VAST 2020.09.30

Download the release on GitHub.

Features

Restructure vast status

The output of the status command was restructured with a strong focus on usability. The new flags --detailed and --debug add additional content to the output.

By @tobim in #995.

Flatbufferize index

VAST now ships with a new tool lsvast to display information about the contents of a VAST database directory. See lsvast --help for usage instructions.

By @mavam in #863.

Merge contents of all configuration files

VAST now merges the contents of all used configuration files instead of using only the most user-specific file. The file specified using --config takes the highest precedence, followed by the user-specific path ${XDG_CONFIG_HOME:-${HOME}/.config}/vast/vast.conf, and the compile-time path <sysconfdir>/vast/vast.conf.

By @dominiklohmann in #1040.

Add a get subcommand to retrieve events from the archive directly

The vast get command has been added. It retrieves events from the database directly by their ids.

By @tobim in #938.

Make vast.conf lookup on Linux systems more intuitive

VAST now supports the XDG base directory specification: The vast.conf is now found at ${XDG_CONFIG_HOME:-${HOME}/.config}/vast/vast.conf, and schema files at ${XDG_DATA_HOME:-${HOME}/.local/share}/vast/schema/. The user-specific configuration file takes precedence over the global configuration file in <sysconfdir>/vast/vast.conf.

By @dominiklohmann in #1036.

Changes

PRs 1045-1055-1059-1062

The proprietary VAST configuration file has changed to the more ops-friendly industry standard YAML. This change introduced also a new dependency: yaml-cpp version 0.6.2 or greater. The top-level vast.yaml.example illustrates how the new YAML config looks like. Please rename existing configuration files from vast.conf to vast.yaml. VAST still reads vast.conf but will soon only look for vast.yaml or vast.yml files in available configuration file paths.

By @mavam in #1045.

Add event type name to the record batch metadata

Data exported in the Apache Arrow format now contains the name of the payload record type in the metadata section of the schema.

By @tobim in #1072.

Render duration and port as JSON strings

The JSON export format now renders duration and port fields using strings as opposed to numbers. This avoids a possible loss of information and enables users to re-use the output in follow-up queries directly.

By @dominiklohmann in #1034.

Make periodic logging more sensible

The delay between the periodic log messages for reporting the current event rates has been increased to 10 seconds.

By @tobim in #1035.

Make vast.conf lookup on Linux systems more intuitive

The global VAST configuration now always resides in <sysconfdir>/vast/vast.conf, and bundled schemas always in <datadir>/vast/schema/. VAST no longer supports reading a vast.conf file in the current working directory.

By @dominiklohmann in #1036.

Flatbufferize index

The persistent storage format of the index now uses FlatBuffers.

By @mavam in #863.

Improve import batching options

The options that affect batches in the import command received new, more user-facing names: import.table-slice-type, import.table-slice-size, and import.read-timeout are now called import.batch-encoding, import.batch-size, and import.read-timeout respectively.

By @dominiklohmann in #1058.

Flatbufferize index

We refactored the index architecture to improve stability and responsiveness. This includes fixes for several shutdown issues.

By @mavam in #863.

Restructure configuration file hierarchy

All configuration options are now grouped into vast and caf sections, depending on whether they affect VAST itself or are handed through to the underlying actor framework CAF directly. Take a look at the bundled vast.yaml.example file for an explanation of the new layout.

By @dominiklohmann in #1073.

Bug Fixes

Improve import batching options

Stalled sources that were unable to generate new events no longer stop import processes from shutting down under rare circumstances.

By @dominiklohmann in #1058.