The high performance, multi-threaded log analysis engine.

Twitter: @dabeave666

What is Sagan?

Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire/Cisco"Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork /etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles". For example, Sagan is will work with Snorby (, Sguil (, BASE, the Prelude IDS framework ( and proprietary consoles! (to name a few).

Sagan supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support (flowbit), time sensitive alerting and much more.

The development of Sagan is sponsored by Quadrant Information Security Team. Sagan is included with the SmoothSec security Linux distribution.

Fore more details information, visit the Sagan Wiki.

Sagan News

  • [02/20/2015] - Sagan get "Bro Inteligence framework" support. Check out our blog post Using Sagan with Bro Intelligence Feeds.
  • [10/07/2014] - Sagan version 1.0.0RC4 released! See the Change Log for details on bugs & improvements!
  • [06/17/2014] - Sagan version 1.0.0RC3 released! See the Change Log for details on bugs & improvements!
  • [06/17/2014] - Blog posting on "Pass the hash" (PTH) detection with Sagan.
  • [04/12/2014] Sagan version 1.0.0RC2 released! See the Change Log for details on bugs & improvements! New rules also released!
  • [03/28/2014] How Sagan integrates with Websense Threatseeker to detect anomalies through log analysis.
  • [02/03/2014] Sagan version 1.0.0RC1 released! New rules also released!
  • [12/10/2013] Champ Clark, the primary author of Sagan, will be on PaulDotCom Security Weekly on 12/12/13! Listen live if you can, or download the archive of the show! [MP3 of the interview can be found here].
  • [11/16/2013] Sagan version 0.3.1 is getting close to being released! Country tracking, "flowbit" (multi-line logs) support added and much more. Help us test Sagan via &
  • [04/30/2013] Sagan version 0.3.0 released! Release information is here.