
Big Data Analytics for Real-time Operational Intelligence with Your z/OS Data
Splunking Your z/OS Mainframe

Ed Hallock
Director, Product Management

Housekeeping

Webcast Audio:
Today's webcast audio is streamed through your computer speakers.
If you need technical assistance with the web interface or audio, please reach out
to us using the chat window.
Questions Welcome:
Submit your questions at any time during the presentation using the chat window.
We will answer them during our Q&A session following the presentations.
Recording and Slides:
This webcast is being recorded. You will receive an email following the webcast
with a link to download both the recording and the slides.

2016 Syncsort Incorporated


Agenda

Big Iron to Big Data Analytics Challenge

Splunking Your Mainframe Data

Introducing Ironstream
Ironstream for z/OS and Enterprise Security
Ironstream for IT Operations Analytics
Ironstream for IT Service Intelligence

Ironstream apps on Splunkbase and the Ironstream Starter Edition

Q&A

Syncsort Confidential and Proprietary - do not copy or distribute
Big Iron to Big Data Analytics Challenge

So many data sources
SMF, Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
Volume of data
Millions of SMF records generated daily
Format of data
Complex data structures (SMF) with headers, product sections, data sections, variable length and self-describing
EBCDIC not recognized outside of the mainframe world
Binary flags and fields
Difficult to get the information in a timely manner
Not real-time, typically have to wait overnight for an offload

What Has Been Done in the Past?

Performance Monitors
Proactively analyze and manage z/OS operating systems, databases, and other z/OS sub-systems for optimal performance
Very good at detecting bottlenecks and other potential performance problems in z/OS, CICS, IMS, DB2, MQ, Storage, etc.
Most include historical reporting and trending facilities, but that is typically limited to a subset of the data that the monitor collects
Capacity Planning Tools
Next day, next week, next month reporting of offloaded SMF data
Event Management Systems
Alert management
Challenges with these Legacy Technologies

Tend to have fixed displays with little room for customization of how an end-user can see the data provided
The interface(s) to these products have traditionally been closed and proprietary
Limited view into security issues and threats
Limited ability to monitor business services and provide service-level intelligence
They typically have a silo approach: a monitor for DB2, another monitor for CICS, etc. without any real correlation between the different pieces
Require Subject Matter Experts (SMEs) with in-depth technical knowledge of z/OS and its sub-systems in order to effectively use the products
Most have evolved into very complex and resource-intensive solutions in an attempt to cover every aspect of the systems they monitor

What is Needed?

High-performance, low-cost platform for collecting critical system information in real-time
Normalization of the z/OS data so it can be used by off-platform analytics engines
Full analytics, visualization, and customization with no limitations on what can be viewed
Ability to easily combine information from different data sources and systems
Address the SME challenge: use by network managers, security analysts, application analysts, enterprise architects without requiring mainframe access or expertise

Splunking Your Mainframe Data into
The Industry-Leading Platform For Machine Data

[Diagram: Machine Data: Any Location, Type, Volume (on-premises, private cloud, public cloud; online services, web services, servers, security, GPS location, networks, packaged applications, desktops, storage, messaging, custom apps, RFID, telecoms, mainframe, online shopping cart, energy meters, databases, web clickstreams, call detail records, smartphones and devices) feeding the platform to Answer Any Question (ad hoc search, monitor & alert, report & analyze, custom dashboards, developer platform). Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing.]
Critical Mainframe Data
Normalized and Streamed to Splunk with Ironstream

[Diagram: data sources collected by Ironstream: SYSLOG, SYSLOGD, logs, security; SMF (50+ types); RMF (up to 50,000 values); File Load; Log4j; SYSOUT (Live/Stored SPOOL Data); DB2; USS; Alerts; Network Components; Application Data via the Ironstream API (Assembler, C, COBOL, REXX).]
Ironstream: Architectural Overview

Enterprise Security

TCP/IP
(SSL) ACK
Mainframe
z/OS
DataForwarder
Data Forwarder DCE IDT
Data Forwarder
Data Collection Extension Ironstream Desktop

SYSLOG SMF RMF File Log4j SYSOUT DB2 USS Alerts Ironstream API
SYSLOGD Load
Assembler
logs C
COBOL
security REXX

50+ Up to 50,000 Live/Stored Network Application Data


types values SPOOL Data Components

Primary Use Cases for z/OS Log Data

Use cases: IT Operational Analytics (ITOA), IT Service Intelligence (ITSI), Security & Compliance

Mainframe Application                      Related Mainframe Logs
Operator logs for DB2, CICS, IMS, etc      Syslog, SMF
DB2 Accounting Records                     SMF Type 101
CICS Accounting Records                    SMF Type 110
WebSphere                                  Log4j
Job / Step Accounting Records              SMF Type 30
RACF                                       SMF Type 80
Intrusion Detection                        SyslogD
IRONSTREAM Z/OS SECURITY &
SPLUNK ENTERPRISE SECURITY
Security Issues You Can Monitor with Ironstream

Intrusion Detection
TSO logon tracking
TSO account change activity
FTP authentications and file transfers
IP traffic analysis
Network events

Ironstream z/OS Security App

All data sources collected by Ironstream are exposed in an application focused on z/OS security only
This app shows z/OS mainframe security data and is NOT an enterprise-wide integrated view

z/OS Security Dashboard

Intrusion Detection showing Port Scans and Denial of Service Attacks

TCP/IP Network Traffic

z/OS Security Dashboard

TSO Account Activity


TSO Lockouts

Job Initiations
FTP Transfer Activity
FTP Session Activity

Ironstream z/OS Security & Splunk Enterprise Security App

All collected data sources can also be mapped to Splunk CIM for Enterprise Security and automatically exposed in ES dashboards along with security information from other platforms
Requires the Ironstream TA for Splunk Enterprise Security to be installed
Provides an enterprise-wide, integrated view of security across all platforms via ES dashboards provided by Splunk

Sample Intrusion Center Dashboard With Splunk Enterprise Security

Now shows z/OS intrusions and anomalies along with events from other platforms

Sample Security Posture Dashboard With Splunk Enterprise Security

Now shows z/OS intrusions and anomalies along with events from other platforms

IT OPERATIONS ANALYTICS

What Can You Do with IT Operations Analytics?

View RACF violations by type and user


Look at message trends over time to determine potential security threats
Monitor completion of critical batch JOBs
Monitor CICS regions and transactions supporting critical business services
Monitor DB2 database lock contention
Monitor MQ connections and queues
Define and monitor access to critical datasets
Monitor all critical resources for a z/OS LPAR

And much more!!!

Operational Analytics: RACF Violations and Message Trends
Data Source: SYSLOG

Dashboard panels: RACF Violations by type; RACF Violations by user; Trend message volumes today vs. same time last week and 2 weeks ago

Operational Analytics: Job Monitor for SLA Tracking
Data Source: SMF Type 30

Track JOB execution against defined service levels and identify JOBS that are at risk of non-compliance with service level agreement target
Drill down to predecessor JOBS

Application Monitoring: DB2 Performance
Data Source: SMF Type 100, 101, 102
Dashboard panels: Logging Rate; Uncommitted Records by Plan; Lock State Escalations; Lock Contention; Unavailable Resources

Application Monitoring: CICS Transaction Analysis
Data Source: SMF Type 110
Dashboard panels: Transaction Rates; CPU Usage by Transaction; Transaction Response Time; Transaction Failures

IT SERVICE INTELLIGENCE (ITSI)
Why is IT Service Intelligence Critical?

Need to understand what critical IT services are dependent upon which IT resources and components
What are the Key Performance Indicators (KPIs) for IT components comprising an IT service
How is the performance of an IT resource or component affecting a critical IT service

Ironstream Integration with Splunk ITSI

KPIs provided for mainframe systems in Service Analyzer
CEC (Central Electronic Complex), i.e. the box
LPARs (logical partitions)
Critical services
Glass Tables for visualization
Ironstream ITSI Glass Table for Mainframe
Ironstream ITSI Glass Table for Online Banking Service
Value Today for Organizations with a z/OS Mainframe

Less Complexity
Collect mainframe data; correlate with data from other platforms; no mainframe expertise required

Clearer Security Information
Identify unauthorized mainframe access, other security risks

Healthier IT Operations
Real-time alerts identify problems in all key environments
View latency, transactions per second, exceptions, etc.

More Effective Problem-Resolution Management
Real-time views to identify real or potential failures earlier
View related 'surrounding' information to support triage repair or prevention

Higher Operational Efficiency
Enhanced event correlation across systems
Staff resolves problems faster; can do more with less

Eliminate Your Mainframe Blind-Spot
Splunk + Syncsort Ironstream for Your 360 Enterprise View

Ironstream Apps Are Now On Splunk App Store (splunkbase)

https://splunkbase.splunk.com/
Search Syncsort

Ironstream Applications on splunkbase

Syslog
RACF violations and message trends
CICS Region Monitor
CICS Region Health Check
CICS Region transaction rates, response times, CPU usage, & failures
MQ Monitor
Queue depths and response time
Message Get/Put rates and CPU use
Ability to filter by connection name and queue name

Additional information for each application is available via download on splunkbase, as well as via Product Documentation under Resources at www.Syncsort.com
Ironstream Applications on splunkbase

System Performance Monitor
CEC MSU capacity alongside the 4-hour rolling average figures (4HRA) for each LPAR
z/OS system performance data including: CPU utilization, memory and common storage utilization, Paging rates
Dataset Analyzer
Critical datasets to be monitored are defined via a .CSV file in Splunk

Get Ironstream for SYSLOG for free

http://www.syncsort.com/en/TestDrive/Ironstream-Starter-Edition

THANK YOU!
