managing performance and security with splunk on your ibm mainframe webinar
TRANSCRIPT
Managing Performance and Security with Splunk® on your IBM Mainframe
Ironstream® -- The Industry Leading Provider of Mainframe Data for Splunk Enterprise
Ed Hallock – Director of Product Management
October 8, 2015
Agenda
Syncsort Confidential and Proprietary - do not copy or distribute
Why Splunk + Mainframe Data + Syncsort?
Challenges with Getting Mainframe Data into Splunk
Introducing Ironstream®
Sample Ironstream Dashboards
What’s new in Ironstream 1.3
Summary and Q&A
Splunk: The Industry-Leading Platform For Machine Data
Machine Data: Any Location, Type, Volume
Data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Apps, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID, Mainframe
Locations: On-Premises, Private Cloud, Public Cloud
Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing
Answer Any Question: Developer Platform, Report & analyze, Custom dashboards, Monitor & alert, Ad hoc search
Mainframes Still Host the Most Critical Applications
71% Fortune 500
30 Billion Bus. Transactions / day
23 of Top 25 US Retailers
9 of World’s Top Insurers
25 Top World Banks
Syncsort Heritage
• Syncsort provides fast, secure, enterprise-grade software spanning “Big Iron to Big Data”
• 50% of all mainframes run Syncsort software
• Real-time MF Log data to Splunk - Ironstream
• DB2 transparency migration solutions
• Real-time network management and security software
• Fastest sort technology in the market
Most trusted 3rd party mainframe software
• Over 45 years of innovation:
25+ issued & pending patents
• Large global customer base
12,000+ deployments in 85 countries and serving 87 of the Fortune 100
1,500 mainframe customers
Our customers realize ROI and get the best customer service in the world, every day!
Key Partners
Challenges with Getting Mainframe Data into Splunk®
• Integration
– Data Conversion: EBCDIC to ASCII; Binary to readable
– Complex mainframe data structures, e.g. SMF Data
• Security
– Hosts mission critical sensitive data
– Go beyond regulatory and compliance requirements
– Need to move from passive or after the fact monitoring to active “seek out information” state
• Cost
– Processing on the mainframe costs CPU cycles (MIPS) – including data transmission (TCP, FTP, etc.)
– No interference with system throughput
• Operational
– Correlating MF events to those from other sources
– Log files migration complex
– Tracking delta from log files not possible
– Real time/near real time complex
Sample Mainframe Data Collected by Ironstream®
Category | Mainframe Application | Related Mainframe Data
Security | RACF | SMF Type 80
Security | Intrusion Detection | SyslogD
Operational | Operator logs for DB2, CICS, IMS, etc | Syslog
Application Monitoring | DB2 Accounting Records | SMF Type 101
Application Monitoring | CICS Accounting Records | SMF Type 110
Application Monitoring | WebSphere | Log4j
Application Monitoring | Job / Step Accounting Records | SMF Type 30
• Collect critical mainframe log data: SMF records, SYSLOGs, SyslogD, Log4j, mainframe files, and more in real time
• Translate, transform and prepare mainframe machine data for easier analysis
• Securely forward into Splunk® Enterprise, Splunk Enterprise Security™ and Splunk Cloud for real-time operational intelligence and visualization
• Scale to billions of SMF records and SYSLOGs per day with minimum impact to your mainframe
Get operational insights from Big Iron!
A Simple, Scalable, Efficient Approach!
Distributed Systems
Ironstream® Data Flow
Mainframe
Generic App
Log Dataset
• Syslog
• DB2
• CICS
• MQ
• …
• IMS
• Log4j
• SMF
• User logs
• …
Ironstream® Sample Dashboards
Syslog Dashboard: RACF Violations and Message Trends
RACF Violations by type
RACF Violations by user
Trend message volumes today vs. same time last week and 2 weeks ago
Syslog Dashboard: Batch Job Activity
Batch JOB activity over time showing peak batch window
Job Monitor for SLA Tracking: SMF 30
Track JOB execution against defined service levels and identify JOBS that are at risk of non-compliance with service level agreement target
Drill down to predecessor JOBS
Mainframe Security Dashboard
Invalid LOGON attempts
Rate of Invalid LOGONs
Job Initiations
Track Authentication Successes and Failures
DB2 Performance Monitoring
Logging Rate Uncommitted Records by Plan Lock State Escalations
Lock Contention
Unavailable Resources
CICS Transaction Monitoring
Transaction Rates
CPU Usage by Transaction
Transaction Response Time
Transaction Failures
What’s New in Ironstream® 1.3
• New release -- general availability announced on September 23rd
• New network security information provided via Zen technology
– Designed to provide real-time, mainframe security and network insights through Splunk Enterprise and Splunk App for Enterprise Security
• Enhanced SMF and log collection providing additional insight into IT operations and security
– Users can easily search, analyze and visualize data end-to-end to gain valuable operational information
– IT operational insight gives users the ability to find and fix problems faster
0 - IPL Header
4 - Step Termination
14-15 - Data Set Activity
16 - DFSORT Statistics
17 - Scratch Data Set Status
19 - Direct Access Volume
30 - Common Address Workspace
37-39 - Netview
40 - Dynamic DD
41 - DIV Objects & VLF Statistics
42 - DFSMS Statistics and Configuration
50 - VTAM Tuning Statistics
57 - JES2 Network SYSOUT Transmission
60-62 - VSAM
64-66 - VSAM
70-79 - RMF Processor Activity
80-81, 83 - Security Package (RACF)
90 - System Status
92 - File System Activity
99 - SRM
100-102 - DB2
110 (sub 1,2) - CICS Performance & Exception Data
113 - Hardware Capacity
115-117 - WebSphere
118-119 - TCP/IP
120 - WebSphere Application Server Activity
208 - Syncsort SMF
241 - DFSMShsm Statistics
Ironstream®: Continued Growth in Supported Data Sources
Expected
GA 4Q14 1Q15 2Q15 2H15 Roadmap
SMF 30 SMF 14 SMF 0 SMF 4 SMF 37-39 SMF 5-9
SMF 80 SMF 15 SMF 19 SMF 16-17 SMF 81 SMF 11
SMF 110 SMF 42 SMF 57 SMF 40-41 SMF 83 SMF 21-24
Log4j 1 SMF 70 SMF 60-62 SMF 50 SMF 99 SMF 28
SYSLOG SMF 100-102 SMF 64-66 SMF 90 ACF 2 SMF 82-83
SMF 120 SMF 71-79 SMF 92 Log4J 2 SMF 87-88
Batch Files SMF 115-119 SMF 113 Network Data SMF 94
DB2 Triggers SMF 208 RMF III SMF 103
SMF 241 SyslogD DB2 CDC
SYSOUT User API Flat Files
Top Secret USS MQ Data
New Network Monitoring and Security with Ironstream® 1.3
Intrusion Detection
– SyslogD
Alerts
– IP Monitor
– Enterprise Extender Monitor
– FTP Control
– OSA Monitor
– Linux Monitor
Why It Matters with Splunk:
• Speed detection and triage of security events/attacks
• Streamline investigation of security incidents
• Reduce and prevent fraud
• Mitigate the risk of data breach
• Avoid IP theft
• Streamline compliance activities
• Automate routine tasks
• Consolidate security tools
Get The 360-degree View of Your Entire IT Systems
Less Complexity
– Easy to collect mainframe data and correlate with data from other platforms
– Don’t need mainframe access or mainframe expertise in using mainframe tools
Clearer Security Information
– Easier to identify unauthorized mainframe access or other security risks
Healthier IT Operations
– Real-time alerts to identify problems in all key environments like CICS, DB2, IMS, MQ
– View latency, transactions per second, exceptions and other valuable data
More Effective Problem-Resolution Management
– Real-time views of mainframe SMF data to identify real or potential failures earlier
– View related 'surrounding' information to support triage repair or prevention
Higher Operational Efficiency
– Augment legacy silo monitors with enhanced event correlation across systems
– Enable staff to resolve problems faster and “do more with less”
What Now?
Test drive Ironstream® for free now! syncsort.com/testdriveironstream
Request an Ironstream demo: syncsort.com/en/Products/Mainframe/Ironstream
More information on Ironstream: syncsort.com/ironstream
Contact us: [email protected]
Ironstream® Apps Are Now On Splunk App Store (SplunkBase)
https://splunkbase.splunk.com/
Search Syncsort
Q&A
To Watch This Webcast On-Demand, Please Visit: http://bit.ly/1P13YU2