Installing Sagan - Snorby/snorby GitHub Wiki
Quick Note: The latest install instructions can always be found here: https://wiki.quadrantsec.com/bin/view/Main/SaganInstall
Use apt to download libpcre (required by Sagan) and dumbnet (required for unified2 logging, so required for use with Snorby).
apt-get install libpcre3-dev libpcre3 libdumbnet1 libdumbnet-dev
Depending on whether you're using mysql or postgres, you'll also run
sudo apt-get install libmysqlclient15-dev
or
sudo apt-get install postgresql-server-dev-8.4
respectively.
The Sagan team suggests using liblognorm. While they state it's available for Debian through apt, the suggested method is using git.
If you decide to install it this way, first install autoconf, which the command sequence below requires:
sudo apt-get install autoconf
Here is the procedure from the liblognorm page on the Quadrant wiki (https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm, which was taken from http://www.liblognorm.com/help/first-steps-using-liblognorm/):
In order to install from the 'git' source, open a terminal and enter these commands in this order (note that the git:// transport is unauthenticated cleartext, so check what you fetched before building it):
git clone git://git.adiscon.com/git/libestr.git
cd libestr
autoreconf -vfi
./configure --libdir=/usr/lib --includedir=/usr/include
make
sudo make install
cd ..
# Now on to libee
git clone git://git.adiscon.com/git/libee.git
cd libee
autoreconf -vfi
./configure --libdir=/usr/lib --includedir=/usr/include
make
sudo make install
cd ..
# Now on to liblognorm
git clone git://git.adiscon.com/git/liblognorm.git
cd liblognorm
autoreconf -vfi
./configure --libdir=/usr/lib --includedir=/usr/include
make
sudo make install
Download the latest from http://sagan.softwink.com/download/ (this should be http://sagan.softwink.com/download/sagan-current.tar.gz).
Run
tar -zxvf sagan-current.tar.gz && cd sagan-0.2.0/
Sagan tries to compile with all options. Snorby supports emailing and I don't see the point in doubling up email, so we'll use the --disable-esmtp flag. For the moment, we're not using Prelude, so we'll disable it with the --disable-prelude flag.
If you're using mysql for the database, type:
./configure --disable-esmtp --disable-postgresql --disable-prelude && make && sudo make install
If you're using postgres for the database, type:
./configure --disable-esmtp --disable-mysql --disable-prelude && make && sudo make install
If you're using the preferred barnyard2 method, locate Sagan's configuration file (it should be at /usr/local/etc/sagan.conf). Find the line that says
output unified2: filename sagan.u2, limit 128
and uncomment it.
If you did not decide to use barnyard2, use the same Sagan config file and add the following lines, substituting your own information:
sagan_hostname sagan
sagan_interface syslog
sagan_filter none
sagan_detail 1
output database: log, mysql, user=sagan password=secret dbname=snorby host=localhost
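As an added example (not code from the Snorby wiki or the Sagan project), the following POSIX shell functions make the sagan.conf edits above repeatable and check the result: one uncomments the unified2 output line idempotently, one verifies it is active, and one flags a database output line that still carries the wiki's placeholder password. It assumes the line formats shown on this page and works on a constructed sample file rather than /usr/local/etc/sagan.conf.

```shell
#!/bin/sh
# Constructed sample config standing in for /usr/local/etc/sagan.conf.
# Written to the path given as $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Sagan configuration (constructed sample, not a real sagan.conf)
sagan_hostname sagan
sagan_interface syslog
sagan_filter none
sagan_detail 1
#output unified2: filename sagan.u2, limit 128
output database: log, mysql, user=sagan password=secret dbname=snorby host=localhost
EOF
}

# Uncomment the "output unified2:" line in the file given as $1.
# Only a leading "#" (plus optional spaces) is stripped, so running this
# twice leaves the file unchanged. Uses a temp file instead of sed -i for
# portability.
enable_unified2() {
  sed 's/^#[[:space:]]*\(output unified2:.*\)$/\1/' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Return 0 if exactly one active unified2 output line exists, 1 otherwise.
unified2_enabled() {
  n=$(grep -c '^output unified2:' "$1" || true)
  [ "$n" -eq 1 ]
}

# Return 0 if an active database output line still uses the placeholder
# password from the wiki example; such a line should be changed before
# the config goes into service.
has_placeholder_password() {
  grep -q '^output database:.*password=secret' "$1"
}

# Stand-alone usage: build the sample, enable unified2, report the checks.
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  make_sample_conf "$f"
  enable_unified2 "$f"
  unified2_enabled "$f" && echo "unified2 output enabled"
  has_placeholder_password "$f" && echo "warning: placeholder db password"
  rm -f "$f"
fi
```

Run it as `sh script.sh demo` to see the checks on the sample file; point the functions at a copy of your real sagan.conf to apply them there.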