diff --git a/defaults/main.yml b/defaults/main.yml
index c085a504..02aaaa77 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -208,6 +208,7 @@ security_disable_module_usb_storage: no # V-38490
 # ** DANGER **
 #
 security_sysctl_tcp_syncookies: 1 # V-38539
+security_sysctl_enable_martian_logging: no # V-38528
 #
 # Deployers who wish to disable IPv6 entirely must set this configuration
 # variable to 'yes'. See the documentation for V-38546 before making this
diff --git a/doc/source/developer-notes/V-38528.rst b/doc/source/developer-notes/V-38528.rst
index 83b0df9d..9ac26ca2 100644
--- a/doc/source/developer-notes/V-38528.rst
+++ b/doc/source/developer-notes/V-38528.rst
@@ -1,5 +1,22 @@
-The Ansible task in this role will ensure that martian packets are logged to
-rsyslog. Wikpedia's article on `martian packets`_ provides additional
-information.
+**Exception**
+
+The STIG requires that all martian packets are logged by setting the sysctl
+parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
+
+Although the logs can be valuable in some situations, the setting can generate
+a *significant* amount of logging in OpenStack environments, especially those
+that use neutron's Linux bridge networking. In some situations, the logging can
+flood the physical terminal and make troubleshooting at the console or via out
+of band (like iKVM, DRAC and iLO) **extremely difficult**.
+
+The role will ensure that martian packet logging is disabled by default.
+Deployers that need this logging enabled will need to set the following
+Ansible variable:
+
+.. code-block:: yaml
+
+    security_sysctl_enable_martian_logging: yes
+
+Wikpedia's article on `martian packets`_ provides additional information.
 
 .. _martian packets: https://en.wikipedia.org/wiki/Martian_packet
diff --git a/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml b/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml
new file mode 100644
index 00000000..e55b8e82
--- /dev/null
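Review bot: The new default `security_sysctl_enable_martian_logging: no` makes the role deviate from V-38528 out of the box, but nothing in defaults/main.yml says so; a deployer who reads only this file (the usual place to discover tunables) will not find the rationale that the commit puts in the developer notes. The neighbouring `security_sysctl_tcp_syncookies` line sits under a `# ** DANGER **` marker, so the file evidently already explains risky defaults inline; I would add a comment in that spirit directly above the new line: `# V-38528 is NOT enforced by default: log_martians can flood syslog and the` / `# physical console on neutron Linux bridge hosts. Set to 'yes' to apply the STIG.` The `no` form is consistent with the `security_disable_module_usb_storage: no` style the file already uses, so I would not change that here.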
+++ b/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml
@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Although the STIG requires martian packets to be logged, the logging is
+    now disabled by default. The logs can quickly fill up a syslog server or
+    make a physical console unusable.
+
+    Deployers that need this logging enabled will need to set the following
+    Ansible variable:
+
+    .. code-block:: yaml
+
+      security_sysctl_enable_martian_logging: yes
diff --git a/tasks/kernel.yml b/tasks/kernel.yml
index fcf45d1c..69d1690d 100644
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -16,7 +16,7 @@
 - name: V-38528 - The system must log martian packets
   sysctl:
     name: net.ipv4.conf.all.log_martians
-    value: 1
+    value: "{{ (security_sysctl_enable_martian_logging | bool) | ternary('1', '0') }}"
     state: present
     sysctl_set: yes
   tags:
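Review bot: With `sysctl_set: yes` and `state: present` still in place, the new `value:` expression makes this task actively write `net.ipv4.conf.all.log_martians = 0` whenever the variable is left at its new default, rather than merely declining to enable logging; a host where an operator had turned martian logging on through their own sysctl.d drop-in would have it silently reverted by a hardening role, and a task named "The system must log martian packets" would report ok/changed while the control is not applied. I would keep `value: 1` and gate the task instead, `when: security_sysctl_enable_martian_logging | bool`, so a run with logging disabled shows the V-38528 task as skipped in the play recap and leaves any existing setting untouched. If forcing the value to 0 is the intent, the task name and a short comment should say so explicitly. The task definition continues past `tags:` outside this hunk.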