The logs we're interested in from the mainframe are from Java WebSphere applications running on z/OS. They're in ASCII already. For us to make a pitch for Splunk we'd need to demonstrate that we can get near real-time forwarding of this data to Splunk. I see you have forwarders compiled for most operating systems. If we could get a version compiled under Unix System Services on z/OS for us, that is something we could run in the same way that, if I understand correctly, log data is normally fed to Splunk. We have access to compilers on Z if that would help.
We're not running Linux on Z, but WebSphere is running within something called Unix System Services (USS), which, as you can guess, provides a Linux-like environment, including a compiler.
The batch approach would work, but wouldn't be an effective pitch. All of the log data we're currently interested in is traditional ASCII data which happens to be generated on mainframe regions.
Can I perhaps spur an answer to your question with a question?
Are there exposed web services available in Splunk?
If so, can one not talk directly to Splunk using MQI or WebSphere from the z/OS mainframe?
Part two of the question:
How much effort would it take to write a forwarder for z/OS?
I'm a z/OS Systems Programmer and was looking for a solution for this. After some extensive research I found that there is a third-party product that does exactly what you need.
Quote from their webpage: "Type80 Syslog for z/OS enables extension of all mainframe console messages and write-to-operator messages to be routed to external log retention servers using the standard TCP/IP Syslog protocol".
More info here: http://www.type80.com/products_syslog.htm
I'm still trying to find something that is free.
There's no Splunk currently for Linux on the 390 arch in any event, at this time. Last I looked into this there was the core execution environment, as well as an ancillary environment of Linux on PPC, which we also don't supply binaries for.
So how do you deliver data in real time to Splunk without a Splunk forwarder? There's a variety of options:
There are (at least) three different System Z targets, besides Linux-on-PPC which is (I think) a different beast altogether. There's Linux-on-s390 (which really is Linux compiled for the s390 arch, usually running as a virtual machine under z/VM). And there's also z/OS (the latest incarnation of OS/390, previously MVS) and z/OS Unix System Services. Unix System Services provides a POSIX userspace, hierarchical filesystem and syscall/libc environment as part of z/OS.
What we were actually trying to look at was standing up a forwarding agent on z/OS (not zLinux), and how we would go about that. Anything else is imperfect at best for a long-term solution. Mounting what is needed via NFS is not really a feasible or timely solution. That's a project in and of itself, as our z/OS OS team isn't where they need to be to even begin that process, and there are network firewall issues. Basically, we are talking at least 3-6 months, and multiple teams involved.
But perhaps if you could enlighten me, who has worked on the z/OS platform for 24+ years, primarily as a Sysprog, but also as WAS admin/support (since it's been on the platform), USS admin etc., how we can "Send the data over syslog to Splunk directly", because that makes no technical sense to me, or how we can "open a simple tcp socket and simply send the data to Splunk this way, probably a socket specifically configured to accept and split your data format" without writing code.
Our hopes were that there were forwarding agent binaries for execution on z/OS directly, or in USS of z/OS. Barring that, we were attempting to get agent source and compile it to run in either. Without that, it means the creation of something, be it our own version of a forwarding agent, or some transfer agent to a forwarding agent.
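The two suggestions under discussion in this thread, "send the data over syslog" and "open a simple tcp socket and send the data to a socket configured to split your data format", both come down to the same small piece of code: tail the WebSphere log and write each line to a TCP receiver with framing the receiver can split on. The following is an added example, not code from Splunk or from any poster here. It assumes a Python interpreter is available in USS (if not, the same logic ports directly to C with the compilers mentioned above), assumes the receiving end is configured to accept TCP syslog with RFC 6587 octet-counting framing, and uses constructed hostnames, application names and log lines. The parser is included so the framing can be checked end to end, and because a receiver splitting on newlines would otherwise break a multi-line Java stack trace into several events.

```python
"""Minimal log forwarder for a POSIX userspace such as z/OS USS (added example).

Tails an ASCII log file and ships each line to a TCP syslog receiver as an
RFC 5424 message with RFC 6587 octet-counting framing ("<len> <msg>"), so the
receiver can split records without relying on newlines inside the payload.
"""
import socket
import sys
import time
from datetime import datetime, timezone


def build_syslog_frame(hostname, appname, message, facility=1, severity=6, timestamp=None):
    """Return one octet-counted frame: b"<byte-count> <RFC 5424 message>".

    facility=1 (user) and severity=6 (informational) give PRI 14.
    CR/LF inside the message are flattened to spaces so one stack-trace
    line stays one event whatever the receiver's line splitting does.
    """
    pri = facility * 8 + severity                                   # RFC 5424 PRI calculation
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    body = message.replace("\r", " ").replace("\n", " ")
    msg = f"<{pri}>1 {ts} {hostname} {appname} - - - {body}".encode("utf-8")
    return str(len(msg)).encode("ascii") + b" " + msg              # RFC 6587 octet counting


def parse_octet_counted(buf):
    """Receiver-side splitter: return (complete_messages, leftover_bytes).

    A partial trailing frame is left in the buffer for the next read.
    A frame that does not start with a decimal byte count raises ValueError,
    so garbage on the socket fails loudly instead of being silently merged.
    """
    messages = []
    while True:
        sep = buf.find(b" ")
        if sep == -1:
            break                                                   # no complete length prefix yet
        length = int(buf[:sep])                                     # ValueError on a malformed prefix
        start = sep + 1
        if len(buf) < start + length:
            break                                                   # partial frame, wait for more bytes
        messages.append(buf[start:start + length].decode("utf-8"))
        buf = buf[start + length:]
    return messages, buf


def send_lines(lines, host, port, hostname="zos-lpar1", appname="websphere"):
    """Ship an iterable of log lines over one TCP connection; return the count sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=5) as sock:
        for line in lines:
            sock.sendall(build_syslog_frame(hostname, appname, line))
            sent += 1
    return sent


def follow(path, poll_interval=1.0):
    """Yield lines appended to path after start-up (the behaviour of tail -f)."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        fh.seek(0, 2)                                               # start at end: only new data
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll_interval)


if __name__ == "__main__":
    # Usage: python forwarder.py /path/to/SystemOut.log receiver-host 1514
    log_path, rx_host, rx_port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    send_lines(follow(log_path), rx_host, rx_port)
```

Because `follow` never returns, `send_lines` holds a single long-lived connection; on a socket error the process exits and should be restarted by whatever supervises it in USS, which is the same operational model as a forwarder daemon.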