How do I watch and interpret the pihole.log file?

Use this command to watch the log file in real time:

pihole -t

which is just a short version of sudo tail -F /var/log/pihole.log

You can also do it on the web interface:

When your Pi-hole first starts up, it will read your hosts file as well as /etc/pihole/gravity.list, which is where your list of ad-serving domains is. So one of the first log entries will read like this:

Nov 13 07:45:04 dnsmasq[1055]: read /etc/hosts - 5 addresses
Nov 13 07:45:06 dnsmasq[1055]: read /etc/pihole/gravity.list - 66925 addresses

Next, you might see a query line, which is a computer asking where they can find a certain domain. For instance

Nov  4 07:28:53 dnsmasq[1045]: query[A] ntp.ubuntu.com from 192.168.1.52

So the log file shows the date, the process (dnsmasq): what the action was–an IPv4 [A] query for ntp.ubuntu.com and who it came from–someone with the IP address 192.168.1.52. If you have IPv6 enabled, you will all see query[AAAA] entries.

If the domain requested is not in the list of ad domains, it is sent to an upstream DNS server. So in this example, ntp.ubuntu.com is not an ad-serving domain, so the request is sent to Google’s DNS server to find out where it is.

Nov  4 07:28:53 dnsmasq[1045]: forwarded ntp.ubuntu.com to 8.8.4.4

Once it finds out where it is, a reply is sent to the client with the IP address

Nov  4 07:28:53 dnsmasq[1045]: reply ntp.ubuntu.com is 91.189.89.199

Next, you may want to know when an ad domain is queried. Look for /etc/pihole/gravity.list in the log file. You will see the log entry is structured the same, but the hosts file where the domain was found in is listed and then it points to your Pi’s IP address (192.168.1.20 in this example).

Nov  4 14:13:23 dnsmasq[1045]: /etc/pihole/gravity.list doubleclick.com is 192.168.1.200
4 Likes