Sagan (software)
Original author(s) | Champ Clark III |
---|---|
Developer(s) | Quadrant Information Security |
Stable release | 1.1.3 / 7 November 2016 |
Development status | Active |
Written in | C |
Operating system | Unix-like |
Available in | English |
Type | Log analysis |
License | GNU GPL v2 |
Website | sagan |
Sagan[1] is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. This allows Sagan to be compatible with Snort rule management software and gives Sagan the ability to correlate with Snort IDS/IPS data. Sagan can record events to the Snort "unified2" output format, which makes Sagan compatible with user interfaces such as Snorby, Sguil, BASE and proprietary consoles.
Sagan supports different output formats for reporting and analysis, log normalization, script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support, and time sensitive alerting.
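To illustrate the Snort-style, rule-driven log correlation described above, here is a small added example (not Sagan's own code; it uses a constructed Snort-like rule grammar and constructed syslog events, not Sagan's exact syntax) that applies two rules to a stream of events, with a by-source time-window threshold for the brute-force case:

```python
from collections import defaultdict, deque
# Constructed rules in a Snort-like grammar: header, then "key:value;" options.
RULES = [
    'alert syslog any any -> any any (msg:"SSH brute force"; content:"Failed password"; '
    'threshold:type threshold, track by_src, count 3, seconds 60; sid:1000001; rev:1;)',
    'alert syslog any any -> any any (msg:"Root key login"; '
    'content:"Accepted publickey for root"; sid:1000002; rev:1;)',
]
# Constructed syslog events: (seconds since start, source host, message text).
EVENTS = [
    (0,   "10.0.0.5", "sshd[211]: Failed password for root from 10.0.0.5"),
    (10,  "10.0.0.5", "sshd[211]: Failed password for root from 10.0.0.5"),
    (20,  "10.0.0.9", "sshd[212]: Accepted publickey for root from 10.0.0.9"),
    (30,  "10.0.0.5", "sshd[211]: Failed password for admin from 10.0.0.5"),
    (40,  "10.0.0.5", "sshd[211]: Failed password for admin from 10.0.0.5"),
    (200, "10.0.0.5", "sshd[211]: Failed password for root from 10.0.0.5"),
]
def parse_rule(text):
    """Return the rule's option dict; a threshold option is parsed to ints."""
    opts = {}
    for opt in filter(str.strip, text.partition("(")[2].rstrip(")").split(";")):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    if "threshold" in opts:  # e.g. "type threshold, track by_src, count 3, seconds 60"
        thr = dict(p.strip().split() for p in opts["threshold"].split(","))
        opts["threshold"] = {"count": int(thr["count"]), "seconds": int(thr["seconds"])}
    return opts

def run_engine(rules, events):
    """Apply rules to events in order; return fired alerts as (time, sid, src, msg)."""
    parsed = [parse_rule(r) for r in rules]
    windows = defaultdict(deque)  # (sid, src) -> timestamps of recent matches
    alerts = []
    for ts, src, msg in events:
        for rule in parsed:
            if rule["content"] not in msg:  # content: plain substring match
                continue
            thr = rule.get("threshold")
            if thr is None:  # no threshold: every match is an alert
                alerts.append((ts, int(rule["sid"]), src, rule["msg"]))
                continue
            win = windows[(rule["sid"], src)]  # track by_src: one window per source
            win.append(ts)
            while ts - win[0] > thr["seconds"]:  # forget matches outside the window
                win.popleft()
            if len(win) >= thr["count"]:  # type threshold: fire, then restart the count
                alerts.append((ts, int(rule["sid"]), src, rule["msg"]))
                win.clear()
    return alerts
```

With the constructed events, the root key login fires immediately at t=20, the three failed passwords from 10.0.0.5 fire once at t=30, and the later failures at t=40 and t=200 fall outside the 60-second window and stay silent.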
References
- ↑ "Sagan Main Wiki". Sagan Main Wiki. Champ Clark.
- Sagan Resources
- "Centralized and structured log file analysis with Open Source and Free Software tools" Bachelor Thesis by Jens Kühnel
- IPSS.ca "Course objectives"
- "Securing your Mikrotik Network" by Andrew Thrift (Presentation)
- HOWTO build Sagan on FreeBSD
- Sagan was one of the "top security tools" & won a "Bossie Award" from Infoworld.com.
- Installing Sagan on CentOS 5/6 (Linux) for log monitoring.
- Champ Clark talks about Sagan on "Pauldotcom Security weekly" - December 12th, 2013.
- Linux Pro Magazine article that discusses using Sagan for log monitoring.
- Article written by Champ Clark about using Kismet, Snort and Sagan to build a wireless IDS monitoring device.
- Champ Clark's guest posting on Rainer's (author of rsyslog) blog about Sagan and log analysis.
- Log, Log, Log Everything Remotely.
- Using Sagan with Bro Intelligence feeds.
- What the Sagan Log Analysis Engine Is...and What It Is Not (Aug 2016)
- Easing the Compliance Burden :: Sagan Technology & PCI Compliance (Feb 2016)
- JunOS/ScreenOS Vulnerability Helps to Emphasize the Importance of Remote Log Storage (Dec 2015)
- Using Sagan with Netflow data.
- Reference to Sagan rule options
External links
- About Sagan
- Official Sagan Wiki
- Sagan flowbits
- Using Sagan with Bro Intelligence feeds
- Sagan output to other SIEMs.