Sagan's rules are in /usr/local/etc/sagan and can be edited.
For security, sudo is restricted to starting rsyslog and Sagan.
Designed to be used with the ISLET training system.
demo@sagan:~$ sudo service rsyslog start
demo@sagan:~$ sudo sagan -D
demo@sagan:~$ cat /var/log/sagan/alert
[**] [1:5000133] [SU] Successful sudo to ROOT executed [**]
[Classification: successful-admin] [Priority: 1]
2014-12-05 01:06:42 192.168.0.1:514 -> 192.168.0.1:514 authpriv notice
Message: demo : TTY=console ; PWD=/home/demo ; USER=root ;
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000133]
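The alert above shows Sagan's multi-line alert file format: a header with the generator and signature ids and the rule message, a classification and priority line, a timestamp with source and destination, the syslog facility and level, the original log message, and an Xref line. The following Python is an added example written for this page, not code from Sagan or ISLET. It parses that format into structured records (the sample alert text is the one shown above, embedded here as a constant) and splits the sudo message into its fields so the alert can be triaged or forwarded by script rather than read by eye.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the alert from /var/log/sagan/alert shown on this page.
SAMPLE_ALERT_FILE = """\
[**] [1:5000133] [SU] Successful sudo to ROOT executed [**]
[Classification: successful-admin] [Priority: 1]
2014-12-05 01:06:42 192.168.0.1:514 -> 192.168.0.1:514 authpriv notice
Message: demo : TTY=console ; PWD=/home/demo ; USER=root ;
[Xref => http://wiki.quadrantsec.com/bin/view/Main/5000133]
"""

# One regex per line type in the alert block.
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+)\] (.*?) \[\*\*\]$')
CLASS_RE = re.compile(r'^\[Classification: (.*?)\] \[Priority: (\d+)\]$')
FLOW_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$')
MSG_RE = re.compile(r'^Message: (.*)$')
XREF_RE = re.compile(r'^\[Xref => (\S+)\]$')


@dataclass
class SaganAlert:
    gid: int
    sid: int
    msg: str
    classification: str = ''
    priority: int = 0
    timestamp: str = ''
    src_ip: str = ''
    src_port: int = 0
    dst_ip: str = ''
    dst_port: int = 0
    facility: str = ''
    level: str = ''
    message: str = ''
    xrefs: List[str] = field(default_factory=list)


def parse_alert_file(text: str) -> List[SaganAlert]:
    """Parse the contents of a Sagan alert file into a list of alerts.

    A new alert starts at every '[**] ... [**]' header; the lines that
    follow are attached to the most recent header until the next one.
    """
    alerts: List[SaganAlert] = []
    current: Optional[SaganAlert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = SaganAlert(gid=int(m.group(1)), sid=int(m.group(2)),
                                 msg=m.group(3))
            alerts.append(current)
            continue
        if current is None:
            continue  # stray text before the first header; ignore it
        m = CLASS_RE.match(line)
        if m:
            current.classification, current.priority = m.group(1), int(m.group(2))
            continue
        m = FLOW_RE.match(line)
        if m:
            (current.timestamp, current.src_ip, sport, current.dst_ip, dport,
             current.facility, current.level) = m.groups()
            current.src_port, current.dst_port = int(sport), int(dport)
            continue
        m = MSG_RE.match(line)
        if m:
            current.message = m.group(1)
            continue
        m = XREF_RE.match(line)
        if m:
            current.xrefs.append(m.group(1))
    return alerts


def sudo_fields(message: str) -> Dict[str, str]:
    """Split a sudo log line ('user : KEY=value ; KEY=value ; ...') into a dict.

    The invoking user is returned under the key 'invoking_user'. Values are
    assumed not to contain ' ; ' themselves.
    """
    user, _, rest = message.partition(' : ')
    fields = {'invoking_user': user.strip()}
    for part in rest.split(';'):
        key, sep, value = part.strip().partition('=')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def high_priority(alerts: List[SaganAlert], max_priority: int = 1) -> List[SaganAlert]:
    """Keep alerts whose priority is at least as urgent as max_priority (1 = highest)."""
    return [a for a in alerts if a.priority and a.priority <= max_priority]


if __name__ == '__main__':
    for alert in high_priority(parse_alert_file(SAMPLE_ALERT_FILE)):
        print(alert.sid, alert.msg, sudo_fields(alert.message))
```

Pointing parse_alert_file at the real file (for example, open('/var/log/sagan/alert').read()) instead of the embedded sample gives the same records for every alert Sagan has written; high_priority is the simplest possible triage step and is where a rule's Priority value becomes actionable.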