diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml
index c2efa8f..a619b94 100644
--- a/roles/unbound/handlers/main.yml
+++ b/roles/unbound/handlers/main.yml
@@ -2,3 +2,6 @@
 systemd:
 state: restarted
 name: unbound
+
+- name: read unbound apparmor config
+ command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index cabae99..ff45ec1 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -33,6 +33,27 @@
 mode: 0644
 notify: restart unbound
+- name: ensure unbound log directory exists
+ file:
+ path: /var/log/unbound
+ state: directory
+ mode: '0755'
+ owner: unbound
+ group: unbound
+
+- name: ask apparmor to allow unbound to write to log file
+ template:
+ src: unbound-apparmor-config
+ dest: /etc/apparmor.d/local/usr.sbin.unbound
+ mode: '0644'
+ notify: read unbound apparmor config
+
+- name: setup unbound log rotation
+ template:
+ src: unbound-logrotate.j2
+ dest: /etc/logrotate.d/unbound
+ mode: 0644
+
 - name: setup recursive DNS server config
 template:
 src: recursive.conf.j2
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index a65bd43..b24613f 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -8,8 +8,7 @@ server:
 verbosity: 3
 # "" sends logs to stderr, journalctl will pick things up.
- logfile: ""
-
+ logfile: "/var/log/unbound/unbound.log"
 do-ip4: yes
 # FIXME: IPv6 deployment... someday...
diff --git a/roles/unbound/templates/unbound-apparmor-config b/roles/unbound/templates/unbound-apparmor-config
new file mode 100644
index 0000000..f40ee05
--- /dev/null
+++ b/roles/unbound/templates/unbound-apparmor-config
@@ -0,0 +1 @@
+/var/log/unbound/unbound.log rw,
diff --git a/roles/unbound/templates/unbound-logrotate.j2 b/roles/unbound/templates/unbound-logrotate.j2
new file mode 100644
index 0000000..d57e83e
--- /dev/null
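Review bot: Handlers run in the order they are declared in this file, so `restart unbound` (declared above the hunk) fires before the new `read unbound apparmor config` handler; on a run that changes both recursive.conf.j2 and the local AppArmor profile, unbound is restarted with the new `logfile` before the kernel policy permits that write, the open is denied, and unbound will not retry it until the next restart or `log_reopen`. Declaring the AppArmor handler first, or giving it `notify: restart unbound` so the reload is always followed by a restart, closes that window. The handler name also says "read" where it performs a profile replace; `- name: reload unbound apparmor profile` describes what `apparmor_parser -r` does and reads better in the `notify:` lines that reference it.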
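Review bot: The log-rotation task sets `mode: 0644` unquoted while the two tasks added just above it quote `'0755'` and `'0644'`; the unquoted form is parsed as an integer by YAML and only works because Ansible special-cases leading-zero values, so for consistency and to avoid surprising future edits write `mode: '0644'` here as well. The existing context line `mode: 0644` above the hunk has the same issue but is outside this change. The AppArmor template source is named `unbound-apparmor-config` without the `.j2` suffix its siblings carry; renaming it to `unbound-apparmor-config.j2` would keep the templates directory consistent, though that is purely cosmetic.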
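Review bot: Setting `logfile` alone may have no effect, because unbound's documented default is `use-syslog: yes` and the manual states that the logfile setting is overridden while syslog is on; unless `use-syslog: no` appears elsewhere in this template (not visible in the hunk), add it directly beneath the new `logfile:` line. The comment kept above the changed line, `# "" sends logs to stderr, journalctl will pick things up.`, now describes the value that was removed and should be replaced by something like `# Log to a file; logrotate asks unbound to reopen it after rotation.` Note that at `verbosity: 3` unbound emits per-query information, so the new file holds client DNS history and its permissions deserve the same care as the config.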
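Review bot: This rule only takes effect if the main profile `/etc/apparmor.d/usr.sbin.unbound` includes `local/usr.sbin.unbound`; the distribution-packaged profile does, but the logrotate script in this same change calls `/usr/local/sbin/unbound-control`, which suggests a locally built unbound whose profile may not, so the role should check for or add that include rather than assume it. A one-line header such as `# Managed by Ansible: let unbound append to and re-create its own log file.` would tell the next reader why this file exists. `rw` on the file path is the minimum needed for appending and for re-creating the file after `log_reopen`, so the rule itself is appropriately narrow.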
+++ b/roles/unbound/templates/unbound-logrotate.j2
@@ -0,0 +1,13 @@
+/var/log/unbound/*.log {
+ daily
+ rotate 30
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ create 644
+ postrotate
+ /usr/local/sbin/unbound-control log_reopen
+ endscript
+}
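Review bot: `create 644` makes logrotate create the replacement file as root with no owner or group named, so after `log_reopen` a daemon dropping privileges to the `unbound` user (the owner the tasks give /var/log/unbound) cannot open it for append and logging stops at the first rotation; change it to `create 640 unbound unbound`. The 640 mode also stops the file being world-readable, which matters because the accompanying `verbosity: 3` setting records per-query detail. The postrotate step depends on remote-control being enabled in unbound.conf and on the hard-coded `/usr/local/sbin/unbound-control` path; if either is not guaranteed on every host, `copytruncate` removes the dependency at the cost of a possible lost line during rotation.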