-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you are using the development branch of Sagan located on Github,
you'll likely want to refresh. I've pushed up Sagan version
0.3.0-git, and this version has a lot of changes from Sagan 0.2.3.
First off, the primary Sagan engine (for rules) is now multi-CPU
aware. With versions prior to 0.3.0, the engine (which is used for
rule matching) could only utilize one CPU/core. Sagan 0.3.0 changes
this, and allows the engine to split the load across multiple
CPU/cores. In our tests with high volume logs, we've seen a
tremendous benefit. This means Sagan can handle a lot more log lines
per second.
The more CPU/cores you have, the more log lines you can analyze in
real time. I don't know of any open source log analyzers that do
this. We also made some performance tweaks in this release and back
ported them to Sagan 0.2.3 that increased performance 20-30% in our tests.
Lastly, we've added the concept of "processors" into Sagan. What
"processors" allow Sagan to do is process logs outside of the
"sagan-engine.c" (rule matching). We plan on using "processors" to do
big things with Sagan in the future. A simple example known as
"sagan-track-client" processor is already in 0.3.0. This simple
processor monitors the state of incoming logs. If a system stops
reporting logs for X amount of time, an alert is created. If it starts
sending logs again, another alert is created.
As usual, this is still pretty beta code. Please let me know if you
have any questions.
--
- Champ Clark III (ccl...@quadrantsec.com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iQEcBAEBAgAGBQJQv2n8AAoJENnmXt7Lmc3KujMH/1a/1kbOO5NBbbmswcI/HOWl
UgnE9Ik1hORxmXTawFy38gmxledu47lsoFaerc38lGRmVPQ8ty3xtlafTOxgg3Cq
yfieA8nbpVjdSO6uABmKM9zEyhE7bugZ4PiDoVd6PyodRf73nudn10mxRaBGvQkG
xQrzyBJ4KSmYs0fVPh2iUBWKq8aTzwt+bFbb//K6VhGV2Q5DwkTxT+7H3aUTxome
FKrGtjs6YGFJP41atbZw7GunWZjXPoKqontFPl9XZlHVwXykcYsqFCkn8IMLznsH
UsfF2A20YOk0yW0LtjVPROikIsQk0A+chtUEmb8g7oFD7AdhdxaG5rR5AFhnZc0=
=1zaG
-----END PGP SIGNATURE-----
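The "track client" behaviour described in the announcement above, written out as an added example in C. This is not Sagan's own code and does not reflect how sagan-track-client is implemented; it assumes a classic syslog line layout ("Mon DD HH:MM:SS host program: msg"), a small fixed-size host table, a 300-second silence threshold, and constructed sample log lines with simulated arrival times. Each host gets one DOWN alert when it has been silent longer than the threshold and one UP alert when it reports again, so a flapping host does not flood the console.

```c
/* Added example (not Sagan's code): track which hosts are still sending
 * logs, alert once when one goes silent, alert again when it returns. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_HOSTS 64       /* assumed table size for this example */
#define HOST_LEN  64

enum alert_type { ALERT_NONE = 0, ALERT_DOWN = 1, ALERT_UP = 2 };

struct tracked_host {
    char   name[HOST_LEN];
    time_t last_seen;      /* arrival time of the newest line from this host */
    int    down;           /* 1 after we have alerted that it went silent */
};

struct client_tracker {
    struct tracked_host hosts[MAX_HOSTS];
    int    count;
    time_t timeout;        /* seconds of silence before a host is declared down */
    int    alerts_down;    /* running totals */
    int    alerts_up;
};

void tracker_init(struct client_tracker *t, time_t timeout)
{
    memset(t, 0, sizeof *t);
    t->timeout = timeout;
}

/* Pull the hostname out of "Dec  5 10:00:00 web01 sshd[123]: msg" -> "web01".
 * Returns 1 on success, 0 if the line does not have four fields. */
int parse_syslog_host(const char *line, char *host, size_t len)
{
    char buf[HOST_LEN];
    if (len == 0 || sscanf(line, "%*s %*s %*s %63s", buf) != 1)
        return 0;
    snprintf(host, len, "%s", buf);
    return 1;
}

static struct tracked_host *find_or_add(struct client_tracker *t, const char *name)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->hosts[i].name, name) == 0)
            return &t->hosts[i];
    if (t->count == MAX_HOSTS)
        return NULL;       /* table full: the caller drops the line */
    struct tracked_host *h = &t->hosts[t->count++];
    snprintf(h->name, sizeof h->name, "%s", name);
    h->down = 0;
    return h;
}

/* Feed one incoming log line. Returns ALERT_UP if the host had been marked down. */
enum alert_type tracker_seen(struct client_tracker *t, const char *line, time_t now)
{
    char host[HOST_LEN];
    if (!parse_syslog_host(line, host, sizeof host))
        return ALERT_NONE;
    struct tracked_host *h = find_or_add(t, host);
    if (!h)
        return ALERT_NONE;
    h->last_seen = now;
    if (h->down) {         /* silent host is talking again: one UP alert */
        h->down = 0;
        t->alerts_up++;
        printf("[UP]   %s is sending logs again (t=%ld)\n", h->name, (long)now);
        return ALERT_UP;
    }
    return ALERT_NONE;
}

/* Periodic sweep (a timer would drive this in a daemon). Marks hosts that have
 * been silent longer than the timeout and returns how many were newly marked. */
int tracker_sweep(struct client_tracker *t, time_t now)
{
    int newly_down = 0;
    for (int i = 0; i < t->count; i++) {
        struct tracked_host *h = &t->hosts[i];
        if (!h->down && now - h->last_seen > t->timeout) {
            h->down = 1;
            t->alerts_down++;
            newly_down++;
            printf("[DOWN] %s stopped reporting (last seen t=%ld, now t=%ld)\n",
                   h->name, (long)h->last_seen, (long)now);
        }
    }
    return newly_down;
}

/* Constructed scenario: two hosts, 300 s timeout, simulated arrival times in seconds. */
struct client_tracker run_sample(void)
{
    struct client_tracker t;
    tracker_init(&t, 300);
    tracker_seen(&t, "Dec  5 10:00:00 web01 sshd[123]: Accepted publickey for ops", 0);
    tracker_seen(&t, "Dec  5 10:00:00 db01 postgres[99]: checkpoint complete", 0);
    tracker_seen(&t, "Dec  5 10:02:00 web01 nginx: GET /index.html 200", 120);
    tracker_sweep(&t, 200);  /* nobody silent for more than 300 s yet */
    tracker_sweep(&t, 400);  /* db01 silent for 400 s -> DOWN */
    tracker_seen(&t, "Dec  5 10:07:30 web01 nginx: GET /health 200", 450);
    tracker_seen(&t, "Dec  5 10:07:30 db01 postgres[99]: checkpoint complete", 450); /* UP */
    tracker_sweep(&t, 800);  /* both silent for 350 s -> DOWN, DOWN */
    tracker_seen(&t, "Dec  5 10:15:00 web01 cron[7]: job done", 900);  /* UP */
    return t;
}

int main(void)
{
    struct client_tracker t = run_sample();
    printf("down alerts: %d, up alerts: %d\n", t.alerts_down, t.alerts_up);
    return 0;
}
```

The sweep is deliberately separate from the per-line path: a host that simply never sends another line would otherwise never trigger a DOWN alert, because there is no incoming event to notice its absence. Running the sample produces three DOWN alerts and two UP alerts.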