Quadrant Information Security is proud to release the Sagan (GPLv2/Open Source) log analysis engine version 1.2.1! Please keep in mind that if you are upgrading from an older version of Sagan, you will need to remove old IPC data as 1.2.1 is not compatible with older Sagan IPC data.
For more information about Sagan, see:
* Sagan can now read JSON via the FIFO. Traditionally, Sagan has used a pipe delimited format. This means that you can have your syslog daemon (rsyslog, syslog-ng, nxlog, etc) send Sagan data in JSON through the FIFO. There is a new input JSON mapping file (json-input.map) to assist with JSON mapping of input.
* New JSON “message” & “program” parsing and auto detection. When enabled, this allows Sagan to read in JSON data from the syslog “message” field. In some cases (third party “Splunk” forwarding) the JSON will start within the syslog “program” field. This option allows Sagan to automatically detect the JSON and find the best mapping for the data. There is a new mapping file “json-message.map”. After JSON is decoded, Sagan “scores” the mappings. The best score “wins”.
* Fixed flow issue where destination wouldn’t be honored in certain situations.
* Fix issue with “after” that cause false positives.
* Due to many changes, “saganpeek.c” had to be altered to support new “threshold” and “after” options.
* New –enable-libfastjson configure option
* “rev” and “sid” are now proper uint32_t and uint64_t
* Complete re-write of “after” and “threshold”. The new system is more flexible and easier to maintain. This allows the rule writer to specify multiple conditions for a “threshold” or “after”.
* Added experimental “xbit_upause” rule option. This causes a rule to “pause” for X microseconds before performing an xbit operation.
* New “rule-tracking” yaml options. This allows tracking of rules that have never fired verses rules that have fired. This can be useful in rule tuning.
* Added “skip_networks” yaml option to GeoIP and Bluedot. This option tells Sagan to “skip” lookups for defined network.
* Various GeoIP fixes. Change ./configure options from –enable-geoip2 to –enable-geoip
* When using NXLog as a syslog receiver, NXLog doesn’t handle named pipes/FIFOs. We created a “help” program so that NXLog can write to FIFOs more efficiently.
* Is_IP() and Is_IP6() is now one function.
* Better thread safety upon exit. On systems with high loads, Sagan would sometimes segfault upon exit. This corrects that issue.
* Re-write of how Sagan produces JSON. Sagan can now store _all_ logs in a JSON output format. This makes it easy to get all logs into back-ends like Elasticsearch, etc.
* Removed duplicate rule set load in default sagan.yaml of “windows-security.yaml”. Also correct in the default sagan.yaml that cisco-acs.rules is now cisco-ise.rules. Thanks msnriggs!
* In certain situations, Sagan would segfault when an non-IP address was being looked up in Bluedot.
* Some minor memory fixes and cleanups identified by Valgrind.
* Fixes for Bluedot. Added max-ip-cache, max-hash-cache, max-url-cache, and max-filename-cache to Bluedot processor. Added new DNS “ttl” option to Bluedot processor to limit the number of times Sagan will lookup the Bluedot host. Added some new statistics to Bluedot output. Added a new Bluedot IP queue for dealing with many lookups at a time.