Dear,
I would like to ask you guys for help: how do I send mainframe logs to Splunk?
Which events are the most important to collect for the PCI-DSS scope?
Thanks!
There are multiple commercial options significantly better than IBM's CDPz, which often fails to send the data to Splunk in real time. For many security operations centers, this real-time aspect is absolutely vital, especially when you consider how destructive some malware can be, like WannaCry and NotPetya.
If you are looking for this complete solution, I recommend taking a look at BMC's AMI For Security https://www.bmc.com/it-solutions/ami-mainframe-security.html
The three best things about this product are:
1 - The out-of-the-box solution you are looking for
2 - The multivariate correlation server in the command center that can do most of the analysis that Splunk would do. By analyzing the data early, you only send the important alert information into Splunk and can significantly lower Splunk's overall bill.
3 - Captures significantly more data around Db2, IMS, and z/VM than CDPz
IBM Common Data Provider for z Systems (CDPz) is the best option for sending Mainframe logs to Splunk.
CDPz can send a wide variety of data including 140 data sources and 100+ SMF record types. More specifically, CDPz can support the following:
• SMF records
• SYSLOG (IBM z/OS System Log and USS SyslogD)
• JOBLOGs
• Application logs (IBM CICS Transaction Server logs and IBM WebSphere Application Server logs)
CDPz also has advanced filtering capabilities including RegEx and time filtering that can be set up using the built-in web configuration tool shown below.
More information on IBM Common Data Provider for z Systems can be found directly on Splunkbase.
This is good news! It gives a gold-standard way to feed insightful mainframe system data to Splunk at the lowest cost.
The following Splunk Blog outlines how Splunk and IBM are partnering to help customers integrate IBM Z (Mainframe) Data and Insights into Splunk software:
Yes, Ironstream is a commercial application and very expensive! I requested a commercial proposal and it was not viable.
IBM Common Data Provider is a much less expensive option for forwarding mainframe data to Splunk. IBM Common Data Provider has a fixed, one-time-charge pricing model instead of a volume-based pricing model.
Hello, currently Splunk does not have a way to natively ingest mainframe logs; there is a lot of good information on a product called Ironstream from Syncsort.
I guess Syncsort Ironstream isn't free... Is my understanding correct?
Syncsort Ironstream is a commercial application, so no, it is not free.
I got it done through a script that collects login failure events in RACF and sends them via SFTP to Splunk, all in the same script.
In addition to this, some other alternatives are listed in this thread.
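The pipeline this post describes (pull RACF logon failures out of a z/OS SYSLOG extract, then hand the result to an SFTP step toward the Splunk side), as an added Python example that is not the poster's script. It assumes RACF reports failed logons as ICH408I messages whose continuation line starts with "LOGON/JOB INITIATION"; the leading "HH.MM.SS jobname" prefix on the sample lines, the sample lines themselves, and the remote file name are all constructed for the example, and the SFTP transport is a plain callable so the code runs offline. It also handles the caveat that bites most first attempts at the "FTP the file over" approach: a file pulled with a binary FTP GET is still EBCDIC (code page 037) and must be decoded before Splunk can index it.

```python
"""Extract RACF logon-failure messages from a z/OS SYSLOG extract and spool
them as newline-delimited JSON for Splunk.

Added example for this thread, not the poster's script. Assumptions:
- a failed logon shows up as an ICH408I header line followed by a
  continuation line beginning with 'LOGON/JOB INITIATION - <reason>'
- each SYSLOG line carries an 'HH.MM.SS jobname' prefix (site-specific;
  constructed here)
- the SFTP upload is whatever callable the caller passes in
"""
import json
import re
from typing import Callable, Iterator

# Constructed sample: one successful logon, two failed logons for JDOE, and
# one unrelated JES message, in the multi-line shape RACF uses.
SAMPLE_SYSLOG = """\
12.01.05 JOB01234 ICH70001I JSMITH   LAST ACCESS AT 11:58:02 ON MONDAY, MAY 6, 2019
12.02.17 JOB01235 ICH408I USER(JDOE    ) GROUP(DEPTA   ) NAME(JANE DOE            )
  LOGON/JOB INITIATION - INVALID PASSWORD
12.02.19 JOB01235 ICH408I USER(JDOE    ) GROUP(DEPTA   ) NAME(JANE DOE            )
  LOGON/JOB INITIATION - REVOKED USERID ACCESS ATTEMPT
12.03.00 JOB01236 IEF403I PAYROLL - STARTED - TIME=12.03.00
"""

HEADER_RE = re.compile(
    r"^(?P<time>\d\d\.\d\d\.\d\d)\s+\S+\s+ICH408I\s+USER\((?P<user>[^)]*)\)\s+"
    r"GROUP\((?P<group>[^)]*)\)\s+NAME\((?P<name>[^)]*)\)"
)
REASON_RE = re.compile(r"^\s+LOGON/JOB INITIATION - (?P<reason>.+?)\s*$")


def decode_extract(raw: bytes) -> str:
    """Turn the transferred file into text.

    A binary FTP GET leaves the file in EBCDIC (cp037); a text-mode GET has
    already converted it to ASCII. Heuristic (an assumption of this example):
    if the first two bytes are ASCII digits the timestamp prefix is already
    ASCII, otherwise decode as cp037.
    """
    if raw[:2].isdigit():
        return raw.decode("ascii", errors="replace")
    return raw.decode("cp037")


def iter_logon_failures(text: str) -> Iterator[dict]:
    """Yield one event per ICH408I logon failure; skip other ICH408I uses."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        # The reason sits on the continuation line right after the header.
        r = REASON_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not r:
            continue  # ICH408I for a resource access violation, not a logon
        yield {
            "event": "racf_logon_failure",
            "msgid": "ICH408I",
            "time": m["time"],
            "user": m["user"].strip(),
            "group": m["group"].strip(),
            "name": m["name"].strip(),
            "reason": r["reason"],
        }


def spool_events(text: str) -> str:
    """One JSON object per line, which Splunk indexes with sourcetype _json."""
    return "".join(json.dumps(e, sort_keys=True) + "\n"
                   for e in iter_logon_failures(text))


def ship(raw: bytes, upload: Callable[[str, bytes], None],
         remote_name: str = "racf_logon_failures.json") -> int:
    """Decode, extract and hand the spool to the caller's transport.

    Returns the number of events shipped so a scheduler can alert when a run
    produced nothing (a silent feed is itself a finding for PCI logging).
    """
    payload = spool_events(decode_extract(raw))
    count = payload.count("\n")
    if count:
        upload(remote_name, payload.encode("utf-8"))
    return count


if __name__ == "__main__":
    # Simulate the binary-FTP case: the extract arrives as EBCDIC bytes.
    sent = {}
    n = ship(SAMPLE_SYSLOG.encode("cp037"),
             lambda name, data: sent.__setitem__(name, data))
    print(f"shipped {n} events")
    print(sent["racf_logon_failures.json"].decode())
```

In production the `upload` callable would wrap the real SFTP step (an `sftp -b` batch file or a paramiko session), and a Splunk file monitor input pointed at the dropped JSON file with sourcetype `_json` picks the events up. Note that SYSLOG messages are a convenience feed; the authoritative RACF audit trail is the SMF type 80 record, which is what the commercial products discussed in this thread read.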
Thanks for the reply, guys, will have a look at it.
Thanks for the reply!! Can you suggest some ideas on how to get the mainframe data into Splunk?
Would it be possible to simply FTP (or use an FTP-like product) the files we are interested in from the Mainframe to our Splunk server and then set up an automatic import of those files into Splunk?
Dear,
Has anyone used the IBM zSecure installed on Mainframe to collect and send the SMF events to Splunk?
You must perform the parsing too; is it very complex to do this?
Thanks.
@jfeitosa, can you let us know if you have used Ironstream or some other 3rd-party tools to get the data into Splunk? I too have the same requirement now and need to finalize and work on it.
Thanks, rhianbai, for the reply. Is there any other way without having to use another paid tool?
Thanks
Currently, as far as I know, there is not a way to do that. I had a customer that wanted some information about this subject, and the only solutions we found were from IBM and Syncsort.
Hello, I've been checking whether the Syncsort solution is the best delivery.
But there is also a solution from MSCS, a Brazilian company, which also has an integration with the mainframe.
http://www.mscs-x.com.br/en/3xsecurity.html