Steve Estle wrote:
> We are embarking on an endeavor to explore sending logs to a
> tool called Sumologic (sumologic.com). For those who are unaware,
> Sumologic is a competitor to Splunk and contains a very powerful real
> time log parsing analytics engine which can be used to build dashboards,
> alerts, and more. My basic question is: has anyone heard of or actually
> been involved in devising ways to send z/OS logs into Sumologic? Our
> initial efforts will be security related, but for now I am just asking if
> anyone has any experience in this realm at all. Or maybe you are
> doing something similar to Splunk?
I’m not too familiar with Sumo Logic, but they say they can ingest several different log/event feeds, notably LEEF (Log Event Enhanced Format). zSecure Alert and zSecure Audit do a great job providing LEEF (and other format) feeds to the likes of Splunk, QRadar, ArcSight, and others. Here’s an entry point into the zSecure documentation to explain more:

https://www.ibm.com/docs/en/szs/3.1.0?topic=deployment-data-preparation-siem

To set expectations a bit, even the best z/OS event feed(er), with lots of customization and enrichment options, can only partially help Sumo Logic and its users interpret, correlate, and understand z/OS-specific events. There’s a lot of work that goes into QRadar’s Device Support Modules (DSMs) and AI to understand what’s really happening in z/OS in context, and to display meaningful information to users who don’t necessarily know much about z/OS specifically. So just be prepared to do at least some work to make the feed(s) from z/OS more useful within Sumo Logic — work on both ends.

In other words, most of the value in this class of dashboarding and analysis tools is in, well, how much useful analysis they provide. Feeding the tool (even with the best feed) is only part of the story.

Metaphorically speaking, you could feed hospital-related events to a control center at a steel manufacturer. And that hospital event feed could be the world’s best feed, with lots of enriched data and everything you could ever want to know about what’s happening at the hospital. But a steel manufacturer that understands steel-related events — and maybe also nickel-related, copper-related, and car manufacturing-related events in a pinch — could be bewildered when it receives hospital-related events. True, it’s all English (or some other common language), but what does it mean when there’s a gray alert followed by a pink alert? Are those two events related? And what is a gray alert anyway? Or a pink alert?
Answering my own questions, these events could be related. “Gray” means a combative person, and “pink” means an infant abduction. But I didn’t know that until 5 minutes ago.

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
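The reply above turns on two points: the feed arrives in a structured format such as LEEF, and the receiving tool still has to know what each z/OS event id means. The following parser is an added example written for this page; it is not code from the thread, from zSecure, or from Sumo Logic. It parses LEEF 1.0 and 2.0 records (the header is pipe separated, attributes are key=value pairs separated by a tab in 1.0 or by the delimiter named in the 2.0 header), then looks each event id up in a small glossary. The vendor and product names, event ids, attribute keys and the glossary are all constructed for illustration, not real zSecure or RACF output; the point of `unexplained_event_ids` is to surface the "gray alert / pink alert" backlog that the receiving side has to work through.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records. The vendor/product names, event ids and attribute
# keys are invented for illustration; they are not zSecure, RACF or Sumo Logic output.
SAMPLE_LINES: List[str] = [
    # LEEF 2.0 with an explicit '^' attribute delimiter, behind a syslog header
    "<13>Jan 18 11:07:53 zos1 LEEF:2.0|ExampleVendor|ExampleZFeed|1.0|RACF_LOGON_FAIL|^|"
    "devTime=2024-01-18T11:07:52Z^usrName=IBMUSER^src=10.0.0.5^reason=invalid password",
    # LEEF 1.0: attributes are always tab separated
    "LEEF:1.0|ExampleVendor|ExampleZFeed|1.0|DATASET_ACCESS_VIOL|"
    "devTime=2024-01-18T11:08:10Z\tusrName=IBMUSER\tresource=SYS1.PARMLIB\taccess=UPDATE",
    # LEEF 2.0 with the delimiter given as a hex code (x09 = tab) and an id the glossary lacks
    "LEEF:2.0|ExampleVendor|ExampleZFeed|1.0|SMF_TYPE_80_OTHER|x09|"
    "devTime=2024-01-18T11:09:00Z\tusrName=IBMUSER",
]

# Constructed glossary (hypothetical): what each event id means to a z/OS person.
# Without this mapping the consumer sees "gray" and "pink" alerts it cannot interpret.
EVENT_GLOSSARY: Dict[str, Tuple[str, str]] = {
    "RACF_LOGON_FAIL": ("authentication", "medium"),
    "DATASET_ACCESS_VIOL": ("authorization", "high"),
}


def resolve_delimiter(token: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, 'xHH' is a hex code, anything else is literal."""
    if token == "":
        return "\t"
    m = re.fullmatch(r"x([0-9A-Fa-f]{2})", token)
    return chr(int(m.group(1), 16)) if m else token


def parse_attributes(blob: str, delim: str) -> Dict[str, str]:
    """Split 'k=v<delim>k=v' into a dict; values may themselves contain '=' so split once."""
    attrs: Dict[str, str] = {}
    for token in blob.split(delim):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if sep:
            attrs[key.strip()] = value
    return attrs


def parse_leef(line: str) -> Dict[str, object]:
    """Parse one LEEF 1.0 or 2.0 record, tolerating a syslog prefix before 'LEEF:'."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF record: %r" % line[:40])
    body = line[start:]
    version = body[5:body.index("|")]
    if version == "1.0":
        parts = body.split("|", 5)          # five header fields, then the attribute blob
        if len(parts) != 6:
            raise ValueError("malformed LEEF 1.0 header")
        _, vendor, product, prod_ver, event_id, blob = parts
        delim = "\t"
    elif version == "2.0":
        parts = body.split("|", 6)          # six header fields, then the attribute blob
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        _, vendor, product, prod_ver, event_id, delim_tok, blob = parts
        delim = resolve_delimiter(delim_tok)
    else:
        raise ValueError("unsupported LEEF version %r" % version)
    # Enrichment step: the receiving side's own knowledge of what the event id means.
    category, severity = EVENT_GLOSSARY.get(event_id, ("unknown", "unknown"))
    return {
        "version": version, "vendor": vendor, "product": product,
        "product_version": prod_ver, "event_id": event_id,
        "attrs": parse_attributes(blob, delim),
        "category": category, "severity": severity,
    }


def unexplained_event_ids(lines: List[str]) -> List[str]:
    """Event ids the glossary cannot interpret: the backlog for the receiving side."""
    return sorted({parse_leef(l)["event_id"] for l in lines} - set(EVENT_GLOSSARY))


if __name__ == "__main__":
    for rec in map(parse_leef, SAMPLE_LINES):
        print(rec["event_id"], rec["category"], rec["severity"], rec["attrs"])
    print("needs glossary entries:", unexplained_event_ids(SAMPLE_LINES))
```

Parsing the record is the easy half; every id that lands in the `unknown` bucket is a glossary entry someone who understands z/OS has to write before a dashboard or alert built on it means anything, which is the work "on both ends" the reply describes.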
