Mainframe Customer Education Webcast: New Ironstream Facilities for Enhanced z/OS Analytics

Syncsort Mainframe Customer Education Webinar
New Ironstream® Facilities For Enhanced z/OS
Analytics
2Q 2017

Today’s Presenters
Ed Wrazen Director, Mainframe Product Management is responsible for
the product strategy & roadmap for Syncsort’s Mainframe products and
solutions. With a career in Enterprise IT spanning 35 years, Ed has held
roles in software development, database administration, product
management, consulting and marketing in global businesses and
enterprise technology companies. Ed has experience in Enterprise
systems architectures, performance management, database and data
management technologies and is a regular speaker at industry events
worldwide.
2Syncsort Confidential and Proprietary - do not copy or distribute
Ed Hallock is a highly experienced Information Technology Professional
with a broad experience base in software product development, support,
product management, marketing, and business development. In his
diverse career Ed has benefited from working for some of the largest
independent software vendors, in a variety of roles, providing enterprise
solutions to Global 1000 corporations. Ed has extensive experience in
performance and availability management for systems and applications.
He holds a bachelor’s degree in Computer Science from Montclair State
University in Upper Montclair, New Jersey and has presented at numerous
industry events as well as corporate related conferences and seminars.

Agenda
Introduction to Ironstream®
New Features:
– Advanced Filtering for SMF data
– Data Loss Protection
Integration with Splunk’s IT Service Intelligence
Ironstream Sample Splunk Applications

Splunk: The Industry-Leading Platform For Machine Data
Syncsort Confidential and Proprietary - do not copy or distribute
Machine Data: Any Location, Type, Volume
Online
Services
Web
Services
Servers
Security GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
Apps
Messaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
RFID
On-
Premises
Private
Cloud
Public
Cloud
Platform Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Answer Any Question
Developer
Platform
Report &
analyze
Custom
dashboards
Monitor
& alert
Ad hoc
search
Mainframe
4

Critical Mainframe Data 
Normalized and Streamed to Splunk with Ironstream®
Log4jFile
Load
SYSLOG
SYSLOGD
logs
security
SMF
50+
types
RMF
Up to 50,000
values
DB2SYSOUT
Live/Stored
SPOOL Data
Alerts
Network
Components
Ironstream
API
Application Data
Assembler
C
COBOL
REXX
USS

Value of an End-to-End View, Inclusive of Mainframe
Extend What Splunk Does Already, to include critical z/OS systems:
– 360ᵒ Degree View: Make the Splunk View of the Enterprise Complete via
Including Mainframe Data
– Same Splunk Dashboards, Bigger, More Complete Data Sets; Free Ironstream
Splunk Apps and Modules
Security and Compliance/SIEM
- Ensure Audits Passed
IT Operational Analytics/ITOA
-Ensure Ops SLAs Met
IT Service Intelligence/ITSI
-Ensure Services Health

Polling Question #1
What analytics platforms are you using today for z/OS IT operational
intelligence:
 Splunk
 Hadoop
 ELK (Elastic Stack)
 Spark
 Custom/Home Grown solution
 None
7

Advanced Filtering for SMF Data

Why Filter SMF Data?
SMF volumes can be enormous – large CICS and DB2 installations can
generate TBs of data daily
Transferring data that is not useful puts a strain on network and other
system resources
Need to provide control over volume of SMF data processed and
forwarded by Ironstream to Splunk
Need to eliminate data clutter by forwarding only those fields that are
truly needed

SMF Filtering and WHERE Processing
Ability to select only desired fields within individual SMF records
– INCLUDE statement in configuration file or via field selection in the Ironstream
Desktop GUI
New extension enables selection of fields based upon the value of
field
– WHERE clause in configuration file

Basic WHERE Syntax
"SELECT":"SMFnnn"
"INCLUDE":"field_1,field_2,...,field_n" Optional Statement
– If omitted, INCLUDE defaults to ALL
"WHERE":"search_condition AND/OR search_condition“
– Any number of search conditions can be specified
– If multiple search conditions are given, each must be separated by a
logical AND or OR operator
– Search_condition: Field_1 operator operand
• Field_1 must be the name of a field from the SMF record
• The operator can be: EQ, NE, LT, LE, GE, GT
• Operands can be another field name, character strings, decimal values, hex
values, date, time
• Wildcards supported for character strings

Examples
"DATATYPE":"SMF"
"SELECT":"SMF030"
"WHERE":"SMF30TME GT T'11:17:00.00' AND SMF30TME LT T'11:30:00.00'“
"DATATYPE":"SMF"
"SELECT":"SMF030"
"WHERE":"(SMF30JBN EQ ‘WWC*' AND (SMF30_TIME_ON_ZIIP GT T’00:00:01.00’ +
OR SMF30_TIME_ZIIP_ON_CP GT 0)) OR SMF30JBN EQ ‘CYB*'"

Data Loss Protection (DLP)

Why is DLP Needed?
To prevent loss of data forwarded by Ironstream to Splunk
– Early implementations of Splunk did not include any mechanism for ensuring
that data forwarded by Ironstream was both received and successfully indexed
by the Splunk platform
• If Splunk encountered an error prior to indexing the data it received from
Ironstream, that data was lost even though Ironstream had successfully forwarded
it
– Network failures preventing Ironstream from forwarding data for a long
enough period would cause the in-storage data buffers to overflow resulting in
data loss

New Feature: Data Loss Protection (DLP)
Minimizes data loss during times of network or other external failures.
Uses IBM’s Coupling Facility’s System Logger functions, and Splunk’s
Indexer Acknowledgement feature.
– Splunk indexer acknowledgement feature allows Ironstream to detect when
data it has forwarded has been successfully received and indexed by the
Splunk platform.

New Feature: Data Loss Protection (DLP)
Minimizes data loss during times of network or other external failures.
Uses IBM’s Coupling Facility’s System Logger functions, and Splunk’s
Indexer Acknowledgement feature.
– Splunk indexer acknowledgement feature allows Ironstream to detect when
data it has forwarded has been successfully received and indexed by the
Splunk platform.
Optional feature that must be enabled….
– Must define and configure a log stream within a coupling facility and make
Ironstream configuration parameter changes.
– No modifications required to existing Ironstream configuration files for those
customers not requiring DLP.
– More information is available in the Ironstream Configuration and Users Guide.

Ironstream SMF Processing without DLP
SMF Exits
Store data in DataStore
Extract from Data Store
and normalize data
Buffers and send data
No mechanism to ensure Splunk
has indexed data received from
Ironstream
Potential DataStore overflow on
network or Splunk failure

Ironstream SMF Processing with DLP
SMF Exits
Store data in DataStore
Move function takes records
from DS and stores in CF
Extracts from CF and
normalize data
Buffers and sends data
ACK is received from Splunk
before deleting CF records
CF data only deleted from there
once a positive acknowledgement
has been received from the
Splunk indexer.
CF continues to collect and retain
data during extended network or
Splunk outages
Ironstream re-sends it once
Splunk is active or network
problems are resolved.

Polling Question #2
What analytics platforms are you considering or evaluating to use for
z/OS IT operational intelligence:
 Splunk
 Hadoop
 ELK (Elastic Stack)
 Spark
 Custom/Home Grown solution
 Other
20

IT Service Intelligence (ITSI)
Integation

What is Splunk IT Service Intelligence (ITSI)?
Splunk IT Service Intelligence delivers
machine learning-powered analytics to
simplify operations, prioritize issue resolution
and provide visibility into critical services.
 Delivers a central, unified view of
critical IT services for powerful, data-
driven monitoring
 Maps critical services with KPIs to
easily pinpoint what matters most
 Uses machine learning to detect
patterns, dynamically adapt
thresholds, highlight anomalies and
pinpoint areas of impact
 Provides business and service
context to prioritize incident
investigation and triage
 Supports drill downs to profile an
entity and rapidly troubleshoot
outages and service degradations

Ironstream ITSI Integration
Providing z/OS Metrics & Analysis to IT Service Intelligence
3 Levels
Overall Mainframe Central Processor Complex
LPAR Logical Partition (virtual machine equivalent)
Software Components
 CICS online transaction processing
 DB2 database, typically used with CICS

ITSI z/OS Data Sources provided by Ironstream
2 Data Sources
- Resource Measurement Facility (RMF)
- System Management Facilities (SMF)
Mainframe CPC
CPU Load % RMF M8D2550
Delay % RMF M8D0160
I/O Rate % RMF M8D0E90
Service Rate % RMF M8D1FB0
Workflow % RMF M8D0550
LPAR
CPU Load % RMF M8D0460
Delay % RMF M8D0160
Free Memory % RMF M8D0380
Free Storage % RMF M8D2A50
Using % RMF M8D04A0
Workflow % RMF M8D0550
CICS System & Individual Transactions
ABENDs SMF 110
Response Times SMF 110
DB2
Deadlocks SMF 101, IFCID 3
Exclusive Escalations SMF 101, IFCID 3
Shared Escalations SMF 101, IFCID 3
Lock Waits SMF 101, IFCID 3
Timeouts SMF 101, IFCID 3
Ironstream Desktop (IDT)

Mainframe
TCP/IP
SSL or non-SSL
Data Forwarder DCE IDT
Ironstream DesktopData Collection Extension
Data ForwarderData Forwarder
DB2SYSOUT
Live/Stored
SPOOL Data
Alerts
Network
Components
Ironstream API
Application Data
Assembler
C
COBOL
REXX
USSLog4jFile
Load
z/OS
SYSLOG
SYSLOGD
logs
security
SMF
50+
types
RMF
Up to 50,000
values
Enterprise
Security
IT Service
Intelligence SPLUNK

Service Analyzer
26
KPIs provided for
mainframe systems in
Service Analyzer
– CEC (Central
Electronic Complex),
i.e. “the box”
– LPARs (logical
partitions)
– Critical services
Glass Tables for
visualization

Ironstream Integration with ITSI
Glass Table with 3 Level Overview
27
Critical services
CEC (Central
Electronic Complex)
LPARs (logical
partitions)

Glass Table for Online Banking Services
28

DB2 Deep Dive
29

CICS Details
30

Polling Question #3
What Security Information and Event Management (SIEM) platform is in
use within your Enterprise:
 IBM zSecure/QRadar
 Correlog
 Splunk Enterprise Security
 HP Arcsight
 Logrythm
 Other

Ironstream Splunkbase Apps

What are apps and how are they used?
Sample dashboards that utilize specific data sources to demonstrate
the value of Ironstream
Downloaded from splunkbase and installed into the Splunk Enterprise
environment for use with Ironstream supplied data
– 3-step simple process for a Splunk admin
1. Upload/install the app
2. Ensure an Ironstream index is defined to Splunk
3. Define the TCP/IP connection to Splunk for the Ironstream datasource
Note: Splunk admin has the ability to modify queries and reports
contained within each dashboard to meet their individual
requirements

Search on Ironstream or Syncsort in splunk base to see our apps

Ironstream Applications on splunkbase
Syslog
– RACF violations and message trends
CICS Region Monitor
– CICS Region Health Check
– CICS Region transaction rates, response times, CPU usage, & failures
MQ Monitor
– Queue depths and response time
– Message Get/Put rates and CPU use
– Ability to filter by connection name and queue name

Ironstream Applications on splunkbase
System Performance Monitor
– CEC MSU capacity alongside the 4-hour rolling average figures (4HRA) for each
LPAR
– z/OS system performance data including:
• CPU utilization, memory and common storage utilization, Paging rates
Dataset Analyzer
– Critical datasets to be monitored are defined via a .CSV file in Splunk

Select an app and download Product Documentation from the Details Tab

Syslog App: Benefits
View RACF violations by type and user
– Understand invalid logon attempts
– Unauthorized attempts to access datasets
Look at message trends over time to determine potential security
threats
View messages by subsystem

Syslog App: RACF Violations and Message Trends
Syncsort Confidential and Proprietary - do not copy or distribute 39
RACF Violations by type RACF Violations by user
Trend message volumes today vs. same time last week and 2 weeks ago

CICS App: Benefits
Monitor CICS regions and transactions supporting critical business
services
Understand transaction rates, response times, and resource utilization
to determine if business services are being met or impacted
Identify transaction failures that are impacting business services

CICS Region Health Check
Syncsort Confidential and Proprietary - do not copy or distribute 41
Transaction Response Time Transaction Rates
Dispatch Time

MQ App: Benefits
Monitor MQ connections and queues supporting critical business
services
Understand message rates, response times, and resource utilization to
determine if business services are being met or impacted

MQ Monitor
Queue Response Time by Connection
GET and PUT CPU Time by Connection

System Performance App: Benefits
Monitor all critical resources for a z/OS LPAR to ensure business
services are not impacted
Determine if specialty processors(zIPP) are being used to reduce
general processor utilization
Monitor the 4-hour rolling average for MSUs by LPAR

System Performance Monitor
4HRA by LPAR CEC MSUs
CPU usage by processor type

Dataset Analyzer App: Benefits
Define and monitor access to critical datasets
Determine potential security threats based on unauthorized access
attempts
Ensure only authorized users are accessing critical datasets
Understand when dataset access conflicts could be impacting overall
application performance

Dataset Analyzer App
Access by type for each critical dataset

Summary: Value Today for Enterprises with a z/OS Mainframe
Syncsort Confidential and Proprietary - do not copy or distribute
Less Complexity
Collect mainframe data; correlate
with data from other platforms; no
mainframe expertise required
Clearer Security Information
Identify unauthorized mainframe
access, other security risks; prepares
and visualizes key data for
compliance audits
Healthier IT Operations
Real-time alerts identify problems in
all key environments View latency,
transactions per second, exceptions,
etc.
Effective Problem-Resolution
Management
Real-time views to identify real or
potential failures earlier; view related
'surrounding' information to support
triage repair or prevention
Higher Operational Efficiency
Enhanced event correlation across
systems; Staff resolves problems faster;
“do more with less”
Eliminate Your Mainframe
“Blind-Spot”
Splunk + Ironstream = Your 360ᵒ
Enterprise View

Industry Leader in Mainframe
Software Products

What Now?
50
Get Ironstream® for SYSLOG for free
VISIT:
HTTP://WWW.SYNCSORT.COM/EN/PRODUCTS/MAINFRAME/IRONSTREAM
CONTACT:
INFO@SYNCSORT.COM
http://www.syncsort.com/en/TestDrive/Ironstream-Starter-Edition

Mainframe Customer Education Webcast: New Ironstream Facilities for Enhanced z/OS Analytics

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Mainframe Customer Education Webcast: New Ironstream Facilities for Enhanced z/OS Analytics

Ähnlich wie Mainframe Customer Education Webcast: New Ironstream Facilities for Enhanced z/OS Analytics (20)

Mehr von Precisely

Mehr von Precisely (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Mainframe Customer Education Webcast: New Ironstream Facilities for Enhanced z/OS Analytics