As you can see, there are multiple entries for broadcast MACs. I do not want to log these. So, I set out on what would become a two-hour adventure on rsyslog and conditional filtering.
First, I discovered that Ubuntu uses rsyslog rather than the older syslog. Essentially, what I wanted to do was send all events to an ELA manager except for the broadcast and multicast messages (note: this computer is not for web browsing. If yours is, you will want to filter out web traffic as well or risk seeing millions of messages).
Before sending all of my information to an ELA Server (I remembered what happened last time I did that), I needed a way to see what messages would be sent and filtered. Enter "xconsole." Xconsole allows you to view messages that are being sent to the console. To run it, open up a command prompt and type:
This will open the console window. Leave this open while testing.
Ubunut stores its rsyslog settings in two places. The first is rsyslog.conf which is stored in /etc. However, it references/includes a file "50-default.conf" which is stored in /etc/rsyslog.d. To open that file and begin our edits type this in a command prompt (open a new command prompt tab so we don't close the xconsole)
sudo gedit /etc/rsyslog.d/50-default.conf
This will open a text editor. This file originally looks like this:
#Test logging to temp log
#LOG to remote host ELA
# Default rules for rsyslog.
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
# First some standard log files. Log by facility.
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
# Logging for INN news system.
# Some "catch-all" log files.
# news.none;mail.none -/var/log/debug
# mail,news.none -/var/log/messages
# Emergencies are sent to everybody logged in.
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
# $ xconsole -file /dev/xconsole [...]
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
This is the original file. We are going to be adding all of our rules to the top. Here are the edits I made to the file. These edits drop all messages matching a rule before logging them.
#Test logging to console with /dev/console.
#Then open CLI and do sudo xconsole to watch output
#Drop all packets containing information matching below. Then write.
:msg, contains, "DST=10.10.92.255"
:msg, contains, "DST=255.255.255.255"
:msg, contains, "DST=22.214.171.124"
#LOG to remote host ELA
The line for logging to the ELA can be commented out while you test this. The line with /dev/console will write to the xconsole window. Now we need to save it and restart the service. Save the file in the text editor, exit, and then issue:
sudo service rsyslog restart
That will begin throwing messages to your xconsole. If it works, you can comment out that line and then send the messages just to the ELA.
Here are some links that were used as sources. However, I wrote this post because none of the sources I found addressed multiple rules directly.