Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc)
Latest commit a67fa9a Mar 23, 2017 Champ Clark III Credits update for @3vilJohn


Welcome to the README file

What is Sagan?

Sagan is an open source (GNU/GPLv2), high performance, real-time log 
analysis & correlation engine.  It is written in C and uses a 
multi-threaded architecture to deliver high performance log & event 
analysis. The Sagan structure and Sagan rules work similarly to the 
Sourcefire "Snort" IDS engine. This was done intentionally to maintain 
compatibility with rule management software (oinkmaster/pulledpork/etc)
and to allow Sagan to correlate log events with your Snort IDS/IPS 
system. Since Sagan can write to Snort IDS/IPS databases via 
unified2/barnyard2, it is compatible with all Snort "consoles". 
For example, Sagan is compatible with Snorby, Sguil, BASE and the 
Prelude IDS framework, to name a few.
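To make the idea of applying Snort-style rules to log lines concrete, here is a small added Python illustration. It is not Sagan's code and not Sagan's exact rule grammar: a rule written in Snort-style layout (header, then msg/program/content/threshold/sid options) is run over constructed syslog lines, and a per-source threshold turns a burst of sshd failures into a single alert. The regexes, option names, sample lines and the assumed year in the timestamp parser are all assumptions of this illustration.

```python
import re
import time
from collections import defaultdict
SAMPLE_LOGS = [  # constructed sample syslog lines; the addresses are RFC 5737 documentation IPs
    "Mar 23 10:00:01 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4444 ssh2",
    "Mar 23 10:00:02 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 23 10:00:03 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4445 ssh2",
    "Mar 23 10:00:04 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4446 ssh2",
    "Mar 23 10:00:05 host1 sshd[1235]: Failed password for bob from 198.51.100.7 port 5000 ssh2",
]
# Snort-style layout: header, then "key:value;" options. Only msg, program, content, threshold, sid are read.
RULES = ['alert syslog any any -> any any (msg:"SSH failed password burst"; program:sshd; '
         'content:"Failed password"; threshold:type threshold, track by_src, count 3, seconds 60; sid:1000001;)']
HEADER_RE = re.compile(r"^alert\s+syslog\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+(?P<prog>[\w.-]+)(?:\[\d+\])?:\s(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    opts = {}
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    if "threshold" in opts:  # "type threshold, count 3, seconds 60" -> {"type": "threshold", "count": "3", ...}
        opts["threshold"] = dict(kv.split() for kv in opts["threshold"].split(","))
    return opts
def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = time.mktime(time.strptime("2017 " + m.group("ts"), "%Y %b %d %H:%M:%S"))  # year is assumed
    ip = IPV4_RE.search(m.group("msg"))  # first IPv4 in the message is taken as the source address
    return {"ts": ts, "program": m.group("prog"), "msg": m.group("msg"), "src": ip and ip.group(0)}
def run(lines, rule_texts):
    rules = [parse_rule(r) for r in rule_texts]
    seen, alerts = defaultdict(list), []  # seen: (sid, src) -> match timestamps still inside the window
    for ev in filter(None, map(parse_syslog, lines)):
        for r in rules:
            if r.get("program", ev["program"]) != ev["program"] or r["content"] not in ev["msg"]:
                continue
            th = r.get("threshold", {"count": "1", "seconds": "1"})  # no threshold: every match alerts
            key = (r["sid"], ev["src"])
            seen[key] = [t for t in seen[key] if ev["ts"] - t < int(th["seconds"])] + [ev["ts"]]
            if len(seen[key]) >= int(th["count"]):  # fire once per "count" matches in the window, then restart
                alerts.append((r["sid"], ev["src"], r["msg"]))
                seen[key] = []
    return alerts
```

Running `run(SAMPLE_LOGS, RULES)` yields one alert for 203.0.113.5 (three failures inside 60 seconds) and none for 198.51.100.7 or the cron line, which is the noise reduction a threshold option buys over alerting on every matching line.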

Sagan supports many different output formats, log normalization 
(via liblognorm), GeoIP detection, script execution on events and
automatic firewall support via "Snortsam".

Sagan uses the GNU "artistic style".

For more information, please visit the Sagan web site: 

If you're looking for Sagan rules on Github, they are located at: