Chat with us, powered by LiveChat
Customer Login
Call Us: 800.538.9357
Book a meeting

Sagan Log Analysis Engine

Get a high performance, real-time log analysis & correlation engine

Contact Us
Our Enterprise IT Security Certifications
sscp
cissp
gcih
iso
Previous
Next
What is the Sagan log analysis engine?

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan’s structure and rules work similarly to the Sourcefire/Cisco Snort or Suricata IDS/IPS engine.

It maintains compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort/Suricata IDS/IPS system. 

Elite IT Security Staffing
security information and event management (SIEM) system
Automate your log management

Sagan supports many different output formats, log normalization (via http://www.liblognorm.com), script execution on event detection, GeoIP detection/alerting, multi-line log support, time sensitive alerting and much more.

While the majority of systems support protocols like ‘syslog’,  you can use software like NXLog to send Sagan Microsoft Windows logs.

The development of Sagan is sponsored by Quadrant Information Security Team.  

For more details information,  visit the Sagan “Read The Docs” page at https://sagan.readthedocs.org

Learn More

Download Saganhttps://download.quadrantsec.com
Download Sagan Rules – https://rules.quadrantsec.com
Sagan on Github – https://github.com/quadrantsec/sagan
Sagan Documentationhttps://sagan.readthedocs.org
Issues & Bugs – https://github.com/quadrantsec/sagan/issues
Sagan Mailing List https://groups.google.com/g/sagan-users

Sagan Log Analysis Engine Features:
  • Multi-threaded architecture allows it to use all CPUs / cores for real-time log processing.
  • CPU and memory resources are light weight.
  • Built in JSON parsing
  • Similar rule syntax to Cisco’s “Snort” which allows for easy rule management and correlation with Snort or Suricata IDS / IPS systems.
  • Can store alert data in Cisco’s “Snort” native “unified2” binary data format or Suricata's JSON format for easier log-to-packet correlation.
  • Intra-Process communications between Sagan processes to share data. Sagan can also use Redis (beta) to share data between Sagan instances within a network.
  • Compatible with popular graphical-base security consoles like Snorby, BASE, Sguil, and EveBox.
  • Easily export data from other SIEMs via syslog.
  • Can track events based on geographic locations via IP address source or destination data (e.g., identifying logins from strange geographic locations).
  • Can monitor usage based on time of day (e.g., writing a rule to trigger when an administrator logs in at 3:00 AM).
  • “xbits” to correlate data between log events which allows Sagan to “remember” and flag events across multiple log lines and sources.
  • Has multiple means of parsing and extracting data through liblognorm or built in parsing rule options like parse_src_ip, parse_dst_ip, parse_port, parse_string, parse_hash (MD5, SHA1,SHA256).
  • Can query custom blacklists, Bro Intel subscriptions like Critical Stack and “Bluedot”, Quadrant Information Security threat intelligence feeds by IP address, hashes (MD5, SHA1, SHA256), URLs, emails, usernames, and much more.
  • “client tracking” can inform you when machines start or stop logging. This helps you verify that you are getting the data you need.
  • helps reduce “alert fatigue" through “threshold” or only alert “after” certain criteria have been met.

How Clients Have Benefited from Working with Quadrant Information Security

Healthcare Provider

Healthcare client needed to reassess their security strategy around compliance, monitoring, and working remotely.

Read Case Study
National Retail Chain

The customer needed to replace a SIEM product and outsource their network security monitoring.

Read Case Study
Accounting Firm

A complete security solution that reduced the burden on the staff so they can focus on more essential activities to the firm.

Read Case Study
security information and event management (SIEM) system
Sagan News
  • [2021/02/08] – Sagan 2.0.1 released! See the Sagan 2.0.1 release information. 
  • [2021/01/11] – New Sagan & Sagan rule sets released! See the Sagan 2.0.0 for more information. 
  • [2019/07/03] – New Sagan & Sagan rule sets released! See the Sagan 1.2.2 post for mode details. 
  • [2018/11/08] – New Sagan rule set released! See the rule release post for more details.  
  • [2018/11/07] – Sagan 1.2.1 released! See the Sagan 1.2.1 post for more details.
  • [2018/06/14] – Sagan 1.2.0 released! See the Sagan 1.2.0 post for more details.
  • [2018/05/29] – Sagan 1.1.9 released! See the Sagan 1.1.9 post for more details.

Stay Connected

footer-q-logo

Contact Quadrant

4651 Salisbury Road, Suite 315
Jacksonville, Florida 32256

About Us

Our Solutions

Resources

We have updated our Privacy Policy to include GDPR and the use of cookies. Click "Accept" to continue.

ACCEPT