VAST v3.1 is out. This is a small checkpointing release that brings a few new changes and fixes.
The old pipeline execution engine is now gone and we updated VAST to use
the new engine everywhere. Most notably this applies to the
the compaction engine, and the
query REST interface.
For this release, we removed support for configuration level export and import pipelines. This feature will make a return in the next major release.
We also removed the deprecated YAML-based pipeline syntax to fully concentrate on the VAST Language.
We introduced several new operators:
tail: limits the input to the last N events.
unique: removes adjacent duplicates
measure: replaces the input with incremental metrics describing the input.
version: returns a single event displaying version information of VAST. (Now
from: produces events by combining a connector and a format.
read: a short form of
fromthat allows for omitting the connector.
to: consumes events by combining a connector and format.
write: a short form of
tothat allows for omitting the connector.
extend operators have been updated to
work with selectors and extractors. Check out the growing list of
You can now define aliases for operators in the configuration file. Use it to assign a short and reusable name for operators that would otherwise require several arguments. For example:
Now use it like a regular operator in a pipeline:
from file read suricata | aggregate_flows
Improved IPv6 Subnet Handling
The handling of subnets in the IPv6 space received multiple fixes:
- The expression
:ip !in ::ffff:0:0/96now finds all events that contain IPs that cannot be represented as IPv4 addresses.
- Subnets with a prefix above 32 are now correctly formatted with an IPv6 network part, even if the address is representable as IPv4.
A More Resilient Systemd Service
The systemd unit for VAST now automatically restarts the node in case the process went down.