This repository contains automated deployment scripts for setting up a test environment with Sagan log analysis engine and Suricata IDS on Azure using Terraform and Ansible. The environment is designed for testing security rules and can be easily deployed and torn down to minimize costs.
- Automated Infrastructure: One-command deployment and teardown
- Security Tools: Pre-configured Sagan and Suricata installations
- Rule Management: Includes Quadrant Security's Sagan rules repository
- Cost Efficient: Easy teardown to avoid ongoing charges
- Secure: SSH key authentication, dedicated users, network security groups
Before using this repository, you need to install and configure the following tools:
Azure CLI:

Ubuntu/Debian:
```bash
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```
Windows: Download and install from: https://aka.ms/installazurecliwindows

macOS:
```bash
brew install azure-cli
```
Verify installation:
```bash
az --version
```
Login to Azure:
```bash
az login
```

Terraform:

Ubuntu/Debian:
```bash
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
```
Windows: Download from: https://releases.hashicorp.com/terraform/

macOS:
```bash
brew install terraform
```
Alternative (any platform):
```bash
# Download manually
wget https://releases.hashicorp.com/terraform/1.6.6/terraform_1.6.6_linux_amd64.zip
unzip terraform_1.6.6_linux_amd64.zip
sudo mv terraform /usr/local/bin/
```
Verify installation:
```bash
terraform version
```

Ansible:

Install Python dependencies:
```bash
# Install Python 3 and pip (if not already installed)
sudo apt update
sudo apt install python3 python3-pip
# Install required Python packages
pip3 install -r requirements.txt
```
Verify Ansible installation:
```bash
ansible-playbook --version
```

SSH key:

Generate an SSH key pair for VM access:
```bash
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
```

Clone the repository and deploy:
```bash
git clone https://github.com/schlangens/azure-sagan/
cd azure-sagan
./scripts/deploy.sh
```
The script will:
- Create Azure VM with Debian 11
- Install and configure Sagan log analysis engine
- Install and configure Suricata IDS
- Clone the latest Quadrant Security rules
- Test both services
- Display SSH connection details
Connect to the VM:
```bash
# Use the IP address provided by the deployment script
ssh saganadmin@<PUBLIC_IP>
```
Once connected:
```bash
# Check service status
sudo systemctl status sagan
sudo systemctl status suricata
# View logs
sudo tail -f /var/log/sagan/sagan.log
sudo tail -f /var/log/suricata/fast.log
```
Tear down the environment when finished:
```bash
./scripts/teardown.sh
```

Project structure:
```
azure-sagan/
├── terraform/
│   └── main.tf                  # Azure infrastructure definition
├── ansible/
│   ├── inventory.yml            # Ansible inventory configuration
│   ├── playbooks/
│   │   ├── setup-system.yml     # System updates and base configuration
│   │   ├── install-sagan.yml    # Sagan installation and configuration
│   │   ├── install-suricata.yml # Suricata installation and configuration
│   │   └── test-services.yml    # Service testing and validation
│   └── templates/
│       ├── sagan.yaml.j2        # Sagan configuration template
│       ├── sagan.service.j2     # Sagan systemd service template
│       └── suricata.service.j2  # Suricata systemd service template
├── scripts/
│   ├── deploy.sh                # Automated deployment script
│   └── teardown.sh              # Environment destruction script
├── requirements.txt             # Python dependencies
├── CONTRIBUTING.md              # Contribution guidelines
└── README.md                    # This file
```
Sagan:
- Configuration: `/etc/sagan/`
  - Main config: `/etc/sagan/sagan.yaml`
- Rules: `/opt/sagan-rules/` (Quadrant Security repository)
- Logs: `/var/log/sagan/`
  - Main log: `/var/log/sagan/sagan.log`
- Runtime: `/var/run/sagan/`
- Data: `/var/lib/sagan/`
- Binary: `/usr/bin/sagan`

Suricata:
- Configuration: `/etc/suricata/`
  - Main config: `/etc/suricata/suricata.yaml`
- Rules: `/etc/suricata/rules/`
  - Test rules: `/etc/suricata/rules/test.rules`
  - Downloaded rules: `/var/lib/suricata/rules/`
- Logs: `/var/log/suricata/`
  - Fast log: `/var/log/suricata/fast.log`
  - EVE log: `/var/log/suricata/eve.json`
- Runtime: `/var/run/suricata/`
- Data: `/var/lib/suricata/`
- Binary: `/usr/bin/suricata`
Sagan configuration:
- Located at `/etc/sagan/sagan.yaml`
- Listens on UDP port 514 for syslog messages
- Uses rules from `/opt/sagan-rules/`
- Outputs to file and syslog

Suricata configuration:
- Located at `/etc/suricata/suricata.yaml`
- Monitors all network interfaces
- Includes test rules for basic traffic detection
- Outputs to fast.log and eve.json
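An added example (not part of the azure-sagan repository) covering the two data paths described above: it builds an RFC 3164 syslog line and sends it to Sagan's UDP 514 listener, and it parses Suricata fast.log lines into records you can assert on. Run it on the VM itself, since the network security group only admits SSH; the hostname, tag, message and the rule sid in the sample line are constructed values.

```python
"""Local checks for the Sagan/Suricata test VM (constructed example, not project code)."""
import re
import socket
from datetime import datetime

# Facility/severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6}


def build_syslog_message(facility, severity, hostname, tag, msg, when=None):
    """Return an RFC 3164 line such as '<38>Jan  5 12:00:00 host sshd[1]: text'."""
    when = when or datetime.now()
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    # RFC 3164 timestamps space-pad the day of month ("Jan  5", not "Jan 05").
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"


def send_syslog(message, host="127.0.0.1", port=514):
    """Deliver one message over UDP to Sagan's listener; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode(), (host, port))


# Layout of a Suricata fast.log alert line; the Classification field is optional.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?\s+\[Priority:\s+(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_fast_log(line):
    """Parse one /var/log/suricata/fast.log line into a dict, or None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"], rec["prio"] = int(rec["sid"]), int(rec["prio"])
    return rec


if __name__ == "__main__":
    # Constructed test event; watch /var/log/sagan/sagan.log for the result.
    send_syslog(build_syslog_message("auth", "info", "testhost", "sshd[4242]",
                                     "Accepted publickey for saganadmin from 10.0.0.4 port 51234 ssh2"))
    # Constructed sample line in fast.log layout (sid 9000001 is made up for this example).
    print(parse_fast_log("01/15/2024-12:34:56.123456  [**] [1:9000001:1] TEST rule [**] "
                         "[Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 10.0.0.4:8 -> 10.0.0.5:0"))
```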
Check service status:
```bash
sudo systemctl status sagan
sudo systemctl status suricata
```
Follow service logs:
```bash
sudo journalctl -u sagan -f
sudo journalctl -u suricata -f
```
Restart services:
```bash
sudo systemctl restart sagan
sudo systemctl restart suricata
```
Validate configuration files:
```bash
# Check Sagan configuration (if available)
sudo sagan -T -f /etc/sagan/sagan.yaml
# Check Suricata configuration
sudo suricata -T -c /etc/suricata/suricata.yaml
```
Azure Authentication:
```bash
az login
az account show
```
SSH Connection Issues:
- Ensure your public IP is correct
- Check that port 22 is open in the security group
- Verify SSH key permissions: `chmod 600 ~/.ssh/id_rsa`

Service Start Issues:
- Check configuration file syntax
- Verify user permissions on directories
- Review service logs for specific errors
Estimated Costs:
- Standard_B2s VM: ~$30-60/month if left running
- Standard SKU Public IP: ~$3-5/month
- Storage and networking: ~$5-10/month
Cost Savings Tips:
- Always use the teardown script when finished
- Consider using smaller VM sizes for basic testing
- Monitor usage with `az account get-access-token` and Azure Cost Management
- VM uses SSH key authentication only (no passwords)
- Services run under dedicated users (`sagan` and `suricata`)
- Network security group restricts access to SSH (port 22) only
- All sensitive data should be removed before committing to public repositories
- Fork the repository
- Create a feature branch
- Make your changes
- Test deployment and teardown
- Submit a pull request
This project is provided as-is for educational and testing purposes. Please review and comply with the licenses of the included security tools (Sagan and Suricata) and rule sets.
For issues related to:
- Sagan: Visit Quadrant Security's Sagan repository
- Suricata: Visit Suricata's official documentation
- This automation: Open an issue in this repository