
My router broadcasts (sends to 224.0.0.1) something every forty seconds. This is caught by UFW which stores a log entry in syslog:

Jan 5 03:49:02 log kernel: [ 1184.788900] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:40:5a:9b:5c:9c:fd:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2

I am about to set up a syslog server which will collect messages from each of the network's 50 machines. Polluting the syslog with 50 messages every forty seconds annoys me, and the router itself is unfortunately not configurable.

Is there a way to prevent those particular messages (filtered by source and destination) from being logged, while still logging other entries which are blocked by the firewall?

Arseni Mourzenko

3 Answers

2

Yes.

  1. For rsyslog, you can use a filter such as:

    :msg, contains, "MAC=01:00:5e:00:00:01:40:5a:9b:5c:9c:fd:08:00 SRC=192.168.1.1 DST=224.0.0.1" ~

    If you put it before other configuration rules, it will prevent the messages from being logged. You can see a full example of a configuration file here.

    Note that the text “must be an exact match, wildcards are not supported.”

  2. For syslog-ng, use some variation of the filters, with a not message('someregex') in your filter.

Arseni Mourzenko
Craig Miskell
  • Great, thank you. Note that link-only answers are often downvoted and removed on Stack Exchange; I edited yours to provide information directly in the answer. – Arseni Mourzenko Jan 05 '15 at 05:18
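As an added example (not code from any answer above), a small Python filter that parses UFW BLOCK lines into their key=value fields and applies the same suppression as the rsyslog `contains` rule, but keyed on SRC, DST and PROTO rather than on an exact substring, so the match does not depend on field order or on the MAC value. The second and third log lines are constructed for the test; the first is the line from the question.

```python
import re
from typing import Dict, List, Optional

# key=value tokens in a netfilter/UFW log line (bare flags such as "DF" carry no value)
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_ufw_block(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a '[UFW BLOCK]' line, or None if the line is not one."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(_KV.findall(line))


def is_router_igmp(fields: Dict[str, str]) -> bool:
    """Suppression rule equivalent to the rsyslog filter in the answer, expressed on
    structured fields: IGMP (PROTO=2) from the router to the all-hosts multicast group."""
    return (fields.get("SRC") == "192.168.1.1"
            and fields.get("DST") == "224.0.0.1"
            and fields.get("PROTO") == "2")


def filter_lines(lines: List[str]) -> List[str]:
    """Drop only router IGMP blocks; every other line (UFW or not) is kept."""
    kept = []
    for line in lines:
        fields = parse_ufw_block(line)
        if fields is not None and is_router_igmp(fields):
            continue
        kept.append(line)
    return kept


# Constructed sample input: the question's line, a block that must stay, and a non-UFW line.
SAMPLE_LINES = [
    "Jan 5 03:49:02 log kernel: [ 1184.788900] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=01:00:5e:00:00:01:40:5a:9b:5c:9c:fd:08:00 SRC=192.168.1.1 DST=224.0.0.1 "
    "LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2",
    "Jan 5 03:49:40 log kernel: [ 1222.100000] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:40:5a:9b:5c:9c:fd:08:00 SRC=10.0.0.7 DST=192.168.1.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=44122 DPT=22",
    "Jan 5 03:49:41 log sshd[1234]: Accepted publickey for alice from 192.168.1.50",
]

if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LINES):
        print(line)
```

Running it prints the SSH probe block and the sshd line; the IGMP line is the only one dropped, which is the property to check before deploying the rsyslog rule on the central server.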
1

Rather than disabling logging, which only fixes the symptom, you should investigate the cause of the firewall triggering. In your case, your router is sending IGMP packets, which are necessary for IPv4 multicast to work (even if you don't have any multicast routing in your network, firewalling IGMP will break link-local multicast if you have any snooping switches).

Please check whether you are running any applications that rely on IPv4 multicast, and consider allowing protocol 2 through your firewall.

jch
0

You can also set a rule in ufw to drop these messages, like sudo ufw reject from any to 224.0.0.1, or more likely, if you already have a set of rules, you can insert it with sudo ufw insert [rule no.] reject from any to 224.0.0.1.

JP Satrio