The high performance, multi-threaded log analysis engine.
Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that run under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire "Snort" IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork /etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort "consoles". For example, Sagan is will work with Snorby (http://www.snorby.org), Sguil (http://sguil.sourceforge.net), BASE, the Prelude IDS framework (https://www.prelude-ids.org) and proprietary consoles! (to name a few).
Sagan supports many different output formats, log normalization (via liblognorm), script execution on event detection, automatic firewall support via "Snortsam" and much more.
Fore more details information, visit the Sagan Wiki.