Government Agencies Using Splunk: Is Your Critical Data Missing?
0 likes154 views
The document discusses the integration of Splunk with mainframe and IBM i servers through Ironstream, allowing organizations to collect and analyze crucial operational log data for better monitoring and compliance. It highlights the complexities and challenges of traditional data sources, emphasizing the importance of real-time analytics for security and operational efficiency. A case study illustrates how a federal agency improved its security auditing capabilities and compliance by acquiring complete visibility over mainframe data using Ironstream.
Government Agencies Using Splunk: Is Your Critical Data Missing?
- 1. Government Agencies Using Splunk: Is Your Critical Data Missing? Bill Hammond, Product Marketing John de Saint Phalle, Sales Engineering
- 2. Mainframes & IBM i servers adapt and deliver increasing value with each new technology wave 91%of executives predict long-term viability of the mainframe as the platform continues evolving to meet digital business demands >100kcompanies today use IBM i technology to run significant workloads & power critical business applications BMC 12th Annual Mainframe Research Results – Nov. 2017 Syncsort 2018 State of Resilience: The New IT Landscape for Executives: Threats, Opportunities and Best Practices.” Jan. 2018 that’s 2,500,000,000 -- business transactions per mainframe per day 2000+ organizations overall 2.5 B
- 3. Market Landscape and Key Concepts: Data Analytics Challenges So many data sources Mainframe: Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets IBM i: QAUD Journal, QHIST, Message Queues, Database Journals Format of data Mainframe: • Complex data structures (SMF) with headers, product sections, data sections, variable length and self- describing • EBCDIC not recognized outside of the mainframe world • Binary flags and fields IBM i: • Complex data structures with unique journal entry types, headers, product sections, data sections, variable length and self-describing • IBM i journals are held in DB2 • Performance Collection Services • IBM i information needs to be converted to workable formats such as JSON, Syslog, CEF etc. Volume of data Millions of log records generated daily • 9.7TB Average Daily Mainframe Log Data Difficulty to get the information in a timely manner • Not real-time, typically have to wait overnight for an offload • Typical daily FTP upload/downloads can’t get granular
- 4. Ironstream
- 5. Ironstream = One Product
- 6. Ironstream Solutions Application/System Monitoring • Monitor operational status of enterprise IT infrastructure • Make better decisions to take control of the IT infrastructure • Monitor Resource utilization and availability • Problem Detection & Isolation • Ensure SLAs are met • Reduce MTTI, MTTR • System Health Monitoring with Splunk IT Service Intelligence Security and Compliance • Detect and prevent security threats • Privileged activity • Ensure compliance • Ensure audits pass • Enterprise Security Monitoring with Splunk ES
- 7. • High performance, low-cost, platform for collecting critical system information in real-time • Normalization of the z/OS and IBM i data so it can be used by off platform analytics engines • Full analytics, visualization, and customization with no limitations on what can be viewed • Ability to easily combine information from different data sources and systems • Address the SME challenge: use by network managers, security analysts, application analysts, enterprise architects without requiring mainframe access or expertise What does Ironstream® deliver?
- 8. Syncsort Ironstream for IBM z and IBM i • Enabling organizations to get machine data from System z and IBM i to Splunk for log analytics. • Extend What Splunk Does Already, to the Other ~40%-80% of IT Processing • 360ᵒ Degree View: Make the Splunk View of the Enterprise Complete • Same Splunk Dashboards, Bigger, More Complete Data Sets; Free Apps
- 9. Why Ironstream Less Complexity Collect mainframe and IBM i data; correlate with data from other platforms; no legacy system expertise required Clearer Security Information Identify unauthorized mainframe and IBM i server access, other security risks; prepares and visualizes key data for compliance audits Healthier IT Operations Real-time alerts identify problems in all key environments View latency, transactions per second, exceptions, etc. Effective Problem-Resolution Management Real-time views to identify real or potential failures earlier; view related 'surrounding' information to support triage repair or prevention Higher Operational Efficiency Enhanced event correlation across systems; Staff resolves problems faster; “do more with less” Eliminate Your Mainframe and IBM i “Blind-Spots” Splunk/Elastic + Ironstream = Your 360ᵒ Enterprise View
- 10. Ironstream Demo
- 12. Federal Agency Meets Audit & Information Security Requirements with Syncsort Ironstream Challenge: Needed to collect and analyze operational log data from all of its many IT systems to meet ever- changing compliance requirements. The agency was (and is) using Splunk Enterprise but was missing critical Mainframe log data including: • Extremely sensitive authentication information • Enterprise-wide details on password changes, log-in successes and failures • Accounts being locked out of the mainframe systems. Results: With Syncsort Ironstream they have real-time enterprise-wide visibility into the most sensitive authentication procedures and data across their IT environment: The agency is now able to audit for unusual activity at the individual user levels, helping them detect security exposures such as: • Access from an unusual location, unusual network zone, or unusual time of day. • Changes to user privileges and rights. • Excessive data transmissions. • Unusual movement of data.
- 13. Q&A