Quadrant Information Security (https://quadrantsec.com) is proud to release version 2.0.0 of the Sagan log analysis engine! Some of the major updates in this release are:
* The Sagan repos have moved! They can now be found at:
* Sagan EVE now stores more GeoIP information (if available). With the use of the Maxmind “city” GeoIP2 databases, Sagan will record “city”, “postal codes”, “latitude”, “longitude”, etc.
* Statistics are now written in a JSON format similar to Suricata JSON stats. This will replace the legacy “perfmon” stats output in 2.0.1.
* Introduction of the “event_id” rule option to automagically parse Windows event IDs from logs.
* New “metadata” rule option for rules. This works the same as Suricata’s “metadata” rule options.
* Added “normalization” data to EVE output.
* New “append_program” rule option. This option appends the “program” field to the end of the syslog message. This can be useful when program fields are erratic and cannot be depended on.
* Removed “Snortsam” and “Unified2” support.
* Rewrote the way EVE files are written to better handle file rotation and automatic EVE file recreation.
* Statistics now record “bytes_total” and “bytes_ignored”. This can be useful to determine how much data Sagan has processed.
* New “client-stats” configuration option. This option will take a single log message every few minutes (user specified) and record it to a separate file. This can be useful for providing an “example” of the types of data a host is sending.
* Better validation of signatures upon start up.
* A lot of stability, memory and CPU enhancements to make sure Sagan is as stable as possible.