Sagan User Guide

• 1. What is Sagan?
  • 1.1. License
• 2. Installation
  • 2.1. libpcre (Regular Expressions)
  • 2.2. libyaml (YAML configuration files)
  • 2.3. Other dependencies
  • 2.4. liblognorm (Normalization)
  • 2.5. libfastjson (JSON)
  • 2.6. libesmtp (SMTP)
  • 2.7. libmaxminddb (GeoIP)
  • 2.8. hiredis (Redis)
  • 2.9. libpcap (Sniffing logs)
• 3. Compiling Sagan
  • 3.1. Quick start from source
  • 3.2. A more complete quick start
  • 3.3. Prerequisites
  • 3.4. Common configure options
  • 3.5. Post-installation setup and testing
• 4. Syslog Configuration
  • 4.1. rsyslog - “pipe” mode
  • 4.2. rsyslog - JSON mode
  • 4.3. syslog-ng - “pipe” mode
  • 4.4. syslog-ng - JSON mode
  • 4.5. nxlog
  • 4.6. other sources
• 5. Sagan Configuration
  • 5.1. Sagan with JSON input
• 6. vars
• 7. sagan-core
  • 7.1. core
  • 7.2. parse_ip
  • 7.3. selector
  • 7.4. redis-server (experimental)
  • 7.5. mmap-ipc
  • 7.6. ignore_list
  • 7.7. liblognorm
  • 7.8. plog
• 8. processors
  • 8.1. track-clients
  • 8.2. rule-tracking
  • 8.3. perfmonitor
  • 8.4. blacklist
  • 8.5. bluedot
  • 8.6. zeek-intel (formally “bro-intel”)
  • 8.7. dynamic-load
• 9. outputs
  • 9.1. eve-log
  • 9.2. alert
  • 9.3. fast
  • 9.4. smtp
  • 9.5. syslog
• 10. rule-files
• 11. Rule syntax
• 12. Rule Keywords
  • 12.1. after
  • 12.2. alert_time
  • 12.3. append_program
  • 12.4. blacklist
  • 12.5. bluedot
  • 12.6. classtype
  • 12.7. content
  • 12.8. country_code
  • 12.9. default_proto
  • 12.10. default_dst_port
  • 12.11. default_src_port
  • 12.12. depth
  • 12.13. distance
  • 12.14. dynamic_load
  • 12.15. email
  • 12.16. event_id
  • 12.17. external
  • 12.18. syslog_facility
  • 12.19. flexbits
  • 12.20. flexbits_pause
  • 12.21. json_content
  • 12.22. json_nocase
  • 12.23. json_contains
  • 12.24. json_pcre
  • 12.25. json_meta_content
  • 12.26. json_meta_nocase
  • 12.27. json_meta_contains
  • 12.28. syslog_level
  • 12.29. meta_content
  • 12.30. meta_depth
  • 12.31. meta_distance
  • 12.32. meta_offset
  • 12.33. meta_nocase
  • 12.34. meta_within
  • 12.35. msg
  • 12.36. nocase
  • 12.37. normalize
  • 12.38. offset
  • 12.39. parse_dst_ip
  • 12.40. parse_port
  • 12.41. parse_proto
  • 12.42. parse_proto_program
  • 12.43. parse_hash
  • 12.44. parse_src_ip
  • 12.45. pcre
  • 12.46. priority
  • 12.47. program
  • 12.48. reference
  • 12.49. rev
  • 12.50. sid
  • 12.51. syslog_tag
  • 12.52. threshold
  • 12.53. within
  • 12.54. xbits
  • 12.55. xbits_pause
  • 12.56. xbits_upause
  • 12.57. zeek-intel
• 13. Sagan Peek
  • 13.1. What is “saganpeek”
  • 13.2. Building “saganpeek”
• 14. Sagan & JSON
  • 14.1. Why JSON?
  • 14.2. Different method of JSON input
  • 14.3. JSON “mapping”
  • 14.4. How JSON nest are processed
  • 14.5. When mapping is not needed
  • 14.6. Mappable JSON Fields
  • 14.7. JSON via named pipe (FIFO)
  • 14.8. JSON via syslog message field
• 15. Journald
  • 15.1. What is “journald”?
  • 15.2. Analyzing journald logs locally
  • 15.3. Analyzing journald logs remotely
• 16. High Performance Considerations
  • 16.1. batch-size
  • 16.2. Rule sets
  • 16.3. Rule order of execution
• 17. Contributing & Coding Style
  • 17.1. How to contribute to Sagan
  • 17.2. Coding guidelines and style
• 18. Sagan Blogs
  • 18.1. Dynamic Rules with Sagan.
  • 18.2. What the Sagan Log Analysis Engine Is… and What It Is Not.
  • 18.3. Sagan 1.0.0 log analysis engine released!
  • 18.4. Sagan output to other SIEMs
  • 18.5. Sagan Flowbit
• 19. Articles about Sagan
  • 19.1. Reading
  • 19.2. Audio/Video
  • 19.3. Presentations/Papers
• 20. Getting help
• 21. TODO