The situation
Have you ever, in your life, heard a good sentence that
started with: “So, we have this mainframe... that has logging and compliance requirements…”
Yeah, me neither. But this was a unique situation that required a quick and creative
solution, and it needed to be done yesterday. Cue the horror music.
In summary: We needed to quickly log and make sense of mainframe data
for reporting and compliance reasons. The mainframe did not support external
logging such as syslog. However, the mainframe could produce a CSV file and
that file could be scheduled to upload to an FTP server (Not SFTP, FTPS, or SCP). Yikes!
Possible solutions
We could stand up an FTP server and use the Splunk Universal
forwarder to monitor the FTP upload directory, but we did not have extra
hardware or virtual capacity readily available. After a quick Google search, we
ran across this little gem of an app called the Splunk FTP Receiver app (written
by Luke Murphey): https://splunkbase.splunk.com/app/3318/.
This app cleverly runs a Python FTP server from within Splunk itself, and best of all, it
authenticates FTP logins against Splunk’s own user accounts and role-based access controls.
How it worked
At a high level, here are the steps involved:
- Install the FTP Receiver app: https://splunkbase.splunk.com/app/3318/
- Create an index for the mainframe data (Settings -> Indexes -> New -> Name: mainframe)
- Create an FTP directory for the uploaded files (mkdir /opt/splunk/ftp)
- Create an FTP data input (Settings -> Data Inputs -> Local Inputs -> FTP -> New -> name: mainframe, port: 2121, path: ftp, sourcetype: csv, index: mainframe); the path is the upload directory created in the previous step
- Create a role that carries the ftp_write capability (Settings -> Access Controls -> Roles: Add new -> Name: ftp_write, Capabilities: ftp_write)
- Create a dedicated Splunk user for the mainframe’s FTP login (Settings -> Access Controls -> Users: Add new -> Name: mainframe, Assign to roles: ftp_write); give it only this role, not the default user role, so the credential the mainframe sends in clear text can do nothing but upload
- Configure the mainframe to send to the FTP Receiver app port (on your own for that one)
- Create a local data input that monitors the FTP upload directory and ingests the files as CSV (Settings -> Data inputs -> Local inputs -> Files and Directories -> New -> Browse to /opt/splunk/ftp -> Continuously monitor -> Sourcetype: csv, index: mainframe)
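Once the steps above are in place, the quickest way to prove the whole chain works is to push a known CSV through it and count what lands in the index. The script below is an added example, not code from the original post, from the FTP Receiver app or from Splunk: it builds a small constructed CSV, uploads it over plain FTP to the receiver port with Python's ftplib, then runs a one-shot search through Splunk's REST API and compares the event count with the number of rows sent. The host names, credentials, management URL and the CSV columns are assumptions standing in for the real environment.

```python
"""Smoke-test the mainframe -> FTP Receiver -> monitor -> index pipeline.

Added example: not code from the original post, the FTP Receiver app or Splunk.
Host names, ports, credentials and the CSV columns are assumptions that stand
in for the real environment.
"""
import base64
import csv
import io
import json
import ssl
import time
import urllib.parse
import urllib.request
from ftplib import FTP

FTP_HOST = "splunk.example.internal"   # assumed: the Splunk host running FTP Receiver
FTP_PORT = 2121                        # the port chosen for the FTP input in the post
FTP_USER = "mainframe"                 # the Splunk user that holds the ftp_write role
FTP_PASS = "replace-me"                # assumed; plain FTP sends this in clear text
SPLUNK_MGMT = "https://splunk.example.internal:8089"  # assumed management URL
SPLUNK_AUTH = ("admin", "replace-me")  # assumed; any account that can search index=mainframe
COLUMNS = ["timestamp", "job", "user", "return_code"]  # assumed mainframe CSV layout


def build_sample_csv(rows):
    """Render rows (dicts keyed by COLUMNS) as header-first CSV text,
    the shape the sourcetype=csv input in the post expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def csv_is_well_formed(text):
    """True when every data row has the header's column count. A ragged
    file is the usual reason the csv sourcetype yields events with no fields."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return False
    width = len(rows[0])
    return all(len(row) == width for row in rows[1:])


def upload_csv(text, filename):
    """Store text on the FTP Receiver over plain FTP, as the mainframe job does,
    and return True if the server then lists the file."""
    with FTP() as ftp:
        ftp.connect(FTP_HOST, FTP_PORT, timeout=30)
        ftp.login(FTP_USER, FTP_PASS)
        ftp.storbinary(f"STOR {filename}", io.BytesIO(text.encode("utf-8")))
        return filename in ftp.nlst()


def splunk_oneshot(search):
    """Run a one-shot search through the REST API and return the raw JSON text.
    Certificate verification stays on; pass cafile= to the context if Splunk's cert is self-signed."""
    body = urllib.parse.urlencode(
        {"search": search, "exec_mode": "oneshot", "output_mode": "json"}).encode()
    token = base64.b64encode(":".join(SPLUNK_AUTH).encode()).decode()
    req = urllib.request.Request(f"{SPLUNK_MGMT}/services/search/jobs", data=body,
                                 headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8")


def count_from_results(json_text):
    """Pull the count out of `| stats count` one-shot output; 0 if there are no results."""
    results = json.loads(json_text).get("results", [])
    return int(results[0]["count"]) if results else 0


def main():
    # Constructed sample rows; a real run would use the mainframe's own export.
    rows = [
        {"timestamp": "2024-03-01T02:00:00", "job": "BATCH01", "user": "OPS01", "return_code": "0"},
        {"timestamp": "2024-03-01T02:05:00", "job": "BATCH02", "user": "OPS01", "return_code": "12"},
    ]
    text = build_sample_csv(rows)
    if not csv_is_well_formed(text):
        raise SystemExit("sample CSV is ragged; fix the export before testing ingestion")
    filename = f"smoke-{int(time.time())}.csv"
    if not upload_csv(text, filename):
        raise SystemExit("upload not listed by the FTP Receiver; check the role, capability and path")
    time.sleep(30)  # give the monitor input time to pick the file up
    search = f'search index=mainframe source="*{filename}" | stats count'
    count = count_from_results(splunk_oneshot(search))
    print(f"{filename}: expected {len(rows)} events, indexed {count}")
    if count != len(rows):
        raise SystemExit("event count mismatch; check the monitor stanza and sourcetype")


if __name__ == "__main__":
    main()
```

The header line is not counted as an event because the csv sourcetype treats it as field names, so the expected count is the number of data rows. A listing that shows the file but a search that returns zero usually means the monitor stanza points at a different directory than the FTP input's path; a login failure means the mainframe user is missing the ftp_write role.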
Illustrated, the solution looks like this:
Figure 1: Diagram of functional components
If you run into any issues, confirm that the FTP server itself is answering before digging
into Splunk: point a client at ftp://<splunk-host>:2121/ and log in as the mainframe user.
At the time, a common web browser could do this (Figure 2); current browsers have dropped
ftp:// support, so use a command-line client such as curl or ftp instead.
Figure 2: Troubleshooting with the web browser
Conclusion
Putting aside concerns that the mainframe may be older than
most of the IT staff, and the fact that FTP sends both credentials and data in clear text, this
was an interesting solution built on the flexibility of Splunk.
Add some mitigating controls (restrict port 2121 to the mainframe’s address, give the FTP
login nothing beyond the ftp_write role, and alert on FTP logins from anywhere else), a little
bit of SPL and some dashboard design, and it may be the easiest and most powerful mainframe
reporter in existence.
Figure 3: Splunk rocks, the process works