Getting Data In

How do you monitor IBM VIOS?

edoardo_vicendo
Contributor

Hello,

We have IBM VIOS servers running AIX and we need to monitor them, mainly in terms of security.

Does anyone have experience with that? Did you install a Splunk Universal Forwarder, or are you sending data out via syslog?

Thanks a lot,

Edoardo


DuieOlson
Engager

Hello @edoardo_vicendo,

We have been venturing into the world of VIOS to Splunk ourselves. VIOS is an animal all on its own. We can tailor these 'appliances' any way we choose from a logging and monitoring perspective. We don't mess with the O/S or the base purpose of the appliance, which is virtualizing Ethernet and physical I/O adapters. Since we drive off NMON, which is base O/S code, we won't break anything on an upgrade. NMON has been around for decades.
Using Metricator for nmon and the Splunk Universal Forwarder, we are able to get our VIOS data into a Splunk index, and the Metricator dashboards come to life! It's a beautiful thing! We have 36 VIOS in our IBM i footprint to install. We have over 100 to do, including the IBM z mainframe as well. If we get it working for one, we can easily install it on all of them relatively quickly.

@guilmxm has done a fabulous job!

We had to work with our internal Splunk team that understood the forwarder part as well as all the add-on install and configuration steps.

Our VIOS admins then installed the forwarder and configured the nmon collection scripts and the setup of /etc/inittab to start it all up on IPL.

I've been digging into the dashboards and finding all the data, deciding what I wanted monitored and alerted and what reporting I may want.

Only drawback I have found to date is this:

The capture of the virtual I/O adapter info is not collected or sent to Splunk to show what system virtually is using what physical adapter.

But overall, this is way better than staring at an AIX command prompted NMON screen.

Next steps will be syslogs for auditing as well.  But we are walking before running.

Cheers!


inventsekar
SplunkTrust

Hi @edoardo_vicendo, as per my understanding, AIX should be fine to install a UF and pull logs.

This post is from 2019, and it also suggests the UF installation procedure using the .tar file:

https://community.splunk.com/t5/Getting-Data-In/What-is-the-Splunk-forwarder-installation-procedure-...

So, I would suggest you have a test box with AIX and IBM VIOS, install the UF through the .tar format, and try to send out security logs. It should be fine; it may give some issues, but it should not trouble you much.

If these things didn't work out, then syslog is your friend (ours as well).

best regards, 

Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

isoutamo
SplunkTrust

Hi

As VIOS is a special kind of appliance type of AIX instance, I also suppose @tscroggins' way to use syslog as a standard way to get those events out of it. Installing anything other than what IBM has approved on this instance probably breaks it later (e.g. in an update), and then you need to rebuild it and hope that this hasn't generated too many issues for the real AIX instances on those boxes.

r. Ismo

tscroggins
Influencer

In past environments, I did not install the UF on VIOS partitions; however, your IBM and Splunk sales engineers may have suggestions. I had the convenience of the Tivoli suite for infrastructure monitoring. You may need to engage IBM support to configure syslog forwarding in a "supported" manner. As an IBM customer, I'm sure you're familiar with the machinations necessary to keep Big Blue happy. 😉
