
The Sagan Log Analysis Engine

What is Sagan log analysis engine?

Sagan is an open source (GNU/GPLv2), high-performance, real-time log analysis and correlation engine that runs under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high-performance log and event analysis. Sagan's structure and rules work similarly to the Sourcefire/Cisco Snort or Suricata IDS/IPS engine. This was done intentionally to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort/Suricata IDS/IPS system. Sagan supports many different output formats, log normalization (via, script execution on event detection, GeoIP detection/alerting, multi-line log support, time sensitive alerting and much more.

While the majority of systems support protocols like 'syslog', you can use software like NXLog to send Sagan Microsoft Windows logs.

The development of Sagan is sponsored by Quadrant Information Security Team.  

For more detailed information, visit the Sagan "Read The Docs" page at

Sagan Log Analysis Engine Features.

  • Multi-threaded architecture allows it to use all CPUs / cores for real-time log processing.
  • Light on CPU and memory resources.
  • Built in JSON parsing
  • Similar rule syntax to Cisco’s “Snort” which allows for easy rule management and correlation with Snort or Suricata IDS / IPS systems.
  • Can store alert data in Cisco’s “Snort” native “unified2” binary data format  or Suricata's JSON format for easier log-to-packet correlation.
  • Compatible with popular graphical-based security consoles like Snorby, BASE, Sguil, and EveBox.
  • Easily export data from other SIEMs via syslog.
  • Can track events based on geographic locations via IP address source or destination data (e.g., identifying logins from strange geographic locations).
  • Can monitor usage based on time of day (e.g., writing a rule to trigger when an administrator logs in at 3:00 AM).
  • Has multiple means of parsing and extracting data through liblognorm or built in parsing rule options like parse_src_ip, parse_dst_ip, parse_port, parse_string, parse_hash (MD5, SHA1, SHA256).
  • Can query custom blacklists, Bro Intel subscriptions like Critical Stack and “Bluedot”, Quadrant Information Security threat intelligence feeds by IP address, hashes (MD5, SHA1, SHA256), URLs, emails, usernames, and much more.
  • “client tracking” can inform you when machines start or stop logging.   This helps you verify that you are getting the data you need.
  • “xbits” to correlate data between log events which allows Sagan to “remember” and flag events across multiple log lines and sources. 
  • Intra-process communications between Sagan processes to share data. Sagan can also use Redis (beta) to share data between Sagan instances within a network.
  • Helps reduce “alert fatigue” through “threshold” or by only alerting “after” certain criteria have been met.

Sagan News

  • [2021/02/08] - Sagan 2.0.1 released! See the Sagan 2.0.1 release information. 
  • [2021/01/11] - New Sagan & Sagan rule sets released! See the Sagan 2.0.0 for more information. 
  • [2019/07/03] - New Sagan & Sagan rule sets released! See the Sagan 1.2.2 post for more details.
  • [2018/11/08] - New Sagan rule set released! See the rule release post for more details.  
  • [2018/11/07] - Sagan 1.2.1 released! See the Sagan 1.2.1 post for more details.
  • [2018/06/14] - Sagan 1.2.0 released! See the Sagan 1.2.0 post for more details.
  • [2018/05/29] - Sagan 1.1.9 released! See the Sagan 1.1.9 post for more details.