Sagan works much like Intrusion Detection System (IDS) engines such as Snort and Suricata. However, rather than analyzing network packets, Sagan analyzes logs for malicious activity. Due to Sagan’s multi-threaded nature, the analysis, detection, and correlation are done in 100% real time. Champ Clark III and his team have been working hard to develop and support Sagan since 2010 in an effort to release the best open source (GNU/GPLv2) log analysis engine in the space. The log analysis engine is primarily meant to run on Linux systems.