Download the release on GitHub.
Features
Section titled “Features”Move PCAP import/export into a plugin
Section titled “Move PCAP import/export into a plugin”Reader Plugins and Writer Plugins are a new family of plugins that add
import/export formats. The previously optional PCAP format moved into a
dedicated plugin. Configure with --with-pcap-plugin and add pcap to
vast.plugins to enable the PCAP plugin.
By @dominiklohmann in #1549.
PRs 1532-1541
Section titled “PRs 1532-1541”The VAST_PLUGIN_DIRS and VAST_SCHEMA_DIRS environment variables allow for
setting additional plugin and schema directories separated with : with higher
precedence than other plugin and schema directories.
By @dominiklohmann in #1532.
Allow for building plugins separately from VAST
Section titled “Allow for building plugins separately from VAST”It is now possible to build plugins against an installed VAST. This requires a slight adaptation to every plugin’s build scaffolding. The example plugin was updated accordingly.
By @dominiklohmann in #1532.
Add ‘—disk-budget-check-binary’ option to disk monitor
Section titled “Add ‘—disk-budget-check-binary’ option to disk monitor”The disk monitor gained a new vast.start.disk-budget-check-binary option that
can be used to specify an external binary to determine the size of the database
directory. This can be useful in cases where stat() does not give the correct
answer, e.g. on compressed filesystems.
PRs 1544-1547-1588
Section titled “PRs 1544-1547-1588”Component Plugins are a new category of plugins that execute code within the VAST server process. Analyzer Plugins are now a specialization of Component Plugins, and their API remains unchanged.
By @dominiklohmann in #1544.
Changes
Section titled “Changes”Make the source a regular class
Section titled “Make the source a regular class”The metrics for Suricata Eve JSON and Zeek Streaming JSON imports are now under
the categories suricata-reader and zeek-reader respectively so they can be
distinguished from the regular JSON import, which is still under json-reader.
Small fixes for projections
Section titled “Small fixes for projections”The Suricata dns schema type now defines the dns.grouped.A field containing
a list of all returned addresses.
Upstream Debian patches
Section titled “Upstream Debian patches”We upstreamed the Debian patches provided by @satta.
VAST now prefers an installed tsl-robin-map>=0.6.2 to the bundled one unless
configured with --with-bundled-robin-map, and we provide a manpage for
lsvast if pandoc is installed.
By @dominiklohmann in #1515.
Remove deprecated no-default-schema option
Section titled “Remove deprecated no-default-schema option”The previously deprecated (#1409)
option vast.no-default-schema no longer exists.
By @dominiklohmann in #1507.
Use individual files for changelog entries
Section titled “Use individual files for changelog entries”Building VAST now requires CMake >= 3.15.
By @dominiklohmann in #1559.
Align plugin and library output names
Section titled “Align plugin and library output names”Plugins configured via vast.plugins in the configuration file can now be
specified using either the plugin name or the full path to the shared plugin
library. We no longer allow omitting the extension from specified plugin files,
and recommend using the plugin name as a more portable solution, e.g., example
over libexample and /path/to/libexample.so over /path/to/libexample.
By @dominiklohmann in #1527.
Prefix plugin library output names with vast-plugin-
Section titled “Prefix plugin library output names with vast-plugin-”To avoid confusion between the PCAP plugin and libpcap, which both have a
library file named libpcap.so, we now generally prefix the plugin library
output names with vast-plugin-. E.g., The PCAP plugin library file is now
named libvast-plugin-pcap.so. Plugins specified with a full path in the
configuration under vast.plugins must be adapted accordingly.
By @dominiklohmann in #1593.
Make it possible to run VAST without user configs
Section titled “Make it possible to run VAST without user configs”The new option --disable-default-config-dirs disables the loading of user and
system configuration, schema, and plugin directories. We use this option
internally when running integration tests.
By @dominiklohmann in #1557.
Update chat URL in README
Section titled “Update chat URL in README”The VAST community chat moved from Element to Gitter. Join us at
gitter.im/tenzir/vast or via Matrix at
#tenzir_vast:gitter.im.
By @dominiklohmann in #1591.
PRs 1514-1574
Section titled “PRs 1514-1574”The exporter.hits metric has been removed.
PRs 1499-satta
Section titled “PRs 1499-satta”VAST now ships with a schema record type for Suricata’s rfb event type.
Remove deprecated format-specific options
Section titled “Remove deprecated format-specific options”The previously deprecated usage
(#1354) of format-independent
options after the format in commands is now no longer possible. This affects the
options listen, read, schema, schema-file, type, and uds for import
commands and the write and uds options for export commands.
By @dominiklohmann in #1529.
Factor common functionality in component plugin
Section titled “Factor common functionality in component plugin”The status output of Analyzer Plugins moved from the importer.analyzers key
into the top-level record.
By @dominiklohmann in #1544.
Move PCAP import/export into a plugin
Section titled “Move PCAP import/export into a plugin”Plugins must define a separate entrypoint in their build scaffolding using the
argument ENTRYPOINT to the CMake function VASTRegisterPlugin. If only a
single value is given to the argument SOURCES, it is interpreted as the
ENTRYPOINT automatically.
By @dominiklohmann in #1549.
Bug Fixes
Section titled “Bug Fixes”Handle alias types properly for CSV
Section titled “Handle alias types properly for CSV”The CSV reader no longer crashes when encountering nested type aliases.
By @dominiklohmann in #1534.
Move PCAP import/export into a plugin
Section titled “Move PCAP import/export into a plugin”Plugin unit tests now correctly load and initialize their respective plugins.
By @dominiklohmann in #1549.
Fix start command detection for spdlog
Section titled “Fix start command detection for spdlog”Custom commands from plugins ending in start no longer try to write to the
server instead of the client log file.
By @dominiklohmann in #1530.
Ignore spaces before SI prefixes
Section titled “Ignore spaces before SI prefixes”Spaces before SI prefixes in command line arguments and configuration options
are now generally ignored, e.g., it is now possible to set the disk monitor
budgets to 2 GiB rather than 2GiB.
By @dominiklohmann in #1590.
Multiple node shutdown fixes
Section titled “Multiple node shutdown fixes”The shutdown logic contained a bug that would make the node fail to terminate in case a plugin actor is registered at said node.
A race condition in the shutdown logic that caused an assertion was fixed.
Fix exporter.selectivity for idle periods
Section titled “Fix exporter.selectivity for idle periods”The exporter.selectivity metric is now 1.0 instead of NaN for idle periods.
VAST no longer renders JSON numbers with non-finite numbers as NaN, -NaN,
inf, or -inf, resulting in invalid JSON output. Instead, such numbers are
now rendered as null.
By @dominiklohmann in #1574.
Deduplicate plugin entrypoint in sources
Section titled “Deduplicate plugin entrypoint in sources”We fixed a regression that made it impossible to build static binaries from outside of the repository root directory.
The VASTRegisterPlugin CMake function now correctly removes the ENTRYPOINT
from the given SOURCES, allowing for plugin developers to easily glob for
sources again.
By @dominiklohmann in #1573.
Use proper full install dirs for system config
Section titled “Use proper full install dirs for system config”Specifying relative CMAKE_INSTALL_*DIR in the build configuration no longer
causes VAST not to pick up system-wide installed configuration files, schemas,
and plugins. The configured install prefix is now used correctly. The defunct
VAST_SYSCONFDIR, VAST_DATADIR, and VAST_LIBDIR CMake options no longer
exist. Use a combination of CMAKE_INSTALL_PREFIX and CMAKE_INSTALL_*DIR
instead.
By @dominiklohmann in #1580.
Fix building VAST within a shallow git tree
Section titled “Fix building VAST within a shallow git tree”VAST now correctly builds within shallow clones of the repository. If the build
system is unable to determine the correct version from git-describe, it now
always falls back to the version of the last release.
By @dominiklohmann in #1570.
Avoid shutdown when config dirs are not readable
Section titled “Avoid shutdown when config dirs are not readable”VAST no longer refuses to start when any of the configuration file directories is unreadable, e.g., because VAST is running in a sandbox.
By @dominiklohmann in #1533.
Ignore static plugins when specified in config
Section titled “Ignore static plugins when specified in config”VAST no longer erroneously tries to load explicitly specified plugins dynamically that are linked statically.
By @dominiklohmann in #1528.
Fix the timezone shift to UTC for ISO8601 dates
Section titled “Fix the timezone shift to UTC for ISO8601 dates”A bug in the parsing of ISO8601 formatted dates that incorrectly adjusted the time to the UTC timezone has been fixed.
Allow for building plugins separately from VAST
Section titled “Allow for building plugins separately from VAST”Linking against an installed VAST via CMake now correctly resolves VAST’s dependencies.
By @dominiklohmann in #1532.
Fix out-of-bounds access in command-line parser
Section titled “Fix out-of-bounds access in command-line parser”The command-line parser no longer crashes when encountering a flag with missing value in the last position of a command invocation.