I'm asking you guys for help: how do I send Mainframe logs to Splunk?
Which events are the most important to collect for the PCI-DSS scope?
There are multiple commercial options significantly better than IBM's CDPz, which often fails to send the data to Splunk in real time. For many security operations centers, this real-time aspect is absolutely vital, especially when you consider how destructive some malware can be, like WannaCry and NotPetya.
If you are looking for this complete solution, I recommend taking a look at BMC's AMI For Security https://www.bmc.com/it-solutions/ami-mainframe-security.html
The three best things about this product are:
1 - The out of the box solution you are looking for
2 - The multivariate correlation server in the command center that can do most of the analysis that Splunk would do. By analyzing the data early, you only send the important alert information into Splunk and can significantly lower Splunk's overall bill.
3 - Captures significantly more data around Db2, IMS, and z/VM than CDPz.
IBM Common Data Provider for z Systems (CDPz) is the best option for sending Mainframe logs to Splunk.
CDPz can send a wide variety of data including 140 data sources and 100+ SMF record types. More specifically, CDPz can support the following:
• SMF records
• SYSLOG (IBM z/OS System Log and USS SyslogD)
• Application logs (IBM CICS Transaction Server logs and IBM WebSphere Application Server logs)
CDPz also has advanced filtering capabilities including RegEx and time filtering that can be set up using the built-in web configuration tool shown below.
More information on IBM Common Data Provider for z Systems can be found directly on Splunkbase.
The following Splunk Blog outlines how Splunk and IBM are partnering to help customers integrate IBM Z (Mainframe) Data and Insights into Splunk software:
IBM Common Data Provider is a much less expensive option for forwarding mainframe data to Splunk. IBM Common Data Provider has a fixed, one-time-charge pricing model instead of a volume-based pricing model.
Hello, currently Splunk does not have a way to natively ingest mainframe logs. There is a lot of good information on a product called Ironstream from Syncsort.
Syncsort Ironstream is a commercial application, so no, it is not free.
In addition to this, some other alternatives are listed in this thread.
Would it be possible to simply FTP (or use an FTP-like product) the files we are interested in from the Mainframe to our Splunk server and then set up an automatic import of those files into Splunk?
@jfeitosa, can you let us know if you have used Ironstream or some other 3rd-party tools to get the data into Splunk? I have the same requirement now and need to finalize and work on it.
Hello, I've been checking whether the Syncsort solution is the best delivery option.
But there is also a solution from MSCS, a Brazilian company, which also has an integration with Mainframe.