LegacyTel

LegacyTel is a zero-dependency, high-performance Go-based log normalization gateway designed to bridge the gap between legacy core infrastructure (IBM z/OS Mainframe SMF, IBM i AS/400 QAUDJRN, HPE NonStop EMS) and Splunk. It securely ingests, decodes CP1047 EBCDIC, and maps native legacy security events directly into standard, Splunk CIM-compliant structures.

Last Updated
June 3, 2026
Compatibility
This app has no available versions
Rating

0

(0)

Support
Developer Supported addon
The LegacyTel Add-on for Splunk addresses one of the most critical and costly blind spots in modern Security Operations Centers (SOCs): the lack of visibility into legacy core transaction systems. Mainframes and midrange platforms (IBM z/OS, IBM i Series/AS400, and HPE NonStop Tandem) run the vast majority of global core transactional workloads. However, their operational and audit logs—such as SMF, QAUDJRN, and EMS records—remain highly siloed. They are written in complex binary formats and EBCDIC (Code Page 1047) character encodings that modern security pipelines cannot read.

Traditionally, onboarding these logs required heavy, expensive, proprietary agents that added high compute overhead to production environments. LegacyTel solves this challenge natively as an open-source, ultra-lightweight observability gateway written in pure Go (standard-library only).

Purpose & Capabilities:

- Ingests native, raw event streams from z/OS SMF, IBM i QAUDJRN, and HPE NonStop EMS over secure TCP sockets.
- Translates character encodings instantly using an optimized, zero-allocation CP1047 EBCDIC-to-ASCII translation table.
- Normalizes disparate legacy schemas into a unified, standard compliance taxonomy (such as LL01-CM04 codes for login, configuration, and privilege modifications).
- Decouples core legacy performance from Splunk latency using an asynchronous, buffered concurrent pipeline.
- Fully secures data in transit over internal networks utilizing TLS 1.2/TLS 1.3 and Mutual TLS (mTLS) with client certificate verification.
- Packages parsing, field extraction, and Common Information Model (CIM) configurations (Props/Transforms) to ensure all legacy logs instantly map to standard Splunk datasets (e.g. Authentication, Change, and Performance).

By normalizing logs at the ingest layer and providing pre-built CIM mapping configurations, the LegacyTel Add-on for Splunk enables organizations to establish a unified, real-time security posture across legacy and cloud environments without high compute overhead or expensive proprietary forwarders.

Categories

Security, Fraud & Compliance, SIEM

Created By

Ganapati Sridhar

Type

addon

Downloads

1
