Simply using Sagan on your laptop or workstation.....

When I say "simply", I mean running Sagan in its most basic way. In this short article, we're not going to touch the bells and whistles of Sagan. Rather, we're going for the good old KISS (Keep It Simple Stupid) model. This means Sagan will not be using a Snort database back end or the correlation engine. We simply want Sagan to tell us, on our workstation, via a "pop up window" when it sees something "bad" happening.

Something "bad" could be a multitude of things. A short list might be:

  • Hardware failure (i.e. a hard drive)
  • Kernel issues (panic, etc.)
  • Someone or something attempting to access your workstation or laptop remotely.

One nice thing about running Sagan in this mode is the efficiency. Sagan was written to be a lean, mean, log analysis machine. This means that Sagan typically only uses a couple of megabytes of memory and very little CPU. While Sagan was built this way to handle high amounts of traffic efficiently, it also works very well on systems that don't see large amounts of log traffic. Since we're using the KISS model for this article, compilation and configuration is pretty simple.

First off, you'll want to download the latest and greatest version of Sagan. This can be found at You'll want to grab "sagan-current.tar.gz", which is a symbolic link to the latest and greatest release. Once you've downloaded it, simply untar/gunzip it.

$ tar -zxvpf sagan-current.tar.gz
$ cd sagan-{version}  

For more detailed instructions you can read the SaganHOWTO. The only output plugin we'll be using is the "external" one, which has no external dependencies. With this in mind, there's no need to compile in MySQL and PostgreSQL support. So we compile Sagan with the most simple options:

$ ./configure --disable-mysql --disable-postgresql --disable-esmtp  

Basically, Sagan will be built with the bare bones. Nothing fancy, no bells - no whistles... Once the ./configure process is done, type:

$ make
$ sudo make install

This will install Sagan system-wide. Typically, the binary ends up in the /usr/local/bin directory.
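The article stops at the install step and leaves the "pop up window" part to Sagan's "external" output plugin. Below is an added example of what such an external handler could look like; it is not a script shipped with Sagan or written by the article's author. It assumes Sagan is configured to run the script as its external output program (how to do that is in the SaganHOWTO, not here) and that Sagan hands the alert text to the script on standard input; the exact alert format (plain text or JSON) varies by Sagan version, so the script treats whatever arrives as opaque text. It strips control characters before passing the message to a desktop notifier, so a crafted log line cannot smuggle terminal escape sequences through the alert path, and it falls back to stderr when no notifier is available.

```shell
#!/bin/sh
# sagan-popup.sh: hypothetical Sagan "external" output handler (added example,
# not Sagan's own code).  ASSUMPTION: Sagan writes the alert to our stdin.

# Reduce an alert of arbitrary text to a single line that is safe to hand to a
# desktop notifier: drop control characters (keeping tab and newline), fold
# newlines into spaces, and cap the length so a huge log line cannot flood
# the notification popup.
summarize_alert() {
    tr -d '\000-\010\013-\037' | tr '\n' ' ' | cut -c1-200
}

# Pick the best notifier available on this workstation.  Returns one of
# "notify-send", "xmessage" or "stderr".
pick_notifier() {
    if command -v notify-send >/dev/null 2>&1; then
        echo notify-send
    elif command -v xmessage >/dev/null 2>&1; then
        echo xmessage
    else
        echo stderr
    fi
}

# Show one alert message using whichever notifier pick_notifier chose.
show_alert() {
    msg=$1
    case $(pick_notifier) in
        notify-send) notify-send -u critical "Sagan alert" "$msg" ;;
        xmessage)    xmessage -center "Sagan alert: $msg" & ;;
        *)           printf 'Sagan alert: %s\n' "$msg" >&2 ;;
    esac
}

# Only act on stdin when executed as the handler itself (not when the file is
# sourced to reuse its functions), so nothing blocks waiting for input.
case ${0##*/} in
    sagan-popup.sh) show_alert "$(summarize_alert)" ;;
esac
```

Make the script executable and point Sagan's external output at it; to try it by hand, pipe a line of text into `sh sagan-popup.sh` and a notification (or a line on stderr) should appear.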
Topic revision: r1 - 2010-08-30 - ChampClark