Monitoring Palo Alto Networks firewalls with ELK

Hi dear community,
I have been following a blog to create dashboards for Palo Alto Networks firewalls and good progress has been made. The blog post that has been used is

We have successfully replicated the dashboards to the extent we want. However, we have some challenges with Timelion filters or query.

In order to create a more complex query that, for example, shows allowed and dropped traffic and furthermore drills down to department level, how can this query be applied in Kibana under Timelion? We are using

.es(q=action:drop).lines(fill=2).color(red).label("Dropped traffic today")

which works, however, as soon as we try adding (q=action:drop or allow and user:someuser) the console returns errors. We have also tried using (q=action:drop or action:allow and department:somedepartment)

Is there any detailed description and instructions with regards to the use of Timelion besides https://www.elastic.co/blog/timelion-tutorial-from-zero-to-hero or https://www.elastic.co/guide/en/kibana/current/timelion.html, none of which show any complex queries on the data? Maybe we are just over-complicating this and it is not the intended usage of Timelion? Will greatly appreciate any advice or guidance. Thanking you in advance, and thank you very much for such a great product, i.e. the ELK stack :slight_smile:

BR,
Rune

Hi @zkhanfur
the Timelion blog post https://www.elastic.co/blog/timelion-tutorial-from-zero-to-hero shows that the query uses the query DSL mini-language: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax

in your case the query can be written as q="action:(drop OR allow) AND user:someuser" using the quotation marks and the parenthesis where needed.
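Since the parenthesised form above is the thing to get right, here is a small added helper (not Elastic's code, and not from the original blog post) that builds the Timelion `.es(q=...)` expression from the action list and extra field filters. It assumes the field names from the question (`action`, `user`, `department`), that Timelion hands the `q=` string straight to the `query_string` parser, and that you would rather reject a user or department name containing reserved `query_string` characters (spaces, quotes, parentheses, `:` and so on) than try to escape them, so a value pasted in from a form can never change the shape of the query.

```python
"""Build Timelion .es() series with correctly grouped query_string clauses.

Added example for this thread, not Elastic's code.  Field names (action, user,
department) are taken from the question; everything else is an assumption.
"""
import re

# Allow-list for anything interpolated into the query.  Reserved query_string
# characters and whitespace are rejected rather than escaped, so an untrusted
# department or user name cannot rewrite the query structure.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.@]+$")


def _check(kind: str, token: str) -> str:
    """Return token unchanged if it is on the allow-list, else raise."""
    if not SAFE_TOKEN.match(token):
        raise ValueError(f"unsafe {kind} {token!r}: only [A-Za-z0-9_.@] allowed")
    return token


def build_query(actions, **filters) -> str:
    """Return e.g. 'action:(drop OR allow) AND user:someuser'.

    actions: action values to match, OR-ed together inside one group.
    filters: extra field=value pairs, each AND-ed onto the action group.
    """
    if not actions:
        raise ValueError("at least one action is required")
    checked = [_check("action", a) for a in actions]
    # A single action needs no parentheses; several must be grouped so the
    # OR cannot swallow the AND clauses that follow.
    group = checked[0] if len(checked) == 1 else "(" + " OR ".join(checked) + ")"
    clauses = [f"action:{group}"]
    for field, value in sorted(filters.items()):
        clauses.append(f"{_check('field', field)}:{_check('value', value)}")
    return " AND ".join(clauses)


def timelion_series(query: str, label: str, color: str = "", fill: int = 0) -> str:
    """One Timelion series: .es(q="...").lines(fill=N).color(c).label("...")."""
    if '"' in label:
        raise ValueError("label must not contain double quotes")
    expr = f'.es(q="{query}")'
    if fill:
        expr += f".lines(fill={int(fill)})"
    if color:
        expr += f".color({_check('color', color)})"
    return expr + f'.label("{label}")'


def dropped_vs_allowed(**filters) -> str:
    """Two series on one chart: dropped and allowed traffic for the same filter."""
    return ", ".join([
        timelion_series(build_query(["drop"], **filters), "Dropped traffic today", "red", 2),
        timelion_series(build_query(["allow"], **filters), "Allowed traffic today", "green", 2),
    ])


if __name__ == "__main__":
    # Constructed sample: drill down to one department, one series per action.
    print(dropped_vs_allowed(department="engineering"))
```

With no filters and a single action the output is exactly the `.es(q=action:drop)...` expression from the question (with the query quoted); with two actions plus a `user` or `department` filter it produces the `action:(drop OR allow) AND user:someuser` form. Pasting the result of `dropped_vs_allowed(...)` into Timelion gives one chart with both series.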

Hi Markov00, Thank you Soooooo much. I do not know how I missed this, I guess I just was not trying hard enough. Thanks for pointing this out and also for providing an example that works. Many thanks.
