Ibm Datapower

LogZilla App Store application: Ibm Datapower

Overview

IBM DataPower Gateway is an enterprise API gateway and security appliance that provides API management, XML/JSON transformation, security enforcement, and integration services. DataPower appliances generate syslog messages for API transactions, security events, authentication, and system operations.

App Function

  • Parse DataPower syslog messages in timestamped bracket format
  • Extract metadata tags for filtering and analysis
  • Categorize events by Event Class (auth, security, network, system)
  • Map security events to MITRE ATT&CK techniques
  • Provide dashboards for API gateway monitoring
  • Alert on XML attacks, authentication failures, rate limits, and SSL errors

Vendor Documentation

LogZilla Configuration

IBM DataPower requires a dedicated syslog port in LogZilla due to its non-RFC timestamp format:

  1. Navigate to Settings > System > Application Ports
  2. Set IBM DataPower syslog port to a dedicated port (e.g., 5515)
  3. Click Save

The syslog and parser services reload automatically. Both TCP and UDP listeners are enabled on the configured port.

Device Configuration

Configure DataPower to send syslog messages to the dedicated port configured above:

  1. Log into the DataPower WebGUI
  2. Navigate to Objects > Logging Configuration > Log Target
  3. Click Add to create a new log target
  4. Set Type to syslog-tcp or Syslog
  5. Configure the remote host as the LogZilla server IP address
  6. Set the port to the dedicated port configured in LogZilla (e.g., 5515)
  7. Add event subscriptions for desired categories
  8. Click Apply and save the configuration

Verification

Generate API traffic through the DataPower gateway, then verify events appear in LogZilla with Vendor tag set to IBM and Product tag set to DataPower Gateway.

Incoming Log Format

DataPower syslog messages follow this format:

```text
<timestamp> [<code>][<category>][<level>] <object>(<name>): <message>
```

  • timestamp - ISO format timestamp (e.g., 20210415T222042.990Z)
  • code - Hex message code (e.g., 0x00a60002)
  • category - Log category (mpgw, xmlparse, ssl, auth, etc.)
  • level - Log level (info, warn, error, critic, alert, emerg)
  • object - DataPower object type
  • name - Object instance name
  • message - Event description with transaction details

Parsed Metadata Fields

| Tag Name | Example | Description |
| --- | --- | --- |
| Vendor | IBM | Vendor name |
| Product | DataPower Gateway | Product name |
| Event Class | security | Cross-vendor classification |
| MitreId | T1059 | MITRE ATT&CK technique ID |
| MITRE Tactic | Execution | MITRE ATT&CK tactic |
| DataPower Category | mpgw | Log category |
| DataPower Level | error | Log level |
| DataPower Object | mpgw | Object type |
| SrcIP | 10.11.66.50 | Source IP address (HC) |

Log Examples

API Gateway Transaction

```text
20210415T222042.990Z [0x00a60002][mpgw][info] mpgw(simple):
tid(35169)[error][10.11.66.50]: Message rejection
```

XML Attack Detection

```text
20210415T223737.028Z [0x80e003aa][xmlparse][error] mpgw(simple):
tid(39617)[response][10.11.66.50]: attribute limit exceeded
```

Rate Limit Triggered

```text
20210415T222042.990Z [0x80e00183][monitor][error]
monitor-action(simple-monitor-action): tid(35169)[10.11.66.50]:
Message monitor triggers filter
```

MITRE ATT&CK Mapping

| Event Type | Technique | Tactic |
| --- | --- | --- |
| XML Parse Error | T1059 | Execution |
| Auth Failure | T1110 | Credential Access |
| SSL/TLS Error | T1573 | Command and Control |
| Rate Limit/DoS | T1499 | Impact |
| OAuth/JWT Attack | T1528 | Credential Access |
| SAML Attack | T1606 | Credential Access |
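To make the Incoming Log Format, the Log Examples and the MITRE mapping above concrete, here is an added parser (example code written for this page, not LogZilla's own parser or rule file) that turns one DataPower syslog line into the tag set the table lists. The category-to-technique rule is an assumption derived from the mapping table, and the sample lines are the page's examples joined back onto one line each, as DataPower emits them.

```python
import re
from datetime import datetime, timezone

# Field layout from the "Incoming Log Format" section:
# <timestamp> [<code>][<category>][<level>] <object>(<name>): <message>
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{8}T\d{6}\.\d+Z)\s+"
    r"\[(?P<code>0x[0-9a-fA-F]+)\]\[(?P<category>[^\]]+)\]\[(?P<level>[^\]]+)\]\s+"
    r"(?P<object>[^(\s]+)\((?P<name>[^)]*)\):\s*(?P<message>.*)$"
)
TID_RE = re.compile(r"tid\((\d+)\)")                 # transaction id inside the message
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed client IP -> SrcIP

# ASSUMED rule: category -> (technique, tactic), read off the page's MITRE table.
MITRE_BY_CATEGORY = {
    "xmlparse": ("T1059", "Execution"),
    "auth": ("T1110", "Credential Access"),
    "ssl": ("T1573", "Command and Control"),
    "monitor": ("T1499", "Impact"),
}
SEVERE = {"error", "critic", "alert", "emerg"}

# Constructed sample input: the page's three examples, one line each.
SAMPLE_LINES = [
    "20210415T222042.990Z [0x00a60002][mpgw][info] mpgw(simple): tid(35169)[error][10.11.66.50]: Message rejection",
    "20210415T223737.028Z [0x80e003aa][xmlparse][error] mpgw(simple): tid(39617)[response][10.11.66.50]: attribute limit exceeded",
    "20210415T222042.990Z [0x80e00183][monitor][error] monitor-action(simple-monitor-action): tid(35169)[10.11.66.50]: Message monitor triggers filter",
]


def parse_datapower(line: str) -> dict:
    """Return LogZilla-style tags for one DataPower line, or {} if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    f = m.groupdict()
    # DataPower's compact timestamp is not RFC 3164/5424; normalise it to ISO 8601 UTC.
    ts = datetime.strptime(f["timestamp"], "%Y%m%dT%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    tid, ip = TID_RE.search(f["message"]), IP_RE.search(f["message"])
    tags = {
        "Vendor": "IBM", "Product": "DataPower Gateway",
        "DataPower Category": f["category"], "DataPower Level": f["level"],
        "DataPower Object": f["object"], "timestamp": ts.isoformat(),
        "tid": tid.group(1) if tid else None, "SrcIP": ip.group(1) if ip else None,
        "message": f["message"],
    }
    # Only severe events in a mapped category receive a technique and tactic.
    if f["level"] in SEVERE and f["category"] in MITRE_BY_CATEGORY:
        tags["MitreId"], tags["MITRE Tactic"] = MITRE_BY_CATEGORY[f["category"]]
    return tags
```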

Dashboards

| Dashboard | Description |
| --- | --- |
| IBM DataPower: Overview | Events, errors, security, sources, MITRE tactics |

Triggers

| Trigger | Description |
| --- | --- |
| IBM DataPower: MITRE ATT&CK Threat Detected | Events with MITRE mapping |
| IBM DataPower: XML Attack Detected | XML parsing errors (T1059) |
| IBM DataPower: Authentication Failure | Auth failures (T1110) |
| IBM DataPower: Rate Limit Triggered | DoS/rate limit events (T1499) |
| IBM DataPower: SSL/TLS Error | SSL/crypto errors (T1573) |
| IBM DataPower: Critical System Event | Critical/alert/emergency events |