© 2016 IBM Corporation
IT Analytics: Real-time access to SMF and z/OS log data for the analysis of operational data
Architektentage, IBM Böblingen
16 November 2016
Jost Mumm Leading Technical Sales Professional
+49 / 171 / 304 59 40
Why should I care?
Costs and outages are top of mind for clients
A recent survey of z Systems clients showed cost reduction and outage prevention as the top 2 factors where they want to focus operational efforts. (Analyst firm IDC)
Predictive analytics for proactive outage prevention
Use machine learning to predict problems before they happen
Improve time-to-resolution for day-to-day operational issues
The need for near-real-time data means this makes sense delivered on-premise
Why should I care?
Increase operational efficiency
Quickly search large volumes of log data from a single search bar
Perform log analysis with patterns while searching
Correlate messages from multiple logs for end-to-end problem diagnosis
Focus on accessibility for newer mainframe users with in-built expertise and advice
Overcome different responsibilities or missing access authorities
IT Analytics your way: Smarter data handling
Unleashing z operational data: you should be able to send it where you need it
Clients need a simple way to pull important system diagnostic data one time
z Operational Analytics Strategy *
[Diagram: Delivering z/OS data to multiple consumers. Layers: Insights, Platform, Data. Labels: z/OS; SMF; Logs; Metrics; API; Common Data Provider; IBM zAware; Anomaly Detection; Predictive Services framework; Cognitive; Watson Analytics; Systems and Domain focus; IBM Operational Analytics - On-Premise; IBM z Operational Insights - SaaS; z Operational Insights multi platform and Actionable, SaaS and On Premise; Other IBM consumers (IDAA, zSecure, IBM zAware); IBM and non-IBM platforms; Non-IBM platforms; Cloud; other. Eco system enablement w/Partners: Broader IBM, Rocket (ISV), Fundi (ISV).]
* Statements regarding IBM future direction and intent are subject to change or withdrawal, and represent goals and objectives only.
What is IBM zAware?
[Figure: problem timelines with and without IBM zAware. Stages in both: Application Steady State, Problem, Decide what to do, shutdown, gathering of diagnostic information, restart, Business Impact. With IBM zAware: Detect changing conditions; More Precise Corrective Action. Without IBM zAware: Little advanced warning; Often, Multiple Attempts to Correct Problem.]
[Figure: IBM zAware host (IBM zAware Host Partition), IBM zAware monitored clients (zOS, Linux, zKVM, zVM) and the IBM zAware Web GUI to monitor results.]
IBM z Advanced Workload Analysis Reporter
Delivers pattern recognition analytics applied to system log messages
– Helps diagnose major problems while they are occurring in near real time
– Heightens awareness of small problems before they become big problems
– Reduces mean time to recovery
IBM zAware – Near real-time message analysis & anomaly detection Drilling down into a z/OS Sysplex
IBM zAware – Internal View Anomalous messages at the top & showing ability to link to message history
IBM zAware – All instances of a message known to zAware
Inside IBM zAware
Incoming log is processed (OPERLOG)
– Including messages from IBM and non-IBM products and customer applications
Summarizes common message text and records the occurrences
A sliding minute window is used to generate the current score for the system.
– 10 minute window for z/OS, 60 for Linux
The current score is updated every 2 minutes
Builds a model of normal behavior based on recent baseline data (called “Training”)
– Automatically re-trains every 30 days (configurable and can be forced)
– Unusual days can be excluded from future models
– Compares each system against the model
Assigns a message anomaly score to indicate deviation from the model
– Message rarity, Out of context from normal patterns, High counts, Periodicity
Results are stored in XML files on the partition (Secure Service Container)
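A simplified illustration of the scoring loop this slide describes, as an added example that is not IBM zAware's algorithm or code: a baseline of message-ID frequencies is "trained" from past windows, then a 10-minute sliding window is re-scored every 2 minutes using message rarity and unusually high counts. The scoring formula, the placeholder message IDs and the sample timestamps are constructed assumptions.

```python
import math
from collections import Counter

WINDOW_S = 10 * 60  # slide: 10 minute window for z/OS
STEP_S = 2 * 60     # slide: the current score is updated every 2 minutes

def train(baseline_windows):
    """Model of normal behaviour: per message ID, the share of training
    windows containing it and its highest count in any one window."""
    seen, peak = Counter(), Counter()
    for ids in baseline_windows:
        for mid, count in Counter(ids).items():
            seen[mid] += 1
            peak[mid] = max(peak[mid], count)
    return {m: (seen[m] / len(baseline_windows), peak[m]) for m in seen}

def score_window(model, ids):
    """Assumed formula: rarity in bits plus a term for counts above the peak."""
    score = 0.0
    for mid, count in Counter(ids).items():
        share, peak = model.get(mid, (0.0, 0))
        rarity = -math.log2(max(share, 1 / 1024))  # never-seen ID = 10 bits
        burst = max(0, count - peak)               # occurrences beyond baseline
        score += rarity + math.log2(1 + burst)
    return round(score, 2)

def sliding_scores(model, events, start, end):
    """events: (epoch_seconds, message_id) pairs. Scores the window
    (t - WINDOW_S, t] at every STEP_S from start + WINDOW_S up to end."""
    scores = []
    for t in range(start + WINDOW_S, end + 1, STEP_S):
        ids = [mid for ts, mid in events if t - WINDOW_S < ts <= t]
        scores.append((t, score_window(model, ids)))
    return scores

# Constructed sample data: placeholder message IDs, not real z/OS messages.
BASELINE = [["APP001I", "APP002I"], ["APP001I", "APP001I", "APP002I"],
            ["APP001I"], ["APP001I", "APP002I"]]
EVENTS = [(60, "APP001I"), (300, "APP002I"), (650, "APP001I"),
          (700, "APP900E"), (710, "APP900E"), (715, "APP900E"),
          (900, "APP002I")]

if __name__ == "__main__":
    model = train(BASELINE)
    for t, s in sliding_scores(model, EVENTS, 0, 1800):
        print(f"t={t:>4}s score={s}")
```

The burst of the never-trained ID raises the score for as long as it stays inside the window, and the score falls back once those messages age out.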
Common Data Provider for z Systems
Common Data Provider for z Systems – Architecture
Common Data Provider for z Systems – Streamed SMF Data
APAR OA49263 for z/OS V2.1 or V2.2
Common Data Provider for z Systems – Streamed Log and File Data
Common Data Provider for z Systems – Batch Gatherer
z/OS data ingestion pipeline
[Diagram: System Data Engine and z/OS Log Forwarder → CDPz Data Streamer → Logstash (tcp input, output plugin) → Log Analysis]
System Data Engine collects SMF data and forwards it to the CDPz Data Streamer
z/OS Log Forwarder collects log data and forwards it to the CDPz Data Streamer
CDPz Data Streamer transforms log and SMF data to UTF-8 and forwards it to Logstash using the TCP protocol
Logstash receives data using the tcp input plugin and forwards it to the Log Analysis server using the ioaz output plugin
Logstash input / output plugins: https://www.elastic.co/guide/en/logstash/current/index.html
CDP Configuration – easy with web based graphical editor New, z/OSMF based configuration utility
CDP Configuration – easy with web based graphical editor Add and configure sources, transforms and subscribers
Near real time access to Analytics Data with IBM Common Data Provider for z Systems
A single source for all operational data streamed to the analytics platform of choice
CDP answering the call for consumable, near real time operational data
• Web-based interface to easily configure sources, transforms and destinations
• Data gatherers on the HOST easily installed in minutes
• Data available both on and off platform in near real time or batch mode
Built to improve the ability to manage the growing complexity of data requests:
• All standard IBM SMF records can be collected in readable, consumable CSV format
• Collect once – write many saves time and money
• Open standard makes analytical data available to IBM and non-IBM analytics platforms
First consumer: SMF and log data streamed to IOAz for a complete view of the enterprise
Tivoli Decision Support for z/OS customers can write their SMF data direct to IDAA
• Operational and storage savings
• Key performance metrics available in near real time
• Access to the IDAA high speed query engine
IBM Operations Analytics for z Systems – Log Analysis
Collects large volumes of structured and semi-structured data and transforms it through analytics into actionable intelligence.
[Diagram labels: Logs, Metrics, Events, Docs; IT Operations, App Support, Service Desk; Search and Visualize; Insight Packs]
IBM Operations Analytics for z Systems
[Architecture diagram. Sources on the Mainframe (z/OS, zLinux): WAS SYSPRINT, WAS SYSOUT, DB2, DB2 App, Syslog, z/OS Syslog, Web Access Log, CICS MSGUSR, CICS EYULOG, USS Log Files, Joblogs, VSAM ESDS, NetView Netlog, SMF Data, Other Logs. Collection: Common Data Provider for z Systems, ITM Log File Agent, Logstash, Log collection agents *. Secure Service Container (SSC): IBM zAware. Operations Analytics server (Linux on x, p, z): Generic Receiver, zAware Data Gatherer, Annotater, Indexer, z/OS Insight Packs, Distrib. Insight Packs, Custom Insight Packs, Search, Dashboards, Problem Insights, Alerts; Current Tier, Archive Tier, Hadoop Tier. Netcool OMNIbus: Events.]
* Possible log collection agents: syslogd, Elastic Filebeat, Logstash, etc.
IBM Operations Analytics for z Systems V3.1 IBM’s latest z IT Analytics solutions
Predictive analytics and enhanced log analysis for proactive outage prevention
– The first generation focused on log analytics and search
– Integration of zAware adds machine learning for predictive analytics and anomaly detection, for outage prevention paired with comprehensive root cause analysis with recommended actions
IT Analytics your way: Smarter data handling
– A single source for z/OS Operational Data in a flexible, consumable format both on- and off-platform
– Can supply data to IBM analytics solutions, as well as other analytics platforms such as Splunk