Chat with us, powered by LiveChat
min-width: mobile
min-width: 400px
min-width: 550px
min-width: 750px
min-width: 1000px
min-width: 1200px
NOTICE We have updated our Privacy Policy to include GDPR and the use of cookies. Click "Accept" to continue. ACCEPT

The Sagan Log Analysis Engine

What is Sagan log analysis engine?

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire/Cisco Snort or Suricata IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort/Suricata IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort/Suricata "consoles". For example, Sagan is will work with Sguil ( ), BASE, the Prelude IDS framework ( ) and proprietary consoles! (to name a few).  

Sagan supports many different output formats, log normalization (via, script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support (flowbit), time sensitive alerting and much more.

While the majority of systems support protocols like 'syslog',  you can use software like NXLog to send Sagan Microsoft Windows logs.

The development of Sagan is sponsored by Quadrant Information Security Team.  

For more details information,  visit the Sagan Wiki.

Sagan Log Analysis Engine Features.

  • Sagan’s multi-threaded architecture allows it to use all CPUs / cores for real-time log processing.
  • Sagan's CPU and memory resources are light weight. 
  • Sagan uses a similar rule syntax to Cisco’s “Snort” which allows for easy rule management and correlation with Snort or Suricata IDS / IPS systems.
  • Sagan can store alert data in Cisco’s “Snort” native “unified2” binary data format  or Suricata's JSON format for easier log-to-packet correlation.
  • Sagan is compatible with popular graphical-base security consoles like Snorby, BASE, Sguil, and EveBox.   
  • Sagan can easily export data from other SIEMs via syslog.
  • Sagan can track events based on geographic locations via IP address source or destination data (e.g., identifying logins from strange geographic locations).
  • Sagan can monitor usage based on time of day (e.g., writing a rule to trigger when an administrator logs in at 3:00 AM).
  • Sagan has multiple means of parsing and extracting data through liblognorm or built in parsing rule options like parse_src_ip, parse_dst_ip, parse_port, parse_string, parse_hash (MD5, SHA1,SHA256).
  • Sagan can query custom blacklists,  Bro Intel subscriptions like Critical Stack and “Bluedot”,  Quadrant Information Security threat intelligence feeds by IP address,  hashes (MD5, SHA1, SHA256),  URLs,  emails,  usernames, and much more.
  • Sagan’s “client tracking” can inform you when machines start or stop logging.   This helps you verify that you are getting the data you need.
  • Sagan uses “xbits” to correlate data between log events which allows Sagan to “remember” and flag events across multiple log lines and sources. 
  • Sagan uses Intra-Process communications between Sagan processes to share data.   Sagan can also use Redis (beta) to share data between Sagan instances within a network.
  • To help reduce “alert fatigue”,  Sagan can “threshold” or only alert “after” certain criteria have been met. 

Sagan News

  • [2019/07/03] - New Sagan & Sagan rule set released! See the Sagan 1.2.2 post for mode details. 
  • [2018/11/08] - New Sagan rule set released! See the rule release post for more details.  
  • [2018/11/07] - Sagan 1.2.1 released! See the Sagan 1.2.1 post for more details.
  • [2018/06/14] - Sagan 1.2.0 released! See the Sagan 1.2.0 post for more details.
  • [2018/05/29] - Sagan 1.1.9 released! See the Sagan 1.1.9 post for more details.
  • [2017/05/31] - Sagan 1.1.7 released with rules! See the Sagan 1.1.7 post for more details.
  • [2017/03/16] - Sagan 1.1.6 released with rules! See the Sagan 1.1.6 post for more details.
  • [2017/02/15] - Sagan 1.1.5 released! See the Sagan 1.1.5 post for more details.
  • [2016/12/30] - Sagan 1.1.4 released! See the Sagan 1.1.4 post for more details. See here for rule release information.
  • [2016/11/07] - Sagan 1.1.3 released! See the Sagan 1.1.3 post for more details. See here for rule release information.
  • [2016/09/23] - Sagan 1.1.2 released! See the Sagan 1.1.2 post for more details.
  • [2016/08/17] - Sagan 1.1.1 released! See the Sagan 1.1.1 post for more details.
  • [2016/07/06] - Sagan 1.1.0 released! See the Sagan 1.1.0 post for more details.
  • [2015/11/19] - Sagan 1.0.1 released! See the Sagan 1.0.1 post for more details.
  • [2015/10/23] - Sagan 1.0.0 released!  See the Sagan 1.0.0 blog post for more information!