Blocking Queries
When necessary, LogScale can be configured to prevent queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system's resources. Or a particular query is known to be used for malicious purposes (e.g., searching for secure secrets). Or it may be that a log line contains information that should never want searched.
Blocks can be added by defining the following conditions:
Based on a regular expression using the standard LogScale regular expression mechanics
Based on an exact matching query, explicitly matching the defined string.
Either against a specific Repository or all repositories.
Figure 34. Organization Query Administration Blocklist
The list of currently blocked queries is shown in the
Blocklist
page and includes the following information:
Pattern
The string or regular expression of the query that is blocked.
Type
Whether the block is based on an
Exact Match
orRegular Expression
.Expires
When the block expires.
Repository or view
The view(s) or repositories to which the block applies.
Enforcement level
Whether the block applies only to specific views or repositories, or if it applies to the whole organization.
Removing or Unblocking an Existing Block
The
Blocklist
display shows the current list of configured query blocks for your
organization.
To remove or unblock a previously blocked query:
Go to the
Blocklist
page.Select the query that you want to unblock.
Click
button next to the query entry.
A message will be shown to say the block has been removed.