Mainframe Customer Education Webcast: New Ironstream Facilities for Enhanced z/OS Analytics

Syncsort Mainframe Customer Education Webinar New Ironstream® Facilities For Enhanced z/OS Analytics 2Q 2017


Today’s Presenters

Ed Wrazen, Director, Mainframe Product Management, is responsible for the product strategy & roadmap for Syncsort’s Mainframe products and solutions. With a career in Enterprise IT spanning 35 years, Ed has held roles in software development, database administration, product management, consulting and marketing in global businesses and enterprise technology companies. Ed has experience in Enterprise systems architectures, performance management, database and data management technologies and is a regular speaker at industry events worldwide.

Syncsort Confidential and Proprietary - do not copy or distribute

Ed Hallock is a highly experienced Information Technology Professional with a broad experience base in software product development, support, product management, marketing, and business development. In his diverse career Ed has benefited from working for some of the largest independent software vendors, in a variety of roles, providing enterprise solutions to Global 1000 corporations. Ed has extensive experience in performance and availability management for systems and applications. He holds a bachelor’s degree in Computer Science from Montclair State University in Upper Montclair, New Jersey and has presented at numerous industry events as well as corporate related conferences and seminars.


Agenda

Introduction to Ironstream®

New Features:

– Advanced Filtering for SMF data

– Data Loss Protection

Integration with Splunk’s IT Service Intelligence

Ironstream Sample Splunk Applications


Splunk: The Industry-Leading Platform For Machine Data

Machine Data: Any Location, Type, Volume

[Diagram] Data sources: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom apps, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID, mainframe.

Deployment: on-premises, private cloud, public cloud.

Platform: platform support (apps / API / SDKs), enterprise scalability, universal indexing, developer platform.

Answer any question: report & analyze, custom dashboards, monitor & alert, ad hoc search.


Critical Mainframe Data Normalized and Streamed to Splunk with Ironstream®

[Diagram] Ironstream data sources: Log4j and file load; SYSLOG and SYSLOGD (logs, security); SMF (50+ types); RMF (up to 50,000 values); DB2; SYSOUT; live/stored SPOOL data; alerts; network components; Ironstream API for application data (Assembler, C, COBOL, REXX); USS.

Value of an End-to-End View, Inclusive of Mainframe

Extend what Splunk does already to include critical z/OS systems:

– 360° view: make the Splunk view of the enterprise complete by including mainframe data

– Same Splunk dashboards, bigger, more complete data sets; free Ironstream Splunk apps and modules

Security and Compliance/SIEM: Ensure Audits Passed

IT Operational Analytics/ITOA: Ensure Ops SLAs Met

IT Service Intelligence/ITSI: Ensure Services Health

Polling Question #1

What analytics platforms are you using today for z/OS IT operational intelligence:

Splunk

Hadoop

ELK (Elastic Stack)

Spark

Custom/Home Grown solution

None


Advanced Filtering for SMF Data


Why Filter SMF Data?

SMF volumes can be enormous – large CICS and DB2 installations can generate TBs of data daily

Transferring data that is not useful puts a strain on network and other system resources

Need to provide control over volume of SMF data processed and forwarded by Ironstream to Splunk

Need to eliminate data clutter by forwarding only those fields that are truly needed


SMF Filtering and WHERE Processing

Ability to select only desired fields within individual SMF records

– INCLUDE statement in configuration file or via field selection in the Ironstream Desktop GUI

New extension enables selection of fields based upon the value of a field

– WHERE clause in configuration file

Basic WHERE Syntax

"SELECT":"SMFnnn"

"INCLUDE":"field_1,field_2,...,field_n" (optional statement)

– If omitted, INCLUDE defaults to ALL

"WHERE":"search_condition AND/OR search_condition"

– Any number of search conditions can be specified

– If multiple search conditions are given, each must be separated by a logical AND or OR operator

– Search_condition: Field_1 operator operand

• Field_1 must be the name of a field from the SMF record

• The operator can be: EQ, NE, LT, LE, GE, GT

• Operands can be another field name, character strings, decimal values, hex values, date, time

• Wildcards supported for character strings

Examples

"DATATYPE":"SMF"

"SELECT":"SMF030"

"WHERE":"SMF30TME GT T'11:17:00.00' AND SMF30TME LT T'11:30:00.00'"

"DATATYPE":"SMF"

"SELECT":"SMF030"

"WHERE":"(SMF30JBN EQ 'WWC*' AND (SMF30_TIME_ON_ZIIP GT T'00:00:01.00' +

OR SMF30_TIME_ZIIP_ON_CP GT 0)) OR SMF30JBN EQ 'CYB*'"
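To check which records a filter keeps before it goes into the configuration file, the sketch below evaluates WHERE clauses in the syntax shown above against constructed SMF type 30 records. It is an added example, not Ironstream code, and it rejects typographic quotes pasted from a slide. Assumptions: AND binds tighter than OR, `*` wildcards follow shell-style matching, time fields are held as seconds, and hex and date operands are left out.

```python
import operator
import re
from fnmatch import fnmatchcase

# Tokens: ( ) T'hh:mm:ss.hh' 'string' and bare field names or numbers.
TOKEN = re.compile(r"\s*(\(|\)|T'[^']*'|'[^']*'|[A-Za-z0-9_.]+)")
CMP = {"EQ": operator.eq, "NE": operator.ne, "LT": operator.lt,
       "LE": operator.le, "GE": operator.ge, "GT": operator.gt}

def tokenize(where):
    if TOKEN.sub("", where).strip():   # leftovers, e.g. curly quotes
        raise ValueError("unrecognised text in WHERE clause")
    return TOKEN.findall(where)

def operand(tok, rec):
    if tok.startswith("T'"):           # time literal -> seconds
        h, m, s = tok[2:-1].split(":")
        return int(h) * 3600 + int(m) * 60 + float(s)
    if tok.startswith("'"):            # character string, may hold a wildcard
        return tok[1:-1]
    if re.fullmatch(r"\d+(\.\d+)?", tok):
        return float(tok)              # decimal value
    return rec[tok]                    # another field name

def evaluate(where, rec):
    toks, i = tokenize(where), 0
    def take(expected=None):
        nonlocal i
        if i >= len(toks) or (expected and toks[i] != expected):
            raise ValueError(f"expected {expected or 'a token'} at token {i}")
        i += 1
        return toks[i - 1]
    def condition():
        if toks[i:i + 1] == ["("]:
            take("(")
            val = or_expr()
            take(")")
            return val
        field, op, rhs = take(), take(), operand(take(), rec)
        if op not in CMP:
            raise ValueError(f"unknown operator {op!r}")
        if isinstance(rhs, str) and "*" in rhs and op in ("EQ", "NE"):
            return fnmatchcase(str(rec[field]), rhs) == (op == "EQ")
        return CMP[op](rec[field], rhs)
    def chain(word, sub, join):        # always evaluates both sides
        val = sub()
        while toks[i:i + 1] == [word]:
            take(word)
            val = join(sub(), val)
        return val
    # Assumption: AND binds tighter than OR (the slide does not say).
    def and_expr(): return chain("AND", condition, operator.and_)
    def or_expr(): return chain("OR", and_expr, operator.or_)
    result = or_expr()
    if i != len(toks):
        raise ValueError(f"trailing text after token {i}")
    return result

# Second WHERE clause from the slide, with the "+" continuation joined.
WHERE_ZIIP = ("(SMF30JBN EQ 'WWC*' AND (SMF30_TIME_ON_ZIIP GT T'00:00:01.00' "
              "OR SMF30_TIME_ZIIP_ON_CP GT 0)) OR SMF30JBN EQ 'CYB*'")
# Constructed SMF type 30 records; time fields held as seconds (assumption).
RECORDS = [
    {"SMF30JBN": "WWCPAY01", "SMF30_TIME_ON_ZIIP": 2.5, "SMF30_TIME_ZIIP_ON_CP": 0},
    {"SMF30JBN": "WWCIDLE", "SMF30_TIME_ON_ZIIP": 0.0, "SMF30_TIME_ZIIP_ON_CP": 0},
    {"SMF30JBN": "CYBSCAN", "SMF30_TIME_ON_ZIIP": 0.0, "SMF30_TIME_ZIIP_ON_CP": 0},
]

def forwarded(where, records=RECORDS):
    return [r["SMF30JBN"] for r in records if evaluate(where, r)]
```

Running a candidate clause over a sample that includes the records you must retain for audit shows immediately whether the filter would drop them.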


Data Loss Protection (DLP)


Why is DLP Needed?

To prevent loss of data forwarded by Ironstream to Splunk

– Early implementations of Splunk did not include any mechanism for ensuring that data forwarded by Ironstream was both received and successfully indexed by the Splunk platform

• If Splunk encountered an error prior to indexing the data it received from Ironstream, that data was lost even though Ironstream had successfully forwarded it

– Network failures preventing Ironstream from forwarding data for a long enough period would cause the in-storage data buffers to overflow resulting in data loss


New Feature: Data Loss Protection (DLP)

Minimizes data loss during times of network or other external failures.

Uses IBM’s Coupling Facility’s System Logger functions, and Splunk’s Indexer Acknowledgement feature.

– Splunk indexer acknowledgement feature allows Ironstream to detect when data it has forwarded has been successfully received and indexed by the Splunk platform.

Optional feature that must be enabled:

– Must define and configure a log stream within a coupling facility and make Ironstream configuration parameter changes.

– No modifications required to existing Ironstream configuration files for those customers not requiring DLP.

– More information is available in the Ironstream Configuration and Users Guide.


Ironstream SMF Processing without DLP

SMF Exits

Store data in DataStore

Extract from Data Store and normalize data

Buffers and sends data

No mechanism to ensure Splunk has indexed data received from Ironstream

Potential DataStore overflow on network or Splunk failure

Ironstream SMF Processing with DLP

SMF Exits

Store data in DataStore

Move function takes records from DS and stores in CF

Extracts from CF and normalizes data

Buffers and sends data

ACK is received from Splunk before deleting CF records

CF data is deleted only once a positive acknowledgement has been received from the Splunk indexer.

CF continues to collect and retain data during extended network or Splunk outages

Ironstream re-sends it once Splunk is active or network problems are resolved.
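The difference between the two flows above, as an added simulation that is not Ironstream or Splunk code: with `dlp` set, a record leaves the queue only on a positive acknowledgement and is re-sent later otherwise. The timeline, record names, buffer capacity and the unbounded log stream are assumptions made for the example.

```python
from collections import deque

def simulate(states, dlp, capacity=2):
    """Replay one record per tick against a constructed indexer timeline.

    states[tick] is "ok", "unreachable" (network or Splunk down) or
    "index_error" (data received but not indexed, so no acknowledgement).
    Returns (indexed, still_pending, lost).
    """
    indexed, lost = [], []
    pending = deque()   # in-storage buffer, or the log stream when dlp=True
    for tick, state in enumerate(states):
        if not dlp and len(pending) == capacity:
            lost.append(pending.popleft())      # buffer overflow during outage
        pending.append(f"rec{tick}")
        while pending and state != "unreachable":
            if state == "ok":                   # positive acknowledgement
                indexed.append(pending.popleft())
            elif dlp:
                break                           # retain until a later ack
            else:
                lost.append(pending.popleft())  # sent, never indexed, gone
    return indexed, list(pending), lost

# Constructed timeline: a four-tick outage, then one indexing error.
TIMELINE = ["ok", "ok", "unreachable", "unreachable", "unreachable",
            "unreachable", "index_error", "ok"]

def summary(dlp):
    indexed, pending, lost = simulate(TIMELINE, dlp)
    return {"indexed": len(indexed), "pending": len(pending), "lost": lost}
```

For security data such as RACF violations, the `lost` list in the non-DLP run is the gap an auditor or investigator would later find in the index.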


Polling Question #2

What analytics platforms are you considering or evaluating to use for z/OS IT operational intelligence:

Splunk

Hadoop

ELK (Elastic Stack)

Spark

Custom/Home Grown solution

Other

IT Service Intelligence (ITSI) Integration

What is Splunk IT Service Intelligence (ITSI)?

Splunk IT Service Intelligence delivers machine learning-powered analytics to simplify operations, prioritize issue resolution and provide visibility into critical services.


Delivers a central, unified view of critical IT services for powerful, data-driven monitoring

Maps critical services with KPIs to easily pinpoint what matters most

Uses machine learning to detect patterns, dynamically adapt thresholds, highlight anomalies and pinpoint areas of impact

Provides business and service context to prioritize incident investigation and triage

Supports drill downs to profile an entity and rapidly troubleshoot outages and service degradations

Ironstream ITSI Integration: Providing z/OS Metrics & Analysis to IT Service Intelligence

3 Levels

– Overall Mainframe: Central Processor Complex

– LPAR: Logical Partition (virtual machine equivalent)

– Software Components: CICS (online transaction processing); DB2 (database, typically used with CICS)

ITSI z/OS Data Sources provided by Ironstream

2 Data Sources

– Resource Measurement Facility (RMF)

– System Management Facilities (SMF)

Mainframe CPC

– CPU Load %: RMF M8D2550

– Delay %: RMF M8D0160

– I/O Rate %: RMF M8D0E90

– Service Rate %: RMF M8D1FB0

– Workflow %: RMF M8D0550

LPAR

– CPU Load %: RMF M8D0460

– Delay %: RMF M8D0160

– Free Memory %: RMF M8D0380

– Free Storage %: RMF M8D2A50

– Using %: RMF M8D04A0

– Workflow %: RMF M8D0550

CICS System & Individual Transactions

– ABENDs: SMF 110

– Response Times: SMF 110

DB2

– Deadlocks: SMF 101, IFCID 3

– Exclusive Escalations: SMF 101, IFCID 3

– Shared Escalations: SMF 101, IFCID 3

– Lock Waits: SMF 101, IFCID 3

– Timeouts: SMF 101, IFCID 3

Ironstream Desktop (IDT)

Ironstream ITSI Integration

[Diagram] Components shown: mainframe (z/OS) data sources (Log4j, file load, USS, SYSLOG and SYSLOGD logs and security, SMF 50+ types, RMF up to 50,000 values, DB2, SYSOUT, live/stored SPOOL data, alerts, network components, Ironstream API for application data in Assembler, C, COBOL and REXX); Data Forwarder; Data Collection Extension (DCE); Ironstream Desktop (IDT); TCP/IP connection, SSL or non-SSL; Splunk with Enterprise Security and IT Service Intelligence.

Ironstream ITSI Integration: Service Analyzer

KPIs provided for mainframe systems in Service Analyzer

– CEC (Central Electronic Complex), i.e. “the box”

– LPARs (logical partitions)

– Critical services

Glass Tables for visualization

Ironstream Integration with ITSI: Glass Table with 3 Level Overview

[Screenshot] Callouts: critical services; CEC (Central Electronic Complex); LPARs (logical partitions)

Ironstream Integration with ITSI: Glass Table for Online Banking Services

Ironstream Integration with ITSI: DB2 Deep Dive

Ironstream Integration with ITSI: CICS Details

Polling Question #3

What Security Information and Event Management (SIEM) platform is in use within your Enterprise:

IBM zSecure/QRadar

Correlog

Splunk Enterprise Security

HP ArcSight

LogRhythm

Other

Ironstream Splunkbase Apps


What are apps and how are they used?

Sample dashboards that utilize specific data sources to demonstrate the value of Ironstream

Downloaded from splunkbase and installed into the Splunk Enterprise environment for use with Ironstream supplied data

– 3-step simple process for a Splunk admin

1. Upload/install the app

2. Ensure an Ironstream index is defined to Splunk

3. Define the TCP/IP connection to Splunk for the Ironstream datasource

Note: Splunk admin has the ability to modify queries and reports contained within each dashboard to meet their individual requirements

Search for Ironstream or Syncsort on Splunkbase to see our apps

Ironstream Applications on splunkbase

Syslog

– RACF violations and message trends

CICS Region Monitor

– CICS Region Health Check

– CICS Region transaction rates, response times, CPU usage, & failures

MQ Monitor

– Queue depths and response time

– Message Get/Put rates and CPU use

– Ability to filter by connection name and queue name

Ironstream Applications on splunkbase

System Performance Monitor

– CEC MSU capacity alongside the 4-hour rolling average figures (4HRA) for each LPAR

– z/OS system performance data including:

• CPU utilization, memory and common storage utilization, paging rates

Dataset Analyzer

– Critical datasets to be monitored are defined via a .CSV file in Splunk

Select an app and download Product Documentation from the Details Tab

Syslog App: Benefits

View RACF violations by type and user

– Understand invalid logon attempts

– Unauthorized attempts to access datasets

Look at message trends over time to determine potential security threats

View messages by subsystem


Syslog App: RACF Violations and Message Trends

[Dashboard screenshot] Panels: RACF violations by type; RACF violations by user; trend of message volumes today vs. same time last week and 2 weeks ago

CICS App: Benefits

Monitor CICS regions and transactions supporting critical business services

Understand transaction rates, response times, and resource utilization to determine if business services are being met or impacted

Identify transaction failures that are impacting business services


CICS Region Health Check

[Dashboard screenshot] Panels: transaction response time; transaction rates; dispatch time

MQ App: Benefits

Monitor MQ connections and queues supporting critical business services

Understand message rates, response times, and resource utilization to determine if business services are being met or impacted

MQ Monitor

[Dashboard screenshot] Panels: queue response time by connection; GET and PUT CPU time by connection

System Performance App: Benefits

Monitor all critical resources for a z/OS LPAR to ensure business services are not impacted

Determine if specialty processors (zIIP) are being used to reduce general processor utilization

Monitor the 4-hour rolling average for MSUs by LPAR

System Performance Monitor

[Dashboard screenshot] Panels: 4HRA by LPAR; CEC MSUs; CPU usage by processor type

Dataset Analyzer App: Benefits

Define and monitor access to critical datasets

Determine potential security threats based on unauthorized access attempts

Ensure only authorized users are accessing critical datasets

Understand when dataset access conflicts could be impacting overall application performance

Dataset Analyzer App

[Dashboard screenshot] Panel: access by type for each critical dataset

Summary: Value Today for Enterprises with a z/OS Mainframe

Less Complexity: Collect mainframe data; correlate with data from other platforms; no mainframe expertise required

Clearer Security Information: Identify unauthorized mainframe access, other security risks; prepares and visualizes key data for compliance audits

Healthier IT Operations: Real-time alerts identify problems in all key environments; view latency, transactions per second, exceptions, etc.

Effective Problem-Resolution Management: Real-time views to identify real or potential failures earlier; view related 'surrounding' information to support triage, repair or prevention

Higher Operational Efficiency: Enhanced event correlation across systems; staff resolves problems faster; “do more with less”

Eliminate Your Mainframe “Blind-Spot”

Splunk + Ironstream = Your 360° Enterprise View

Industry Leader in Mainframe Software Products

What Now?

Get Ironstream® for SYSLOG for free

VISIT: HTTP://WWW.SYNCSORT.COM/EN/PRODUCTS/MAINFRAME/IRONSTREAM

CONTACT: [email protected]

http://www.syncsort.com/en/TestDrive/Ironstream-Starter-Edition

Thank You. Questions?