VAST 2021.08.26

Download the release on GitHub.

Features

Restore unique IDs for partition-local stores

The segment-store store backend works correctly with vast get and vast explore.

By @lava in #1805.

PRs 1819-1833

VAST can now process Eve JSON events of type suricata.packet that Suricata emits when the config option tagged-packets is set and a rule tags a packet using, e.g., tag:session,5,packets;.

By @satta in #1819.

Changes

Support building against fmt 8.x

VAST now supports building against fmt 8 and spdlog 1.9.2, and now requires at least fmt 7.1.3.

By @dominiklohmann in #1846.

Keep layer-2 framing when reading PCAP payload

VAST no longer strips link-layer framing when ingesting PCAPs. The stored payload is the raw PCAP packet. Similarly, vast export pcap now includes a Ethernet link-layer framing, per libpcap’s DLT_EN10MB link type.

By @mavam in #1797.

Improve rendering of error messages & fix record to map conversion

Strings in error or warning log messages are no longer escaped, greatly improving readability of messages containing nested error contexts.

By @tobim in #1842.

Align suricata.dhcp with the latest eve.log schema

VAST now ships with an updated schema type for the suricata.dhcp event, covering all fields of the extended output.

By @tobim in #1854.

Bug Fixes

Fix logging in systemd when built without support

VAST now only switches to journald style logging by default when it is actually supported.

By @tobim in #1857.

Include in-process sources/sinks in status output

The output of VAST status now includes status information for sources and sinks spawned in the VAST node, i.e., via vast spawn source|sink <format> rather than vast import|export <format>.

By @dominiklohmann in #1852.

Print memory counts in bytes instead of kB

The memory counts in the output of vast status now represent bytes consistently, as opposed to a mix of bytes and kilobytes.

By @tobim in #1862.

Fix plugin versions in prebuilt Docker images

Plugins in the prebuilt Docker images no longer show unspecified as their version.

By @dominiklohmann in #1828.

Use /etc as sysconfdir for install prefix /usr

In order to align with the GNU Coding Standards, the static binary (and other relocatable binaries) now uses /etc as sysconfdir for installations to /usr/bin/vast.

By @dominiklohmann in #1856.

Add missing concepts for Suricata events

Previously missing fields of suricata event types are now part of the concept definitions of net.src.ip, net.src.port, net.dst.ip, net.dst.port, net.app, net.proto, net.community_id, net.vlan, and net.packets.

By @tobim in #1798.

Support quoted non-string fields in the CSV parser

The CSV parser now correctly parses quoted fields in non-string types. E.g., "127.0.0.1" in CSV now successfully parsers when a matching schema contains an address type field.

By @dominiklohmann in #1858.

Gracefully handle malformed segments at startup

Invalid segment files will no longer crash VAST at startup.

By @tobim in #1820.

Support native plugins in the static binary

The segment-store store backend and built-in transform steps (hash, replace, and delete) now function correctly in static VAST binaries.

By @dominiklohmann in #1850.

Interpret metrics paths relative to the db root

The configuration options vast.metrics.{file,uds}-sink.path now correctly specify paths relative to the database directory of VAST, rather than the current working directory of the VAST server.

By @dominiklohmann in #1848.