Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc)
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Welcome to the README file.

What is Sagan? 

Sagan is an open source (GNU/GPLv2) high performance, real-time log 
analysis & correlation engine.  It is written in C and uses a 
multi-threaded architecture to deliver high performance log & event 
analysis. The Sagan structure and Sagan rules work similarly to the 
Sourcefire "Snort" IDS engine. This was intentionally done to maintain 
compatibility with rule management software (oinkmaster/pulledpork/etc)
and allows Sagan to correlate log events with your Snort IDS/IPS 
system. Since Sagan can write to Snort IDS/IPS databases via 
unified2/barnyard2, it is compatible with all Snort "consoles". 
For example, Sagan is compatible with Snorby [],
Sguil [], BASE, and the Prelude IDS 
framework! (to name a few).

Sagan supports many different output formats,  log normalization 
(via liblognorm),  GeoIP detection, script execution on event and
automatic firewall support via "Snortsam" 

Sagan uses the GNU "artisic style". 

For more information, please visit the Sagan web site: 

If you're looking for Sagan rules on Github,  they are located at: