VAST 2021.07.29

Download the release on GitHub.

VAST now supports import filter expressions. They act as the dual to export query expressions: vast import suricata '#type == "suricata.alert"' < eve.json will import only suricata.alert events, discarding all other events.

By @dominiklohmann in #1742.

Plugin versions are now unique to facilitate debugging. They consist of three optional parts: (1) the CMake project version of the plugin, (2) the Git revision of the last commit that touched the plugin, and (3) a dirty suffix for uncommitted changes to the plugin. Plugin developers no longer need to specify the version manually in the plugin entrypoint.

By @dominiklohmann in #1764.

VAST now exports per-layout import metrics under the key <reader>.events.<layout-name> in addition to the regular <reader>.events. This makes it easier to understand the event type distribution.

By @dominiklohmann in #1781.

VAST now supports the arm64 architecture.

By @dominiklohmann in #1773.

The static binary now bundles the Broker plugin.

By @dominiklohmann in #1789.

VAST now comes with a tenzir/vast-dev Docker image in addition to the regular tenzir/vast. The vast-dev image targets development contexts, e.g., when building additional plugins. The image contains all build-time dependencies of VAST and runs as root rather than the vast user.

By @dominiklohmann in #1749.

The new Broker plugin enables seamless log ingestion from Zeek to VAST via a TCP socket. Broker is Zeek’s messaging library and the plugin turns VAST into a Zeek logger node. Use vast import broker to establish a connection to a Zeek node and acquire logs.

By @mavam in #1758.

VAST has a new store_plugin type for custom store backends that hold the raw data of a partition. The new setting vast.store-backend controls the selection of the store implementation, which has a default value of segment-store. This is still an opt-in feature: unless the configuration value is set, VAST defaults to the old implementation.

By @lava in #1720.

lsvast now prints extended information for hash indexes.

By @lava in #1755.

Remove /etc as hardcoded sysconfdir from Nix build

Installing VAST now includes a vast.yaml.example configuration file listing all available options.

By @dominiklohmann in #1777.

From now on VAST is compiled with the C++20 language standard. Minimum compiler versions have increased to GCC 10, Clang 11, and AppleClang 12.0.5.

By @tobim in #1768.

Bump minimum Debian requirement to Bullseye

VAST no longer officially supports Debian Buster with GCC-8. In CI, VAST now runs on Debian Bullseye with GCC-10. The provided Docker images now use debian:bullseye-slim as base image. Users that require Debian Buster support should use the provided static builds instead.

By @dominiklohmann in #1765.

Disable auto-vectorization in prebuilt Docker images

The vast binaries in our prebuilt Docker images no longer contain AVX instructions for increased portability. Building the image locally continues to add supported auto-vectorization flags automatically.

The following new build options exist: VAST_ENABLE_AUTO_VECTORIZATION enables/disables all auto-vectorization flags, and VAST_ENABLE_SSE_INSTRUCTIONS enables -msse; similar options exist for SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, AVX, and AVX2.

By @dominiklohmann in #1778.

Support unique plugin versions for Nix and Docker

The official Docker image and static binary distribution of VAST now produce the correct version output for plugins from the vast version command.

By @dominiklohmann in #1799.

The disk budget feature no longer triggers a rare segfault while deleting partitions.

By @tobim in #1804.

A regression caused VAST’s plugins to be loaded in random order, which printed a warning about mismatching plugins between client and server. The order is now deterministic.

By @dominiklohmann in #1756.

Propagate VAST_ENABLE_JOURNALD_LOGGING setting to config header

The VAST_ENABLE_JOURNALD_LOGGING CMake option is no longer ignored.

By @lava in #1780.

The status command now prints information about input and output transformations.

By @tobim in #1748.

Queries against fields using a #index=hash attribute could have missed some results. Fixing a bug in the offset calculation during bitmap processing resolved the issue.

By @lava in #1755.

Fix error message about /dev/null-backend on startup

A [*** LOG ERROR #0001 ***] error message on startup under Linux no longer occurs.

By @lava in #1754.

Import processes now respond quicker. Shutdown requests are no longer delayed when the server process has busy imports, and metrics reports are now written in a timely manner.

Particularly busy imports caused the shutdown of the server process to hang, if import processes were still running or had not yet flushed all data. The server now shuts down correctly in these cases.

By @dominiklohmann in #1771.

Fix loading of the optional OpenSSL module

Configuring VAST to use CAF’s built-in OpenSSL module via the caf.openssl.* options now works again as expected.

By @dominiklohmann in #1740.

Normalize GNUInstallDirs for external plugins

Plugins built against an external libvast no longer require the CMAKE_INSTALL_LIBDIR to be specified as a path relative to the configured CMAKE_INSTALL_PREFIX. This fixes an issue with plugins in separate packages for some package managers, e.g., Nix.

By @dominiklohmann in #1786.

Don't abort JSON import when encountering non-objects

VAST does not abort JSON imports anymore when encountering something other than a JSON object, e.g., a number or a string. Instead, VAST skips the offending line.

By @lava in #1759.
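
The following is an added example, not part of the VAST release notes or code base. It previews offline what the import filter '#type == "suricata.alert"' described above would retain from an eve.json file, skips non-object lines as in the JSON import fix, and tallies events per type using keys shaped like <reader>.events.<layout-name>. The mapping from Suricata's event_type field to a suricata.<event_type> type name, the handling of unparseable lines, and the function name preview_import are assumptions of this example.

```python
import json
from collections import Counter

# Constructed sample in the shape of Suricata's eve.json (one JSON value per line).
SAMPLE_EVE = """\
{"timestamp":"2021-07-29T10:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10"}
{"timestamp":"2021-07-29T10:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10"}
42
"stray string"
{"timestamp":"2021-07-29T10:00:02.000000+0000","event_type":"dns","src_ip":"192.0.2.11"}
{"timestamp":"2021-07-29T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.12"}
"""


def preview_import(lines, wanted_type="suricata.alert", reader="suricata"):
    """Return (kept_events, tally, skipped_line_numbers) for an eve.json stream.

    tally is a local count keyed like <reader>.events.<layout-name>; it is
    computed over every object line seen, not produced by VAST.
    """
    kept, skipped, tally = [], [], Counter()
    for lineno, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            value = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(lineno)  # this example's choice: treat like a non-object
            continue
        if not isinstance(value, dict):
            skipped.append(lineno)  # number, string, array: skip the line, keep going
            continue
        # Assumption: the type name is "suricata." + the event_type field.
        type_name = f"suricata.{value.get('event_type', 'unknown')}"
        tally[f"{reader}.events"] += 1
        tally[f"{reader}.events.{type_name}"] += 1
        if type_name == wanted_type:
            kept.append(value)  # would pass '#type == "suricata.alert"'
    return kept, dict(tally), skipped


if __name__ == "__main__":
    kept, tally, skipped = preview_import(SAMPLE_EVE.splitlines())
    print(f"kept {len(kept)} events, skipped lines {skipped}")
    for key in sorted(tally):
        print(f"{key}: {tally[key]}")
```

Comparing the kept count with the per-type tally shows how much telemetry the filter discards at import time, which matters when later investigations expect flow or DNS records to be present.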

Remove /etc as hardcoded sysconfdir from Nix build

The static binary no longer behaves differently than the regular build with regard to its configuration directories: system-wide configuration files now reside in <prefix>/etc/vast/vast.yaml rather than /etc/vast/vast.yaml.

By @dominiklohmann in #1777.
