What is the trigger for the event of block-writing in index

What is the trigger for this event? “varnish-2021.11.04” is a daily index.

  "_index": "security-auditlog-2021.11.05",
  "_type": "_doc",
  "_id": "iX1p7XwBGyDtKWxWuphB",
  "_version": 1,
  "_score": null,
  "_source": {
    "audit_cluster_name": "logs-corporativos",
    "audit_node_name": "logs-corporativos-data-2",
    "audit_trace_task_id": "Zhsfg1KZQCOHLRdsFFz63g:91315701",
    "audit_transport_request_type": "UpdateSettingsRequest",
    "audit_category": "INDEX_EVENT",
    "audit_request_origin": "LOCAL",
    "audit_request_body": "{\"index\":{\"blocks\":{\"write\":\"true\"}}}",
    "audit_node_id": "Zhsfg1KZQCOHLRdsFFz63g",
    "audit_request_layer": "TRANSPORT",
    "@timestamp": "2021-11-05T00:05:01.632+00:00",
    "audit_format_version": 4,
    "audit_request_privilege": "indices:admin/settings/update",
    "audit_node_host_address": "",
    "audit_request_effective_user": "plugin",
    "audit_trace_indices": [
    "audit_trace_resolved_indices": [
    "audit_node_host_name": ""
  "fields": {
    "@timestamp": [


Moving over to the ‘Security’ category

@pablo @Anthony - would you be able to take a look at this?

The trigger could be the disk utilization falling below the high watermark
See further details here

Thanks for the answer @Anthony. After further investigation I found the problem. It was my ISM Policy. It had forceMerge configured. The index got write disabled and there were events coming and trying to write to that D-1 (day before) index.

After some research I fixed the problem of writing to the D-1 index, and my logstashes became available again to process new events instead of blocking on the write-disabled index.
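To answer the same question from the audit log itself, the following added example (not part of the thread and not OpenSearch project code) scans audit events for `UpdateSettingsRequest` calls that change an `index.blocks.*` setting and reports the index, the block, the effective user and the time. It uses the field names from the event in the question; the dotted-key body form, the `example-admin` user and the sample events are assumptions constructed for illustration.

```python
import json

BLOCKS = ("write", "read_only", "read_only_allow_delete")  # index.blocks.* settings that stop writes

def flatten(obj, prefix=""):
    """Flatten nested settings to dotted keys so both request forms compare alike."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def block_changes(event):
    """Return (index, block, enabled, user, timestamp) tuples for one audit event."""
    src = event.get("_source", event)
    if src.get("audit_transport_request_type") != "UpdateSettingsRequest":
        return []
    try:
        settings = flatten(json.loads(src.get("audit_request_body") or "{}"))
    except (json.JSONDecodeError, AttributeError):
        return []  # truncated body or a body that is not a JSON object
    changes = []
    for key, value in settings.items():
        parts = key.split(".")
        if len(parts) >= 2 and parts[-2] == "blocks" and parts[-1] in BLOCKS:
            enabled = str(value).lower() == "true"  # "true" and true both occur
            for index in src.get("audit_trace_resolved_indices") or ["<unknown>"]:
                changes.append((index, parts[-1], enabled,
                                src.get("audit_request_effective_user"), src.get("@timestamp")))
    return changes

# Constructed sample events; the first is modelled on the event in the question.
SAMPLE = [
    {"_source": {"audit_transport_request_type": "UpdateSettingsRequest",
                 "audit_request_body": '{"index":{"blocks":{"write":"true"}}}',
                 "audit_request_effective_user": "plugin",
                 "audit_trace_resolved_indices": ["varnish-2021.11.04"],
                 "@timestamp": "2021-11-05T00:05:01.632+00:00"}},
    {"_source": {"audit_transport_request_type": "UpdateSettingsRequest",
                 "audit_request_body": '{"index.blocks.write": false}',
                 "audit_request_effective_user": "example-admin",
                 "audit_trace_resolved_indices": ["varnish-2021.11.04"],
                 "@timestamp": "2021-11-05T09:00:00.000+00:00"}},
    {"_source": {"audit_transport_request_type": "SearchRequest"}},
]

if __name__ == "__main__":
    print([change for event in SAMPLE for change in block_changes(event)])
```

Grouping the output by effective user separates block changes made by an internal plugin identity from those made by a named account.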