Introduction and Architecture

Overview

Event-Driven Ansible (EDA) is an automation framework that connects event sources to automated responses through rulebooks, allowing for intelligent, automated decision-making based on events that occur in your infrastructure.

EDA is a pre-built, tested, and supported automation validated content for IBM Z environments, ensuring reliability and best practices out of the box.

For more information on validated content, see Certified and Validated Content.

Core capabilities

  • Real-time monitoring of IBM z/OS systems, subsystems, and applications.

  • Automated incident response to system events and alerts.

  • Proactive problem resolution before issues affect business operations.

  • Integration with existing z/OS monitoring tools and event management systems.

  • Compliance automation for mainframe security and operational policies.

Key benefits

  • Reduced mean time to detect (MTTD) and mean time to resolve (MTTR): Faster detection and resolution of issues.

  • 24/7 automation: Continuous monitoring and response without human intervention.

  • Consistency: Standardized responses to common events.

  • Scalability: Ability to handle multiple z/OS systems and logical partitions (LPARs) simultaneously.

  • Integration: Connection between mainframe events and enterprise automation workflows.

Architecture

The following architecture illustrates how Event-Driven Ansible for IBM Z automates the detection, evaluation, and response to security events in a z/OS environment.

In this scenario, a security event generated on z/OS is captured, enriched, and streamed through an event pipeline. Event-Driven Ansible evaluates the event against defined rules and triggers an automation playbook to perform the appropriate response.

Architecture flow

Security event generated on z/OS
       ↓
Security monitoring solution detects the event
       ↓
WTO or syslog message created
       ↓
Common Data Provider captures and enriches the event
       ↓
Kafka publishes the event to subscribed consumers
       ↓
Event-Driven Ansible rulebook evaluates the event
       ↓
Automation Controller runs the playbook
       ↓
Playbook validates the event and performs actions
       ↓
Notify stakeholders or execute remediation

Architecture explanation

Security event generation

A security-related event, such as a configuration change, access request, policy violation, or privileged operation, occurs on a z/OS system.

Event detection

Security monitoring tools identify the event and generate an alert for further processing.

Message creation

The detected event is recorded as a WTO or syslog message, making it available through the z/OS logging infrastructure.

Event capture and enrichment

IBM Common Data Provider for z Systems captures the message, enriches it with additional context, and forwards it to the Data Streamer.

Event transformation and streaming

The Data Streamer formats and transforms the event before publishing it to a Kafka topic for downstream consumers.

Event evaluation

An Event-Driven Ansible rulebook subscribes to the Kafka topic and evaluates the incoming event against predefined conditions.

Automated execution

When a rule matches, Event-Driven Ansible invokes Automation Controller to execute the associated playbook.

Response and notification

The playbook validates the event and performs the following configured actions.

  • Sending notifications to security or operations teams.

  • Collecting additional diagnostic information.

  • Executing remediation tasks.

  • Creating audit records or tickets.

  • Initiating follow-up automation workflows.

Why this architecture matters

This architecture demonstrates how IBM Z security events can be integrated into an enterprise event-driven automation workflow. By combining native z/OS monitoring capabilities with Event-Driven Ansible, organizations can automate the processing and response to security events while maintaining consistent operational practices.

This design provides the following benefits.

  • Faster detection and processing of security events.

  • Automated and consistent response workflows.

  • Centralized orchestration through Ansible Automation Platform.

  • Improved operational efficiency by reducing manual intervention.

  • Enhanced auditability and traceability across the event lifecycle.

Components

Security event sources on z/OS

The z/OS environment generates security and operational events that drive the automation workflow. Typical event sources include:

  • SAF and RACF for authorization and access management.

  • IBM zSecure solutions for security monitoring and alert generation.

  • WTO, syslog, RACF database, and SMF for logging and audit records.

Common Data Provider and event transport

IBM Common Data Provider for z Systems captures and forwards z/OS event data by using the following.

  • zLog Forwarder to capture system messages.

  • Configuration Tool to define routing and transformation rules.

  • Data Streamer to normalize and package events.

  • Kafka to distribute event streams to subscribed consumers.

Event-Driven Ansible rulebook engine

The Event-Driven Ansible layer performs the following actions.

  • Subscribes to security event streams.

  • Evaluates incoming events against rulebook conditions.

  • Correlates event data when required.

  • Triggers automated actions based on matching rules.

Automation content

Automation content defines how the following events are processed.

  • Rulebooks specify event sources, conditions, and actions.

  • Playbooks implement validation, orchestration, and remediation logic.

  • IBM Z collections provide modules for interacting with z/OS systems and services.

Execution and response

Automation Controller executes the required automation tasks, which can include the following.

  • Validating security events against organizational policies.

  • Running z/OS automation tasks.

  • Executing remediation or recovery actions.

  • Sending notifications to administrators or operations teams.

  • Recording results for auditing and compliance purposes.