var/log/ltm but the queries and responses are nowhere to be found.
These events will be stored in /var/log based on event type... Posting some document excerpts below, let me know if this helps.
local-syslog: Causes the system to store log messages in the local Syslog database. When you choose this log destination, the BIG-IP Configuration utility displays the log messages in these categories: System, Local Traffic, Global Traffic, and Audit.
local-db: Causes the system to store log messages in the local MySQL database.
When you choose local-db, the BIG-IP Configuration utility does not display the log messages.
For local log messages that the BIG-IP system stores in the local Syslog database, the BIG-IP system automatically stores and displays log messages in these categories:
Each type of event is stored locally in a separate log file, and the information stored in each log file varies depending on the event type. All log files for these event types are in the directory /var/log.
GTM is the older product name that was used with older TMOS versions. GTM is the correct logfile in this case. Typically you would not want to log every query/response, as it does have a performance impact on your system. Configuring BIG-IP DNS to log dns queries and responses (f5.com).
To log queries/responses, here are some quick instructions extracted from the KB article above:
Creating a custom DNS logging profile for logging DNS queries and responses
Create a custom DNS logging profile to log both DNS queries and responses when troubleshooting a DDoS attack.
Note: Logging both DNS queries and responses has an impact on the BIG-IP system performance.
On the Main tab, click DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens.
Click Create. The New DNS Logging profile screen opens.
In the Name field, type a unique name for the profile.
From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.
For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.
For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.
For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.
This KB was reviewed and each setting was enabled - outside of Include Query ID. We're in the process of cleaning some zones up and are looking to see what zones may still have hits, so we'd want all queries to be logged.
Case logged with support. The DNS logging profile needed to have the log publisher updated to one that has the local-syslog as the destination. Once updated, the query and response logs are logged in /var/log/ltm.
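For the zone cleanup mentioned in the thread, a small script can tally query lines per zone once the logs land in /var/log/ltm; this is an added example, not part of the thread and not F5 code. The log-line layout, host names, addresses and zone names below are constructed assumptions, so adjust the regular expression to the lines your system actually writes.

```python
import re
from collections import Counter

# ASSUMED layout of a DNS query line (constructed, not taken from the thread):
#   ... qid 4101 from 192.0.2.10#53211: view none: query: www.example.com IN A + (...)
QUERY_RE = re.compile(r"\bquery:\s+(?P<name>\S+)\s+(?P<cls>\S+)\s+(?P<type>\S+)")

# Constructed sample lines standing in for /var/log/ltm content.
SAMPLE_LOG = [
    "Mar  3 10:00:01 bigip1 info tmm[1234]: qid 4101 from 192.0.2.10#53211: view none: query: www.example.com IN A + (192.0.2.53%0)",
    "Mar  3 10:00:01 bigip1 info tmm[1234]: qid 4101 to 192.0.2.10#53211: [NOERROR qr,aa,rd] response: www.example.com. 30 IN A 198.51.100.7;",
    "Mar  3 10:00:02 bigip1 info tmm[1234]: qid 4102 from 192.0.2.11#40112: view none: query: host1.corp.example.com IN AAAA + (192.0.2.53%0)",
    "Mar  3 10:00:03 bigip1 info tmm[1234]: qid 4103 from 192.0.2.12#40999: view none: query: WWW.Example.COM. IN A + (192.0.2.53%0)",
    "Mar  3 10:00:04 bigip1 info tmm[1234]: qid 4104 from 192.0.2.13#41234: view none: query: other.test IN A + (192.0.2.53%0)",
    "Mar  3 10:00:05 bigip1 notice mcpd[5678]: unrelated LTM message",
]
ZONES = ["example.com", "corp.example.com", "legacy.example.net"]  # hypothetical zones

def zone_for(qname, zones):
    """Return the longest configured zone that qname falls under, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def count_zone_hits(lines, zones):
    """Count query lines per zone; zones with no queries stay at 0."""
    zones = {z.rstrip(".").lower() for z in zones}
    hits = Counter({z: 0 for z in zones})
    unmatched = Counter()  # names that belong to no configured zone
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # response lines and non-DNS messages are skipped
        name = m.group("name").rstrip(".").lower()
        zone = zone_for(name, zones)
        if zone is None:
            unmatched[name] += 1
        else:
            hits[zone] += 1
    return hits, unmatched

if __name__ == "__main__":
    hits, unmatched = count_zone_hits(SAMPLE_LOG, ZONES)
    for zone in sorted(hits):
        print(f"{zone}\t{hits[zone]}")
    print("unmatched:", dict(unmatched))
```

Zones that report 0 over a long enough logging window are the cleanup candidates; only query lines are counted, so each lookup is tallied once rather than once per query and response.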