Releases: quadrantsec/sagan

Sagan version 2.0.2

29 Dec 20:56

Sagan 2.0.2 released.

  * Fixes that allow Sagan to compile using GCC 10.
  * When Sagan finds a "correlated event" (via an "xbit" or "flexbit"), Sagan will store
    the correlated data within the fired alert EVE. This means you don't have to search
    for the data!
  * Patch from Stef Roskam changing the engine order and improving JSON parsing. Thanks Stef!!
  * Various minor JSON fixes.
  * Major code cleanup in processors/engine.c. Over time, this code had become
    harder to maintain. This cleanup makes the code more maintainable and
    more efficient, resulting in improved performance and a smaller
    memory footprint. Various other code cleanups as well to improve performance and
    memory footprint!
  * Allow message "mapping" to take place in the signature. For example:
      json_map: "src_ip", ".ClientIP"
    This will map the JSON data value of ".ClientIP" to the Sagan internal engine field
    "src_ip". That is, ".ClientIP" will become what Sagan knows as "src_ip",
    which can then be used with other keywords (threshold, after, etc). Removed the
    code for the "", as this is a much more efficient way to map
    JSON data.
  * Fix issue when value is "null" in JSON
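As an added illustration (not code from the Sagan project), the json_map semantics described above in Python: a JSON log is flattened to dotted keys, each json_map entry copies a JSON value into an engine field, a JSON null leaves the field unset (the "null" case the last item concerns), and a threshold-style count then keys on the mapped src_ip. The dotted-key form, the engine field names (src_ip, username, program) and the sample log are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample log in JSON form (hypothetical, not a real Sagan input).
SAMPLE_LOG = '{"ClientIP": "203.0.113.7", "User": null, "Event": {"Action": "login-failed"}}'

# Hypothetical json_map entries: (internal engine field, dotted JSON key).
# The field names are assumed for illustration.
JSON_MAP = [("src_ip", ".ClientIP"),
            ("username", ".User"),
            ("program", ".Event.Action")]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys such as ".Event.Action".
    (The dotted-key naming is an assumption about how Sagan addresses keys.)"""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}"))
    else:
        out[prefix] = obj
    return out


def apply_json_map(raw_log, json_map):
    """Populate engine fields from one JSON log according to json_map entries.
    A JSON null or a missing key leaves the engine field unset instead of
    storing the string "null"."""
    flat = flatten(json.loads(raw_log))
    fields = {}
    for internal, json_key in json_map:
        value = flat.get(json_key)
        if value is None:
            continue
        fields[internal] = str(value)
    return fields


def count_by_src_ip(raw_logs, json_map, limit):
    """Once ".ClientIP" is mapped to src_ip, a threshold-style count can key on
    src_ip like any other log. Returns the src_ips that reached `limit`."""
    counts = defaultdict(int)
    hits = []
    for raw in raw_logs:
        ip = apply_json_map(raw, json_map).get("src_ip")
        if ip is None:
            continue
        counts[ip] += 1
        if counts[ip] == limit:
            hits.append(ip)
    return hits


if __name__ == "__main__":
    print(apply_json_map(SAMPLE_LOG, JSON_MAP))
    print(count_by_src_ip([SAMPLE_LOG] * 3, JSON_MAP, 3))
```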

Sagan version 2.0.1

08 Feb 17:29

2021/02/08 - Sagan 2.0.1 released.

  * Multiple bug fixes that address compile time issues with GCC 10.

  * Can now compile with Google's TCMalloc (--enable-tcmalloc). This
    might result in less memory usage and a minor increase in performance.

  * Bug fix for "event_id" not working in certain situations. Thanks to
    Ivan Kuncl (iku899) at Github for reporting this issue.

  * Bug fix for segfault when running with the --daemon flag. Thanks to
    Stef Roskam (smr1983) for reporting and patching this.

  * A lot of "cleanup" work provided by Jonas Smedegaard (jonassmedegaard).
    This involved proper git "tagging", typos, dirty source trees, etc.

  * Removed unneeded pthread_mutex_lock() calls in bluedot.c. This should
    cause a minor performance increase. Also some other minor Bluedot
    performance enhancements.

  * Removed the "perfmon" function. Use "stats-json" instead!

  * Added a "Max threads used" statistic. This assists with properly
    tuning the number of threads in your sagan.yaml. It displays the
    max number of threads used during the lifetime of Sagan.

  * Bypass content/pcre when syslog "message" is null.

  * Simplified the "client-stats" functions. Now writes out one JSON
    object for each log source detected. This change is also reflected in

  * Sagan now records PID on startup & minor typos fixed.

Sagan version 2.0.0

27 Jan 01:59

Quadrant Information Security ( is proud to release version 2.0.0 of the Sagan log analysis engine! Some of the major updates to this release are:

  • The Sagan repos have moved! They can now be found at:

  • New JSON parsing options (json_content, json_pcre, etc). This makes decoding and writing rules for JSON-based logs easier. See for more details.

  • Sagan EVE now stores more GeoIP information (if available). With the use of the Maxmind “city” GeoIP2 databases, Sagan will record “city”, “postal codes”, “latitude”, “longitude”, etc.

  • Statistics are now written in a JSON format similar to Suricata JSON stats. This will replace the legacy “perfmon” stats output in 2.0.1.

  • Introduction of the “event_id” rule option to automagically parse Windows event IDs from logs.

  • New “metadata” rule option for rules. This works the same as Suricata’s “metadata” rule options.

  • Added “normalization” data to EVE output.

  • New “append_program” rule option. This option appends the “program” field to the end of the syslog message. This can be useful when program fields are erratic and cannot be depended on.

  • Removed “Snortsam” and “Unified2” support.

  • Rewrote the way EVE files are written to better handle file rotation and automatic EVE file recreation.

  • Statistics now record “bytes_total” and “bytes_ignored”. This can be useful to determine how much data Sagan has processed.

  • New “client-stats” configuration option. This option will take a single log message every few minutes (user specified) and record it in a separate file. This can be useful for providing an “example” of the types of data a host is sending.

  • Better validation of signatures upon start up.

  • A lot of stability, memory and CPU enhancements that make sure Sagan is as stable as possible.

More ChangeLog information is at: