Well, I’d say DNS is your friend; however, if you only want to trace browser usage, you will need a proxy with monitoring, or to correlate all port 80/443 traffic to the DNS requests. You can also log/monitor all GET requests; this is typically browser traffic.
I’m personally going for the DNS approach, since it gives me all outbound traffic in the form of domains rather than URLs. I load those into my ELK stack for monitoring and further processing.
I had looked into this from an unbound perspective; this wasn’t super easy. You’d have to log all queries and ship that to your data lake (plus ingest everything). So I went for the upstream Umbrella (OpenDNS) ingestion pipeline (already in Filebeat).
Be aware that any mapping to IP and IP mapping to users will require their consent. Not sure what unbound logs exactly, but with Umbrella I can aggregate on my internal or external IP.
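Added example, not part of the original post: a sketch of the unbound route mentioned above, turning query-log lines into NDJSON documents ready to ship to an ELK stack. It assumes unbound runs with `log-queries: yes` and writes epoch-stamped lines to a file; the sample lines, the HMAC key and the function names are constructed for illustration, and the client IP is replaced with a keyed hash so raw addresses are not stored in the index.

```python
import hashlib, hmac, ipaddress, json, re
from collections import Counter
from datetime import datetime, timezone

# Assumed line shape with `log-queries: yes` and epoch timestamps:
#   [epoch] unbound[pid:thread] info: <client-ip> <qname> <qtype> <qclass>
QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")

# Constructed sample lines (documentation addresses and domains).
SAMPLE_LOG = """\
[1700000000] unbound[812:0] info: 192.0.2.10 www.example.com. A IN
[1700000001] unbound[812:0] info: 192.0.2.10 www.example.com. AAAA IN
[1700000002] unbound[812:1] info: 192.0.2.11 Mail.Example.ORG. MX IN
[1700000003] unbound[812:0] info: generate keytag query _ta-0000. NULL IN
[1700000004] unbound[812:1] info: 192.0.2.11 . NS IN
"""

def parse_line(line, key=b"constructed-key"):
    """Return an ECS-style dict for a query line, or None for other lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["client"])  # reject non-query 'info' lines
    except ValueError:
        return None
    # Normalise: lower-case, drop the trailing root dot (keep "." for root).
    qname = m["qname"].rstrip(".").lower() or "."
    client_id = hmac.new(key, m["client"].encode(), hashlib.sha256).hexdigest()[:16]
    ts = datetime.fromtimestamp(int(m["ts"]), timezone.utc).isoformat()
    return {"@timestamp": ts, "client_id": client_id,
            "dns": {"question": {"name": qname, "type": m["qtype"]}}}

def parse_log(text):
    """Parse every line, skipping anything that is not a query record."""
    return [d for d in map(parse_line, text.splitlines()) if d]

def to_ndjson(text):
    """One JSON document per line, the shape Filebeat/Logstash can ingest."""
    return "\n".join(json.dumps(d, sort_keys=True) for d in parse_log(text))

def domain_counts(text):
    """Aggregate queried domains, the view the DNS approach is used for."""
    return Counter(d["dns"]["question"]["name"] for d in parse_log(text))

if __name__ == "__main__":
    print(to_ndjson(SAMPLE_LOG))
    print(domain_counts(SAMPLE_LOG).most_common())
```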