Send Mainframe logs to Splunk?

jfeitosa
Path Finder

Dear,

I ask you guys for help on how to send Mainframe logs to Splunk.
What events are more important to collect for the PCI-DSS scope?

Thanks!

kellgon
Engager

There are multiple commercial options significantly better than IBM's CDPz, which often fails to send the data to Splunk in real time. For many security operations centers, this real-time aspect is absolutely vital, especially when you consider how destructive some malware can be, like WannaCry and NotPetya.

If you are looking for this complete solution, I recommend taking a look at BMC's AMI For Security https://www.bmc.com/it-solutions/ami-mainframe-security.html

The three best things about this product are:

1 - The out-of-the-box solution you are looking for
2 - The multivariate correlation server in the command center that can do most of the analysis that Splunk would do. By analyzing the data early, you only send the important alert information into Splunk and can significantly lower Splunk's overall bill.
3 - Captures significantly more data around Db2, IMS, and zVM than CDPz

tldenney
Path Finder

IBM Common Data Provider for z Systems (CDPz) is the best option for sending Mainframe logs to Splunk.

CDPz can send a wide variety of data including 140 data sources and 100+ SMF record types. More specifically, CDPz can support the following:

• SMF records
• SYSLOG (IBM z/OS System Log and USS SyslogD)
• JOBLOGs
• Application logs (IBM CICS Transaction Server logs and IBM WebSphere Application Server logs)

CDPz also has advanced filtering capabilities including RegEx and time filtering that can be set up using the built-in web configuration tool shown below.

More information on IBM Common Data Provider for z Systems can be found directly on Splunkbase.

lihmwang
Engager

This is good news! It gives a gold standard way to feed mainframe system insightful data to Splunk at the lowest cost.

0 Karma

tldenney
Path Finder

The following Splunk Blog outlines how Splunk and IBM are partnering to help customers integrate IBM Z (Mainframe) Data and Insights into Splunk software:

https://www.splunk.com/blog/2017/08/22/insane-in-the-mainframe-splunk-and-ibm-partner-to-provide-end...

0 Karma

jfeitosa
Path Finder

Yes, the Ironstream is a commercial application and very expensive! I requested a commercial proposal and it was not viable.

0 Karma

tldenney
Path Finder

IBM Common Data Provider is a much less expensive option for forwarding mainframe data to Splunk. IBM Common Data Provider has a fixed, one-time-charge pricing model instead of a volume-based pricing model.

rhianbai
New Member

Hello, currently Splunk does not have a way to natively inject mainframe logs. There is a lot of good information on a product called Ironstream from Syncsort.

http://www.splunk.com/view/splunk-and-syncsort-alliance-delivers-machine-data-insights-from-mainfram...

0 Karma

Tejkumar451
Explorer

I guess Syncsort Ironstream isn't free... Is my understanding correct?

0 Karma

gjanders
SplunkTrust

Syncsort Ironstream is a commercial application, so no, it is not free.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

jfeitosa
Path Finder

I managed, through a script, to collect login failure events in RACF and send them via SFTP to Splunk in the same script.

0 Karma

gjanders
SplunkTrust

In addition to this, some other alternatives are listed in this thread.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

Tejkumar451
Explorer

Thanks for the reply guys, will have a look at it

0 Karma

Tejkumar451
Explorer

Thanks for the reply!! Can you suggest some ideas on how to get the mainframe data into Splunk?

0 Karma

StephenIves
New Member

Would it be possible to simply FTP (or use an FTP-like product) the files we are interested in from the Mainframe to our Splunk server and then set up an automatic import of those files into Splunk?

0 Karma

jfeitosa
Path Finder

Dear,

Has anyone used the IBM zSecure installed on Mainframe to collect and send the SMF events to Splunk?

You must perform the parsing too; is it very complex to do this?

Thanks.

0 Karma

Tejkumar451
Explorer

@jfeitosa can you let us know if you have used Ironstream or some other 3rd-party tools to get the data into Splunk? Even I have the same requirement now and need to finalize and work on it.

0 Karma

jfeitosa
Path Finder

Thanks rhianbai for the reply. Is there any other way without having to use another paid tool?

Tks

0 Karma

rhianbai
New Member

Currently, that I know of, there is not a way to do that. I had a customer that wanted some information about this subject and the only solutions we found were from IBM and Syncsort.

0 Karma

jfeitosa
Path Finder

Hello, I've been checking is at the solution of Syncsort is that the best delivery.
But there is a solution from MSCS, a Brazilian company, which also has an integration with Mainframe.
http://www.mscs-x.com.br/en/3xsecurity.html

0 Karma