Download the release on GitHub.
## Features

### Use heterogeneous lookup for hash index

The hash index has been re-enabled after it was outfitted with a new high-performance hash map implementation that increased performance to the point where it is on par with the regular index.
### Require end-of-input to be reached for range-based parser invocations

An under-the-hood change to our parser-combinator framework makes sure that we do not discard possibly invalid input data up to the end of input. This uncovered a bug in our MRT/bgpdump integrations, which have thus been disabled (for now) and will be fixed at a later point in time.

By @dominiklohmann in #808.
### Fix user shutdown handling for continuous exports

Continuous export processes can now be stopped correctly. Before this change, the node showed an error message and the exporting process exited with a non-zero exit code.

By @dominiklohmann in #779.
### Implement reader for Syslog RFC5424

The new `vast import syslog` command allows importing Syslog messages as defined in RFC5424.

By @knapperzbusch in #770.
### Remove -c short option for setting config file

The short option `-c` for setting the configuration file has been removed. The long option `--config` must now be used instead. This fixed a bug that did not allow for `-c` to be used for continuous exports.

By @dominiklohmann in #781.
### Allow disabling Community ID computation for PCAPs

The option `--disable-community-id` has been added to the `vast import pcap` command for disabling the automatic computation of Community IDs.

By @dominiklohmann in #777.
### Require expressions to be parsed to end-of-input

Expressions must now be parsed to the end of input. This fixes a bug that caused malformed queries to be evaluated until the parser failed. For example, the query `#type == "suricata.http" && .dest_port == 80` was erroneously evaluated as `#type == "suricata.http"` instead.

By @dominiklohmann in #791.
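The failure mode described above, as an added example that is not code from VAST: a small Python model of a backtracking conjunction parser (`parse_query`, `parse_conjunction` and the constructed grammar are hypothetical) in which an extractor starting with a dot is not recognised, so the second predicate fails to parse. Without the end-of-input requirement the partial parse is silently accepted and the query matches far more than the user wrote; with it, the malformed query is rejected.

```python
import re

# Constructed token grammar: `&&`, `==`, identifiers (optionally prefixed
# with `#`), double-quoted strings, integers, and any other single character.
TOKEN_RE = re.compile(r'\s*(&&|==|#?[A-Za-z_][A-Za-z0-9_.]*|"[^"]*"|\d+|\S)')
FIELD_RE = re.compile(r'#?[A-Za-z_][A-Za-z0-9_.]*$')   # deliberately rejects `.dest_port`
VALUE_RE = re.compile(r'"[^"]*"$|\d+$')

def tokenize(text):
    return [m.group(1) for m in TOKEN_RE.finditer(text)]

def parse_predicate(tokens, pos):
    """predicate := field "==" value; returns (node, next_pos) or None."""
    if (pos + 3 <= len(tokens) and FIELD_RE.match(tokens[pos])
            and tokens[pos + 1] == "==" and VALUE_RE.match(tokens[pos + 2])):
        return (tokens[pos], tokens[pos + 2]), pos + 3
    return None

def parse_conjunction(tokens, pos):
    """conjunction := predicate ("&&" predicate)*

    Like a repetition combinator, a failed repetition backtracks to the last
    position that parsed successfully and leaves the rest unconsumed.
    """
    first = parse_predicate(tokens, pos)
    if first is None:
        return None
    terms, pos = [first[0]], first[1]
    while pos < len(tokens) and tokens[pos] == "&&":
        nxt = parse_predicate(tokens, pos + 1)
        if nxt is None:
            break  # backtrack: `&&` and everything after it stay unparsed
        terms.append(nxt[0])
        pos = nxt[1]
    return terms, pos

def parse_query(text, require_eoi):
    """Parse a query; with require_eoi=True, trailing unparsed input is an error."""
    tokens = tokenize(text)
    result = parse_conjunction(tokens, 0)
    if result is None:
        raise ValueError("no expression at start of input")
    terms, pos = result
    if require_eoi and pos != len(tokens):
        raise ValueError("unparsed trailing input: " + " ".join(tokens[pos:]))
    return terms

if __name__ == "__main__":
    query = '#type == "suricata.http" && .dest_port == 80'
    print(parse_query(query, require_eoi=False))  # only the first predicate survives
    try:
        parse_query(query, require_eoi=True)
    except ValueError as err:
        print("rejected:", err)
```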
## Changes

### Rename vast.account event type to vast.statistics

The internal statistics event type `vast.account` has been renamed to `vast.statistics` for clarity.

By @dominiklohmann in #789.
### Add timestamp attribute to statistics ts field

The config option `system.log-directory` was deprecated and replaced by the new option `system.log-file`. All logs will now be written to a single file.
### Restrict log file creation to ‘vast start’

The log folder `vast.log/` in the current directory will not be created by default any more. Users must explicitly set the `system.file-verbosity` option if they wish to keep the old behavior.
### Introduce the VERBOSE log level

The VERBOSE log level has been added between INFO and DEBUG. This level is enabled at build time for all build types, making it possible to get more detailed logging output from release builds.
### Replace ‘caf#’ prefix for CAF options with ‘caf.’

The command line option prefix for changing CAF options was changed from `--caf#` to `--caf.`.

By @dominiklohmann in #797.