Blocking Queries
When necessary, LogScale can be configured to prevent queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system's resources, a particular query may be known to be used for malicious purposes (e.g., searching for secure secrets), or a log line may contain information that should never be searched.
Blocks can be added by defining the following conditions:
Based on a regular expression, using the standard LogScale regular expression mechanics.
Based on an exact matching query, explicitly matching the defined string.
Either against a specific repository or all repositories.
Figure 15. Query Administration Blocklist
The list of currently blocked queries is shown in the Blocklist page and includes the following information:
Pattern
The string or regular expression of the query that is blocked.
Type
Whether the block is based on an Exact Match or Regular Expression.
Expires
When the block expires.
View/Repo
The view or repository to which the block applies.
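An added example, not part of the LogScale documentation or product code: a small Python model of the four blocklist fields above, used to dry-run candidate blocks against a list of past queries before adding them. The Block class, dry_run, the repository names and the sample queries are all constructed, and Python's re module with unanchored matching stands in for LogScale's regular expression engine as an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Block:
    pattern: str                        # "Pattern" column
    kind: str                           # "Type": "exact" or "regex"
    repo: Optional[str] = None          # "View/Repo"; None means all repositories
    expires: Optional[datetime] = None  # "Expires"; None means no expiry

    def applies(self, query: str, repo: str, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False                # expired blocks no longer stop anything
        if self.repo is not None and self.repo != repo:
            return False                # block is scoped to a different repository
        if self.kind == "exact":
            return query == self.pattern
        # Assumption: unanchored match, Python's re in place of LogScale's regex engine.
        return re.search(self.pattern, query) is not None

def dry_run(blocks, history, now):
    """For each (repo, query) pair, return the first matching block pattern or None."""
    return [next((b.pattern for b in blocks if b.applies(q, r, now)), None)
            for r, q in history]

# Everything below is constructed sample data.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
BLOCKS = [
    Block(r"password\s*=", "regex"),
    Block("* | groupBy(@rawstring)", "exact", repo="prod-logs"),
    Block(r"regex\(", "regex", repo="prod-logs",
          expires=datetime(2023, 12, 1, tzinfo=timezone.utc)),
]
HISTORY = [
    ("prod-logs", "* | groupBy(@rawstring)"),    # exact block, in scope
    ("prod-logs", "*  | groupBy(@rawstring)"),   # differs by one space: exact block misses it
    ("dev-logs", "* | groupBy(@rawstring)"),     # same text, but outside the block's repository
    ("dev-logs", "password = example"),          # regex block on all repositories
    ("prod-logs", 'regex("a.*b")'),              # block on regex( has expired
]

if __name__ == "__main__":
    for (repo, query), hit in zip(HISTORY, dry_run(BLOCKS, HISTORY, NOW)):
        print(f"{repo:10} {query!r:32} -> {'BLOCKED by ' + hit if hit else 'allowed'}")
```

Reviewing the output for queries that come back as allowed shows where an exact-match block, a repository scope or an expiry date leaves a gap that a regular expression or an all-repositories block would close.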