VAST 2021.09.30

Download the release on GitHub.

Features

Let empty queries export everything

The query argument to the export and count commands may now be omitted, which causes the commands to operate on all data. Note that this may be a very expensive operation, so use with caution.

By @dominiklohmann in #1879.

Add Zeek writer plugin

The broker plugin is now a also writer plugin on top of being already a reader plugin. The new plugin enables exporting query results directly into a a Zeek process, e.g., to write Zeek scripts that incorporate context from the past. Run vast export broker <expr> to ship events via Broker that Zeek dispatches under the event VAST::data(layout: string, data: any).

By @mavam in #1863.

Add the streaming and query info to the index status

The output of vast status --detailed now contains information about queries that are currently processed in the index.

By @tobim in #1881.

Add tool to regenerate .mdx files

The new tool mdx-regenerate allows operators to re-create all .mdx files in a database directory to the latest file format version while VAST is running. This is useful for advanced users in preparation for version upgrades that bump the format version.

By @lava in #1866.

Bundle an example configuration file with plugins

If present in the plugin source directory, the build scaffolding now automatically installs <plugin>.yaml.example files, commenting out every line so the file has no effect. This serves as documentation for operators that can modify the installed file in-place.

By @dominiklohmann in #1860.

Show loaded config files in status output

Running vat status --detailed now lists all loaded configuration files under system.config-files.

By @dominiklohmann in #1871.

Changes

Make partition-local stores the default

The default store backend now is segment-store in order to enable the use of partition transforms in the future. To continue using the (now deprecated) legacy store backend, set vast.store-backend to archive.

By @lava in #1876.

Install example configuration files to datarootdir

Example configuration files are now installed to the datarootdir as opposed to the sysconfdir in order to avoid overriding previously installed configuration files.

By @dominiklohmann in #1880.

Bug Fixes

Fix possible garbage in status command output

The status command no longer occasionally contains garbage keys when the VAST server is under high load.

By @dominiklohmann in #1872.

Fix response promises for disk monitor deletion

The disk monitor no longer fails to delete segments of particularly busy partitions with the segment-store store backend.

By @dominiklohmann in #1892.

Tailor expressions in filter operation

Import filter expressions now work correctly with queries using field extractors, e.g., vast import suricata 'event_type == "alert"' < path/to/eve.json.

By @dominiklohmann in #1885.

Disallow unsupported field meta extractor predicates

Expression predicates of the #field type now produce error messages instead of empty result sets for operations that are not supported.

By @tobim in #1886.

Fix possible desync in pending queries map

The index now correctly cancels pending queries when the requester dies.

By @dominiklohmann in #1884.

Fix ignoring of remote sources and sinks for status

Remote sources and sinks are no longer erroneously included in the output of VAST status.

By @dominiklohmann in #1873.