Download the release on GitHub.
Features
Add -c as shorthand for --config
The long option --config, which sets an explicit path to the VAST
configuration file, now also has the short option -c.
PRs 632-726
When a record field has the #index=hash attribute, VAST will choose an
optimized index implementation. This new index type only supports (in)equality
queries and is therefore intended to be used with opaque types, such as unique
identifiers or random strings.
Add support for Apache Arrow
Added Apache Arrow as a new export format. This allows users to export query results as Apache Arrow record batches for downstream processing, e.g., in Python or Spark.
By @dominiklohmann in #633.
Allow configuring pcap snapshot length
The import pcap command now takes an optional snapshot length via --snaplen.
If the snapshot length is set to snaplen, and snaplen is less than the size of a
packet that is captured, only the first snaplen bytes of that packet will be
captured and provided as packet data.
By @dominiklohmann in #642.
Add FreeBSD rc.d script
On FreeBSD, a VAST installation now includes an rc.d script that simplifies
spinning up a VAST node. CMake installs the script at PREFIX/etc/rc.d/vast.
Add Python module for submitting queries to VAST
An experimental new Python module enables querying VAST and processing results as pyarrow tables.
Changes
Add Python module for submitting queries to VAST
Record field names can now be entered as quoted strings in the schema and expression languages. This lifts a restriction where JSON fields with whitespace or special characters could not be ingested.
Minor parser changes
Two minor modifications were made to the parsing framework: (i) the parsers for
enums and records now allow trailing separators, and (ii) the dash (-) was
removed from the allowed characters of schema type names.
Add separate interface option for import pcap
The import pcap command no longer takes interface names via --read,-r, but
instead from a separate option named --interface,-i. This change has been made
for consistency with other tools.
By @dominiklohmann in #641.
Switch to a calendar-based versioning scheme
VAST is switching to a calendar-based versioning scheme starting with this release.
By @dominiklohmann in #739.
Perform pass over build config defaults
Build configuration defaults have been adapted for a better user experience.
Installations are now relocatable by default, which can be reverted by
configuring with --without-relocatable. Additionally, new sets of defaults
named --release and --debug (renamed from --dev-mode) have been added.
By @dominiklohmann in #695.
Bug Fixes
Fix configuration file option parsing
The example configuration file contained an invalid section vast. This has
been changed to the correct name system.
Fix datagram source actor not running heartbeat
The import process did not print statistics when importing events over UDP. Additionally, warnings about dropped UDP packets are no longer shown per packet, but rather periodically reported in a readable format.
By @dominiklohmann in #662.
Fix race in index lookup
A race condition in the index logic could lead to incomplete or empty
result sets for vast export.
Refactor importer initialization
In some cases it was possible that a source would connect to a node before it
was fully initialized, resulting in a hanging vast import process.
Ignore VLAN tags in PCAP import
PCAP ingestion failed for traces containing VLAN tags. VAST now strips IEEE 802.1Q headers instead of skipping VLAN-tagged packets.
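An added illustration (not VAST's code) of the two PCAP behaviours in these notes: snapshot-length truncation and stripping IEEE 802.1Q headers, including the case where a short snaplen cuts into the tag. The function names and the sample frame are constructed for this example, and only TPID 0x8100 is treated as a VLAN tag.

```python
import struct

ETH_HDR = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier
VLAN_TAG = 4          # TPID (2) + TCI (2)

# Constructed sample: broadcast frame, VLAN 100, EtherType IPv4, 20 payload bytes.
SAMPLE_TAGGED = (
    bytes.fromhex("ffffffffffff" "001122334455" "8100" "0064" "0800")
    + b"\x45" + bytes(19)
)


def capture(frame: bytes, snaplen: int) -> bytes:
    """Keep only the first snaplen bytes, as a capture with that snapshot length does."""
    return frame[:snaplen]


def strip_vlan(captured: bytes):
    """Return (vlan_ids, ethertype, payload) with all 802.1Q tags removed.

    Returns None when the capture is too short to hold the full link-layer
    header, which happens when snaplen cuts into the Ethernet or VLAN fields.
    """
    if len(captured) < ETH_HDR:
        return None
    offset = 12  # position of the first EtherType/TPID field
    vlan_ids = []
    while True:
        if len(captured) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", captured, offset)
        if ethertype != TPID_8021Q:
            break
        # A tag must be followed by its TCI and the next EtherType/TPID.
        if len(captured) < offset + VLAN_TAG + 2:
            return None
        (tci,) = struct.unpack_from("!H", captured, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += VLAN_TAG
    return vlan_ids, ethertype, captured[offset + 2:]


if __name__ == "__main__":
    for snaplen in (65535, 24, 16):
        print(snaplen, strip_vlan(capture(SAMPLE_TAGGED, snaplen)))
```

A snaplen smaller than 18 bytes leaves a tagged frame without its inner EtherType, so such packets cannot be classified even with VLAN stripping in place.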
Register the accountant for datagram sources
Importing events over UDP with vast import <format> --listen :<port>/udp
failed to register the accountant component. This caused an unexpected message
warning to be printed on startup and resulted in losing import statistics. VAST
now correctly registers the accountant.
By @dominiklohmann in #655.
Add Python module for submitting queries to VAST
A bug in the quoted string parser caused a parsing failure if an escape character occurred in the last position.