Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire/Cisco Snort or Suricata IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort/Suricata IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort/Suricata "consoles". For example, Sagan is will work with Sguil ( http://sguil.sourceforge.net ), BASE, the Prelude IDS framework ( https://www.prelude-ids.org ) and proprietary consoles! (to name a few).
Sagan supports many different output formats, log normalization (via http://www.liblognorm.com), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support (flowbit), time sensitive alerting and much more.
While the majority of systems support protocols like 'syslog', you can use software like NXLog to send Sagan Microsoft Windows logs.
The development of Sagan is sponsored by Quadrant Information Security Team.
Fore more details information, visit the Sagan Wiki.