Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork /etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles". For example, Sagan is will work with Snorby (http://www.snorby.org), Sguil (http://sguil.sourceforge.net), BASE, the Prelude IDS framework (https://www.prelude-ids.org) and proprietary consoles! (to name a few).
Sagan supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam", GeoIP detection/alerting, multi-line log support, time sensitive alerting and much more.
The development of Sagan is sponsored by Quadrant Information Security Team.
Fore more details information, visit the Sagan Wiki.