Processing of mainframe logs

aoates
Splunk Employee

The logs we're interested in from the mainframe are from Java WebSphere applications running on z/OS. They're in ASCII already. For us to make a pitch for Splunk we'd need to demonstrate that we can get near real-time forwarding of this data to Splunk. I see you have forwarders compiled for most operating systems. If we could get a version compiled under Unix System Services on z/OS for us, that is something we could run in the same way that, if I understand correctly, log data is normally fed to Splunk. We have access to compilers on Z if that would help.

We're not running Linux on Z, but WebSphere is running within something called Unix System Services (USS), which, as you can guess, provides a Linux-like environment, including a compiler.

The batch approach would work, but wouldn't be an effective pitch. All of the log data we're currently interested in is traditional ASCII data which happens to be generated on mainframe regions.

tex_walks
New Member

Have you had a look at Ironstream by Syncsort? Their tool works like a forwarder and can send data from the mainframe to Splunk.
https://www.syncsort.com/en/Products/Mainframe/Ironstream

BruceGee
New Member

Can I perhaps spur an answer to your question with a question?

Are there exposed Web Services available in SPLUNK?
If so can one not talk directly to SPLUNK using MQI or Websphere from the Z/OS mainframe?

Part two of the question:

How much effort would it take to write a forwarder for Z/OS?

nwagner
Engager

I'm a z/OS Systems Programmer and was looking for a solution for this. After some extensive research I found that there is a third-party product that does exactly what you need.

Quote from their webpage: "Type80 Syslog for z/OS enables extension of all mainframe console messages and write-to-operator messages to be routed to external log retention servers using the standard TCP/IP Syslog protocol".

More info here: http://www.type80.com/products_syslog.htm

I'm still trying to find something that is free.

jrodman
Splunk Employee

There's no Splunk currently for Linux on the 390 arch in any event, at this time. Last I looked into this there was the core execution environment, as well as an ancillary environment of Linux on PPC, which we also don't supply binaries for.

So how do you deliver data in real time to Splunk without a Splunk forwarder? There are a variety of options:

  • Send the data over syslog to Splunk directly
  • Send the data via syslog or another network transport to an agent writing a live file that Splunk is monitoring (even this can get latency within a few seconds)
  • Open a simple TCP socket and simply send the data to splunkd this way, probably a socket specifically configured to accept and split your data format
  • Provide access to the log files over NFS (or CIFS, or some other remote FS your environment can handle) and monitor them remotely
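As an added example (not code from this thread, Splunk or any of the posters), the third option above worked through: a small Python shipper that tails the WebSphere SystemOut log in USS, folds stack-trace continuation lines into their parent event, and writes newline-framed events into a raw TCP input on the indexer. It assumes Python is available in USS and that the indexer carries the inputs.conf/props.conf sketched in the comment; host, port and log path are placeholders.

```python
import socket
import time

# Assumed Splunk-side config (constructed): inputs.conf [tcp://1514] with
# sourcetype = websphere_systemout, connection_host = ip; props.conf
# [websphere_systemout] with SHOULD_LINEMERGE = false and
# LINE_BREAKER = ([\r\n]+)(?=\[\d+/\d+/\d+ )

# Constructed sample in WebSphere SystemOut.log style, with one stack-trace line.
SAMPLE_LOG = (
    "[1/29/15 10:22:33:123 EST] 00000012 SystemOut     O Server started\n"
    "[1/29/15 10:22:34:001 EST] 00000013 SystemErr     R java.lang.IllegalStateException\n"
    "\tat com.example.Foo.bar(Foo.java:42)\n"
    "[1/29/15 10:22:35:777 EST] 00000012 SystemOut     O Request handled\n"
)

def frame_events(lines):
    """Fold indented continuation lines into the preceding timestamped line and
    yield one newline-terminated event at a time. An event is flushed when the
    next '[' line arrives, so the last event lags by one line; the indexer's
    LINE_BREAKER above applies the same boundary if you ship raw lines instead."""
    buf = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("[") and buf:
            yield ("\n".join(buf) + "\n").encode("ascii", "replace")
            buf = []
        buf.append(line)
    if buf:
        yield ("\n".join(buf) + "\n").encode("ascii", "replace")

def ship(events, sock):
    """Write each framed event to a connected socket-like object; return the count."""
    count = 0
    for event in events:
        sock.sendall(event)
        count += 1
    return count

def follow(path, poll=0.5):
    """Yield lines appended to path after start-up, polling like 'tail -f'."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        fh.seek(0, 2)  # start at the current end of the file
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)
```

To run it against a live log, wire the pieces together as `ship(frame_events(follow("/u/was/logs/SystemOut.log")), socket.create_connection(("splunk.example.internal", 1514)))`, substituting your own path, host and port.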

pogdin
Splunk Employee

There is a fully supported s390x Universal Forwarder on the Splunk forwarder download page under Linux in tgz and rpm format:

http://www.splunk.com/en_us/download/universal-forwarder.html

dwaddle
SplunkTrust

There are (at least) three different System Z targets, besides Linux-on-PPC, which is (I think) a different beast altogether. There's Linux-on-s390 (which really is Linux compiled for the s390 arch, usually running as a virtual machine under z/VM). And there's also z/OS (the latest incarnation of OS/390, previously MVS) and z/OS Unix System Services. Unix System Services provides a POSIX userspace, hierarchical filesystem and syscall/libc environment as part of z/OS.

aoates
Splunk Employee

What we were actually trying to look at was standing up a forwarding agent on z/OS (not zLinux), and how we would go about that. Anything else is imperfect at best for a long-term solution. Mounting what is needed via NFS is not really a feasible or timely solution. That's a project in and of itself, as our z/OS OS team isn't where they need to be to even begin that process, and there are network firewall issues. Basically, we are talking at least 3-6 months, and multiple teams involved.

But perhaps you could enlighten me, who has worked on the z/OS platform for 24+ years, primarily as a Sysprog, but also as WAS admin/support (since it's been on the platform), USS admin etc., how we can "Send the data over syslog to Splunk directly", because that makes no technical sense to me, or how we can "open a simple TCP socket and simply send the data to Splunk this way, probably a socket specifically configured to accept and split your data format" without writing code.

Our hope was that there were forwarding agent binaries for execution on z/OS directly, or in USS on z/OS. Barring that, we were attempting to get agent source and compile it to run in either. Without that, it means the creation of something, be it our own version of a forwarding agent, or some transfer agent to a forwarding agent.

Simeon
Splunk Employee

Is this a question about a custom build or if Splunk can eat mainframe logs? I'm pretty sure it will eat mainframe logs.
