Security Requirements and Controls
LogScale has the ability to pause ingestion of data into a repository when needed.
Reasons to consider blocking ingest include:
the data arriving is corrupt or otherwise causing problems.
to prevent new data from arriving before you update the parser syntax.
in the case of a cluster, you may want to do this if the volume of data arriving is overwhelming your current cluster size. You'd disable it until you have time to resolve the problem.
Blocking and Unblocking Ingestion
Ingest can be blocked and unblocked from the user interface. There you can specify how long you'd like to prevent new events from being ingested for this repository.
Figure 95. Blocking Ingest-Settings
The Block Ingest page enables you to temporarily block ingestion for a short period of time, after which it will be re-enabled. This can be useful in a variety of situations where the level of ingestion and activity are causing performance or reporting problems.
Select a repository from the repositories and views page and click Settings on the menu.
Click Ingest under Block ingest.
Select the interval of time for which to block ingest and clickor Click to restart ingestion.
If you are using a log shipper, once ingestion is enabled it can reconnect and continue sending the logs so that events are not lost.
For more information, see Disabling Ingestion.
If successful, you will see a notice:
Figure 96. Blocking Ingest
When the duration of the block expires, ingest is re-enabled. The maximum duration allowed is one year.
When you block ingest, all sockets opened for ingest into this repository are closed and not re-opened until the block has expired or been removed by hand. Most log shippers will simply queue up the log records when they can't deliver them and then when the connection is re-opened they will ship all the missing data as well as new data from that point on.
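The queue-and-replay behaviour described above can be modelled as follows. This is an added example, not LogScale code or the code of any real log shipper. The class names, the time steps and the max_queue limit are assumptions made for illustration; the bounded queue is included to show what happens when a block outlasts what a shipper can buffer.

```python
from collections import deque

class BlockedEndpoint:
    """Constructed stand-in for a repository's ingest socket (not LogScale code)."""
    def __init__(self, blocked_from, blocked_until):
        self.blocked_from, self.blocked_until = blocked_from, blocked_until
        self.received = []

    def send(self, now, event):
        # While the block is active the socket is closed, so delivery fails.
        if self.blocked_from <= now < self.blocked_until:
            raise ConnectionError("ingest blocked: socket closed")
        self.received.append(event)

class Shipper:
    """Hypothetical shipper: queues undelivered events and replays them in order."""
    def __init__(self, endpoint, max_queue):
        self.endpoint = endpoint
        self.max_queue = max_queue  # assumed buffer limit, in events
        self.queue = deque()
        self.dropped = []

    def ship(self, now, event):
        self.queue.append(event)
        try:
            while self.queue:
                self.endpoint.send(now, self.queue[0])
                self.queue.popleft()  # remove only after delivery succeeded
        except ConnectionError:
            # Delivery failed: keep the backlog, discarding oldest if over the limit.
            while len(self.queue) > self.max_queue:
                self.dropped.append(self.queue.popleft())

def simulate(max_queue, events=10, blocked_from=3, blocked_until=8):
    """Ship one constructed event per time step across a block window."""
    endpoint = BlockedEndpoint(blocked_from, blocked_until)
    shipper = Shipper(endpoint, max_queue)
    for t in range(events):
        shipper.ship(t, f"event-{t}")
    return endpoint.received, shipper.dropped

if __name__ == "__main__":
    for size in (100, 2):
        received, dropped = simulate(max_queue=size)
        print(f"max_queue={size}: delivered={len(received)} dropped={dropped}")
```

With a large enough buffer every event arrives in order once the block ends; with the small buffer the oldest queued events are discarded, which leaves a gap in the repository for the blocked period.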