topic processing of Mainframe logs in Knowledge Management

processing of Mainframe logs

aoates — Sat, 08 May 2010 03:19:50 GMT

the logs we're interested in from the mainframe are from java WebSphere applications running on Z/os. They're in ascii already. For us to make a pitch for splunk we'd need to demonstrate that we can get the near real-time forwarding of this data to Splunk. I see you have forwarders compiled for most operating systems. If we could get a version compiled under Unix System Services on Z/os for us, that is something we could run in the same way that, if I understand correctly, log data is normally fed to splunk. We have access to compilers on Z if that would help.

We're not running Linux on Z, but WebSphere is running within something called Unix System Services (USS), which, as you can guess, provides a linux-like environment. Including a compiler.

The batch approach would work, but wouldn't be an effective pitch. All of the log data we're currently interested in is traditional ascii data which happens to be generated on mainframe regions.

Re: processing of Mainframe logs

Simeon — Sat, 08 May 2010 03:23:47 GMT

Is this a question about a custom build or if Splunk can eat mainframe logs? I'm pretty sure it will eat mainframe logs.

Re: processing of Mainframe logs

jrodman — Sat, 08 May 2010 03:47:00 GMT

There's no Splunk currently for Linux on the 390 arch in any event, at this time. Last I looked into this there was the core execution environment, as well as an ancillary environment of Linux on PPC, which we also don't supply binaries for.

So how do you deliver data in realtime to Splunk without a Splunk fowarder? There's a variety of options:

Send the data over syslog to splunk directly
send the data via syslog or another network transport to an agent writing a live file that splunk is monitoring (even this can get latency within a few seconds)
open a simple tcp socket and simply send the data to splunkd this way, probably a socket specifically configured to accept and split your data format
Provide access to the log files over NFS (or CIFS, or some other remote FS your environment can handle) and monitor them remotely

Re: processing of Mainframe logs

aoates — Wed, 12 May 2010 00:59:40 GMT

What we were actually trying to look at was standing up a forwarding Agent on z/OS (not zLinux), and how we would go about that. Anything else is imperfect at best for a long term solution. Mounting what is needed via NFS is not really a feasible or timely solution. Thats a project in and of itself, as our z/OS OS team isn't where they need to be to even begin that process, there is network firewall issues. Basically, we are talking atleast 3-6 months, and multiple teams involved.

But perhaps if you could enlighten me, who has worked on z/OS platform for 24+ years, primarily as a Sysprog, but also as WAS admin/support (since its been on the platform), USS admin etc, how we can "Send the data over syslog to Splunk directly " because that makes no technical sense to me, or how we can "open a simple tcp socket and simply send the data to Splunk this way, probably a socket specifically configured to accept and split your data format " without writing code.

Our hopes were that there was a forwarding agent binaries for execution on z/OS directly, or in USS of z/OS. Barring that, was attempting to get agent source and compile it to run in either. Without that, it means the creation of something, be it our own version of a forwarding agent, or some transfer agent to a forwarding agent.

Re: processing of Mainframe logs

nwagner — Sat, 13 Nov 2010 23:36:13 GMT

I'm a z/OS Systems Programmer and was looking for a solution for this. After some extensive reseach I found that there is a third party product that is doing exactly what you need.

Quote from their webpage: "Type80 Syslog for z/OS enables extension of all mainframe console messages and write-to-operator messages to be routed to external log retention servers using the standard TCP/IP Syslog protocol".

More info here: http://www.type80.com/products_syslog.htm

I'm still trying to find something that is free.

Re: processing of Mainframe logs

dwaddle — Wed, 08 Jun 2011 22:43:33 GMT

There's (at least) three different System Z targets, besides Linux-on-PPC which is (I think) a different beast altogether. There's Linux-on-s390 (which really is Linux compiled for the s390 arch - usually running as a virtual machine under z/VM). And there's also z/OS (the latest incarnation of OS/390 previous MVS) and z/OS Unix System Services. Unix System Services provides a POSIX userspace, hierarchial filesystem and syscall/libc environment as part of z/OS.

Re: processing of Mainframe logs

BruceGee — Wed, 30 Jan 2013 13:58:50 GMT

Can I perhaps spur an answer to your question with a question?

Are there exposed Web Services available in SPLUNK?
If so can one not talk directly to SPLUNK using MQI or Websphere from the Z/OS mainframe?

Part two of the question:

How much effort would it take to write a forwarder for Z/OS?

Re: processing of Mainframe logs

pogdin — Thu, 17 Dec 2015 21:06:56 GMT

There is a fully supported s390x Universal Forwarder on the Splunk forwarder download page under Linux in tgz and rpm format:

http://www.splunk.com/en_us/download/universal-forwarder.html

Re: processing of Mainframe logs

tex_walks — Tue, 19 Dec 2017 22:15:09 GMT

Have you had a look at Ironstream by Syncsort? Their tool works like a forwarder and can send data from the mainframe to Splunk.
https://www.syncsort.com/en/Products/Mainframe/Ironstream