DESCRIPTIONThis manual page documents briefly the sagan command.
sagan is a multi-threaded, real time system- and event-log monitoring
system, but with a twist. Sagan uses a “Snort” like rule set for
detecting malicious events happening on your network and/or computer
If Sagan detects a potentially bad event, that event can be stored to a Snort database (MySQL/PostgreSQL), send it to a SIEM tool like Prelude, or send an email.
Sagan is meant to be used in a ‘centralized’ logging environment, but will work fine as part of a standalone Host IDS system for workstations.
OPTIONSThese programs follow the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below.
- -h, --help
- Show summary of options.
- -d, --debug
- Enable debugging
- -D, --daemon
- Make process a daemon (fork to the background)
- -U, --user
- Run as user (defaults to 'sagan')
- -c, --chroot
- Chroot to username 'sagan's home
- -f, --config
- Sagan configuration file to load
- -p, --program
- Run Sagan in syslog-ng's 'program' mode