VAST v2.4.0

Download the release on GitHub.

VAST Cloud now has a MISP plugin that allows adding a MISP instance to the cloud stack.

By @rdettai in #2548.

Make data predicate evaluation column-major

Queries without acceleration from a dense index run significantly faster, e.g., initial tests show a 2x performance improvement for substring queries.

By @dominiklohmann in #2730.

The new experimental web plugin offers a RESTful API to VAST and a bundled web user interface in Svelte.

By @lava in #2567.

Rebatch undersized batches when rebuilding partitions

Rebuilding partitions now additionally rebatches the contained events to vast.import.batch-size events per batch, which accelerates queries against partitions that previously had undersized batches.

By @dominiklohmann in #2583.

We now also distribute VAST as a Debian package with every new release. The Debian package automatically installs a systemd service and creates a vast user for the VAST process.

By @tobim in #2513.

Add “-total” metric keys for schema-dependent metrics

VAST has three new metrics: catalog.num-partitions-total, catalog.num-events-total, and ingest-total. Each one sums up its respective schema-based metric counterparts across all schemas.

By @Dakostu in #2682.

VAST Cloud can now expose HTTP services using Cloudflare Access.

By @dominiklohmann in #2578.

VAST now emits metrics for filesystem access under the keys posix-filesystem.{checks,writes,reads,mmaps,erases,moves}.{successful,failed,bytes}.

By @dominiklohmann in #2572.

Enable configuration of the zstd compression level for feather store

VAST has a new configuration setting, vast.zstd-compression-level, to control the compression level of the Zstd algorithm used in both the Feather and Parquet store backends. The default level is set by the Apache Arrow library, and the Parquet level is no longer explicitly defaulted to 9.

By @dispanser in #2623.

VAST now ships a Docker Compose file. In particular, the Docker Compose stack now has a TheHive integration that can run VAST queries as a Cortex Analyzer.

By @KaanSK in #2574.

Move the version string into a central JSON file

Building VAST from source now requires CMake 3.19 or greater.

By @tobim in #2582.

The default store backend of VAST is now feather. Reading from VAST’s custom segment-store backend is still transparently supported, but new partitions automatically write to the Apache Feather V2 backend instead.

By @dominiklohmann in #2587.

We changed the default VAST endpoint from localhost to 127.0.0.1. This ensures the listening address is deterministic and not dependent on the host-specific IPv4 and IPv6 resolution. For example, resolving localhost yields a list of addresses, and if VAST fails to bind on the first (e.g., due to a lingering socket), it would silently go to the next. Taking name resolution out of the equation fixes such issues. Set the option vast.endpoint to override the default endpoint.

By @lava in #2512.
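
The fall-through described in this entry, as an added example (not VAST's code): the listener ends up on an address other than the first one, with no error for an operator or a firewall rule to notice. `listen_first_available` and `listen_exact` are hypothetical helpers, and the two loopback addresses are a constructed stand-in for a multi-address localhost answer, assuming a Linux host where all of 127.0.0.0/8 is bindable.

```python
import socket


def listen_first_available(addresses, port):
    """Try each resolved address in order and listen on the first that binds.

    Bind errors are swallowed, which models the silent fall-through.
    """
    for addr in addresses:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        sock = socket.socket(family, socket.SOCK_STREAM)
        try:
            sock.bind((addr, port))
            sock.listen(1)
            return sock, addr
        except OSError:
            sock.close()
    raise OSError(f"no address bindable on port {port}")


def listen_exact(addr, port):
    """Listen on one literal IPv4 address; a bind failure surfaces as OSError."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        sock.listen(1)
    except OSError:
        sock.close()
        raise
    return sock


def demo():
    # Constructed stand-in for what resolving a name to several addresses returns.
    resolved = ["127.0.0.1", "127.0.0.2"]
    # A socket that still holds the first address plays the lingering socket.
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        sock, landed = listen_first_available(resolved, port)
        sock.close()
        try:
            listen_exact("127.0.0.1", port).close()
            strict_failed = False
        except OSError:
            strict_failed = True  # the literal address fails loudly instead
        return landed, strict_failed
    finally:
        holder.close()


if __name__ == "__main__":
    print(demo())
```
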

Load “all” plugins by default & allow “empty” values

VAST now loads all plugins by default. To revert to the old behavior, explicitly set the vast.plugins option to have no value.

By @Dakostu in #2689.

Add memory-usage to index and catalog telemetry reports

VAST now emits per-component memory usage metrics under the keys index.memory-usage and catalog.memory-usage.

By @patszt in #2471.

Remove PyVAST in favor of new Python bindings

We removed PyVAST from the code base in favor of the new Python bindings. PyVAST continues to work as a thin wrapper around the VAST binary, but will no longer be released alongside VAST.

By @dominiklohmann in #2674.

The vast dump command is now called vast show.

By @dominiklohmann in #2686.

Building VAST from source now requires Apache Arrow 10.0 or newer.

By @Dakostu in #2685.

The UDS metrics sink no longer deadlocks due to suspended listeners.

By @tobim in #2635.

Rebuilding of heterogeneous partitions no longer freezes the entire rebuilder on pipeline failures.

By @patszt in #2530.

The error message on connection failure now contains a correctly formatted target endpoint.

By @tobim in #2609.

VAST no longer attempts to hard-kill itself if the shutdown did not finish within the configured grace period. The option vast.shutdown-grace-period no longer exists. We recommend setting TimeoutStopSec=180 in the VAST systemd service definition to restore the previous behavior.

By @dominiklohmann in #2568.

Don’t abort startup if individual partitions fail to load

VAST now skips unreadable partitions while starting up, instead of aborting the initialization routine.

By @tobim in #2515.

Allow read access to user home dir in the systemd unit

The systemd service no longer fails if the home directory of the vast user is not in /var/lib/vast.

By @tobim in #2734.

VAST now ejects partitions from the LRU cache if they fail to load with an I/O error.

By @lava in #2642.
