Sagan 2.0.0 release.


Da Beave

Jan 11, 2021, 12:15:23 PM (7 days ago) Jan 11
to sagan-users

Quadrant Information Security (https://quadrantsec.com) is proud to release version 2.0.0 of the Sagan log analysis engine! Some of the major updates to this release are:

* The Sagan repos have moved! They can now be found at:

* New JSON parsing options (json_content, json_pcre, etc.). This makes decoding JSON-based logs and writing rules for them easier. See https://sagan.readthedocs.io/en/latest/sagan-json.html#sagan-json for more details.

* Sagan EVE now stores more GeoIP information (if available). With the use of the Maxmind "city" GeoIP2 databases, Sagan will record "city", "postal codes", "latitude", "longitude", etc.

* Statistics are now written in a JSON format similar to Suricata JSON stats. This will replace the legacy "perfmon" stats output in 2.0.1.

* Introduction of the "event_id" rule option to automagically parse Windows event IDs from logs.

* New "metadata" rule option for rules. This works the same as Suricata's "metadata" rule option.

* Added "normalization" data to EVE output.

* New "append_program" rule option. This option appends the "program" field to the end of the syslog message. This can be useful when program fields are erratic and cannot be depended on.

* Removed "Snortsam" and "Unified2" support.

* Rewrote the way EVE files are written to better handle file rotation and automatic EVE file recreation.

* Statistics now record "bytes_total" and "bytes_ignored". This can be useful to determine how much data Sagan has processed.

* New "client-stats" configuration option. This option will take a single log message every few minutes (user specified) and record it in a separate file. This can be useful for providing an "example" of the types of data a host is sending.

* Better validation of signatures upon start up.

* A lot of stability, memory and CPU enhancements that make sure Sagan is as stable as possible.
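To make the "client-stats" idea above concrete, here is an added illustration (constructed for this page, not Sagan's own code or configuration) of a per-host sampler: for every sending host it keeps one example log line per user-specified interval and writes it as a JSON record to a separate output, so an analyst can see what kind of data each host emits without retaining every line. The syslog line layout (`<host> <program>: <message>`), the field names in the JSON record, and the `ClientStatsSampler` class are all assumptions made for the example.

```python
"""Constructed illustration of a "client-stats"-style sampler.

Not Sagan's implementation: the line format, field names and class are
assumptions made for this example.
"""
import io
import json
from typing import Dict, List, Optional, TextIO, Tuple


def parse_syslog(line: str) -> dict:
    """Split a constructed '<host> <program>: <message>' line into fields.

    A line with no 'program: ' prefix gets an empty program so the sampler
    still records an example for the host (the note above mentions erratic
    program fields as a real-world condition).
    """
    host, _, rest = line.strip().partition(" ")
    program, sep, message = rest.partition(": ")
    if not sep:
        program, message = "", rest
    return {"host": host, "program": program, "message": message}


class ClientStatsSampler:
    """Keep one example line per host every `interval_seconds` seconds."""

    def __init__(self, interval_seconds: int, out: TextIO):
        self.interval = interval_seconds
        self.out = out
        self.last_sample: Dict[str, float] = {}  # host -> time of last example
        self.lines_seen = 0
        self.samples_written = 0

    def observe(self, line: str, now: float) -> Optional[dict]:
        """Feed one log line; return the JSON record if it was sampled."""
        self.lines_seen += 1
        rec = parse_syslog(line)
        host = rec["host"]
        last = self.last_sample.get(host)
        if last is not None and now - last < self.interval:
            return None  # host already has an example for this interval
        self.last_sample[host] = now
        event = {
            "timestamp": now,
            "event_type": "client_stats",  # assumed record type name
            "src_host": host,
            "program": rec["program"],
            "example": rec["message"],
        }
        self.out.write(json.dumps(event) + "\n")
        self.samples_written += 1
        return event

    def stats(self) -> dict:
        return {
            "hosts": len(self.last_sample),
            "lines_seen": self.lines_seen,
            "samples_written": self.samples_written,
        }


def run_demo(interval_seconds: int = 300) -> Tuple[List[dict], str, dict]:
    """Run the sampler over constructed lines; return (sampled events, output, stats)."""
    out = io.StringIO()
    sampler = ClientStatsSampler(interval_seconds, out)
    # Constructed sample input: (seconds since start, syslog line).
    feed = [
        (0, "web01 sshd: Accepted publickey for alice from 10.0.0.5 port 51234"),
        (10, "web01 sshd: Disconnected from user alice 10.0.0.5 port 51234"),
        (12, "db01 postgres: connection authorized: user=app database=orders"),
        (200, "web01 nginx: 10.0.0.9 - GET /health 200"),
        (301, "web01 cron: (root) CMD (run-parts /etc/cron.hourly)"),
        (305, "db01 kernel message without a program prefix"),
    ]
    events = [e for t, line in feed if (e := sampler.observe(line, float(t)))]
    return events, out.getvalue(), sampler.stats()


if __name__ == "__main__":
    sampled, output, counters = run_demo()
    print(output, end="")
    print(counters)
```

With a 300-second interval, the constructed feed yields three records: the first line from web01, the first from db01, and the web01 line at 301 seconds once its interval has elapsed; the db01 line at 305 seconds is still inside db01's window and is skipped. The output is one JSON object per line, which keeps it easy to ship alongside Sagan's other JSON outputs.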
