Sagan Real-Time Log/Event Monitoring & Correlation presented at Berlinsides 2010

by Beave

Tags: Monitoring

URL : http://berlinsides.org/node/6

Summary : When your network is being attacked, you need all the information you can get in order to protect yourself. IDS/IPS (Intrusion Detection/Intrusion Prevention Systems) like Snort are great. However, you might only be seeing half of the picture. Today, almost every device you put on your network has the ability to log information (via syslog or SNMP traps). This means that during an attack you might have thousands of log entries that contain vital information. If you're not actively monitoring these logs, you're missing a lot of potential attack data. Sagan is a new, open source way of dealing with logs. Rather than storing events in 'yet another database', Sagan can store events in your existing Snort or Prelude database back end. This means that your IDS/IPS data (packet level) and your log data are in the same place, so you can have a single console to view events (think BASE, Snorby or Prelude). Sagan will attempt to correlate your packet-level alerts (Snort) with your log-level events. Not a Snort user? That's okay, since Sagan supports multiple output formats that any network administrator will find useful. For more information, please see: http://sagan.softwink.com
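The correlation the summary describes, joining packet-level IDS alerts with log-level events from the same source, is illustrated below with an added Python example. It is not Sagan's code and does not show Sagan's rule language or its Snort/Prelude database output; the syslog lines and the Snort fast-alert-style lines are constructed for the example, and the 300-second window, the assumed year for the year-less syslog timestamps, and the alert line format are assumptions of this illustration.

```python
"""Correlate IDS alerts with syslog events from the same source IP.

Added illustration of the log/packet correlation idea; not Sagan's own code.
All sample lines below are constructed. The alert lines follow the style of
Snort's "fast" alert output, which is an assumption of this example.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2010  # syslog timestamps carry no year; assumed for the constructed sample

# Constructed syslog lines: an SSH brute-force attempt from 203.0.113.7 and one
# unrelated successful login from another address.
SYSLOG_LINES = """\
Oct  5 10:14:01 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct  5 10:14:03 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 40123 ssh2
Oct  5 10:14:05 host1 sshd[2231]: Failed password for admin from 203.0.113.7 port 40124 ssh2
Oct  5 10:30:00 host1 sshd[2400]: Accepted publickey for ops from 198.51.100.20 port 51000 ssh2
""".splitlines()

# Constructed IDS alerts in Snort fast-alert style (gid:sid:rev, message, src -> dst).
ALERT_LINES = """\
10/05-10:13:58.112233  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.7:40100 -> 192.0.2.10:22
10/05-11:02:10.000001  [**] [1:1000001:1] LOCAL Example web alert [**] [Priority: 3] {TCP} 198.51.100.99:1234 -> 192.0.2.10:80
""".splitlines()

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\]"
    r".*\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def parse_syslog(lines):
    """Return failed-login events (ts, host, ip, user) from raw syslog lines."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        f = FAILED_RE.search(m["msg"])
        if not f:
            continue  # only failed logins are kept as events here
        # Collapse the double space in "Oct  5" before parsing, then add the year.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=YEAR)
        events.append({"ts": ts, "host": m["host"], "ip": f["ip"], "user": f["user"]})
    return events


def parse_alerts(lines):
    """Return IDS alerts (ts, sid, msg, src, dst) from fast-alert-style lines."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S").replace(year=YEAR)
        alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts


def correlate(alerts, events, window_s=300):
    """Join each alert with log events from the same source IP within window_s.

    Returns only alerts that have at least one related log event, so a
    packet-level alert with no supporting log activity drops out.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = []
    for a in alerts:
        related = [e for e in by_ip.get(a["src"], [])
                   if abs((e["ts"] - a["ts"]).total_seconds()) <= window_s]
        if related:
            hits.append({"alert": a, "events": related})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_alerts(ALERT_LINES), parse_syslog(SYSLOG_LINES)):
        a = hit["alert"]
        print(f"{a['ts']} sid {a['sid']} {a['src']} -> {a['dst']}: {a['msg']}")
        for e in hit["events"]:
            print(f"    {e['ts']} {e['host']}: failed login as {e['user']}")
```

On the constructed input the SSH scan alert is joined with the three failed logins that follow it within seven seconds, while the web alert from 198.51.100.99 has no log activity and is not reported. A real deployment would key on more than source IP (destination, service, rule classification) and would read the two sources from their actual outputs rather than from embedded strings.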