Quick Start
Spin up a VAST node:

vast start
Ingest a bunch of Zeek logs:

zcat *.log.gz | vast import zeek

Ingest a PCAP trace with a 1024-byte flow cut-off:

vast import pcap -c 1024 < trace.pcap
Run a query over the last hour, rendered as JSON:

vast export json '#timestamp > 1 hour ago && ( || 5353/udp)'

Run a query over PCAP data, sort the packets, and feed them into tcpdump:

vast export pcap "sport < 1024/tcp && src !in" \
| ipsumdump --collate -w - \
| tcpdump -r - -nl
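The steps above run one after another in an interactive shell. Scripting them raises two practical questions the commands alone do not answer: the node must be ready before the first import, and it should be shut down again when the script exits or fails. The POSIX sh script below is an added example (not part of VAST or its documentation) that chains the Quick Start steps with a readiness wait and an exit trap, validates the flow cut-off argument before touching the node, and builds the time-bounded query from its parts. It assumes that `vast status` and `vast stop` exist as subcommands alongside `vast start`, `vast import` and `vast export`; the file glob and the `5353/udp` predicate are taken from the page.

```shell
#!/bin/sh
# Added example: automates the Quick Start steps with a readiness check and
# cleanup. Not VAST's own code. Assumes `vast status` and `vast stop` exist.
set -eu

# The -c argument to `vast import pcap` is a per-flow byte cut-off: accept
# only a positive decimal integer so a typo does not become a silent default.
valid_cutoff() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
  esac
  [ "$1" -gt 0 ]
}

# Compose the query used with `vast export`: $1 is the number of hours back,
# $2 the predicate to combine with the time bound.
hour_query() {
  printf '#timestamp > %s hour ago && (%s)' "$1" "$2"
}

# Poll `vast status` until the node answers, giving up after $1 seconds.
wait_for_node() {
  i=0
  while ! vast status >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt "$1" ] || return 1
    sleep 1
  done
}

# quickstart CUTOFF TRACE HOURS: start a node, ingest Zeek logs from the
# current directory and a PCAP trace, then query the last HOURS hours.
quickstart() {
  cutoff=$1; trace=$2; hours=$3
  valid_cutoff "$cutoff" || { echo "bad flow cut-off: $cutoff" >&2; return 2; }
  vast start &
  node=$!
  # Stop the node however the script ends; fall back to killing the process.
  trap 'vast stop >/dev/null 2>&1 || kill "$node" 2>/dev/null' EXIT
  wait_for_node 30 || { echo "node did not become ready" >&2; return 1; }
  zcat ./*.log.gz | vast import zeek
  vast import pcap -c "$cutoff" < "$trace"
  vast export json "$(hour_query "$hours" '5353/udp')"
}

# Only run the procedure when VAST is installed and three arguments are given;
# otherwise the file just defines the functions above.
if [ "$#" -eq 3 ] && command -v vast >/dev/null 2>&1; then
  quickstart "$@"
fi
```

Invoke it as `sh quickstart.sh 1024 trace.pcap 1` from the directory holding the `*.log.gz` files. The validation and query-building helpers are separate functions so they can be checked without a running node.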

You can tweak various system options in /etc/vast.conf. If you chose an install prefix other than /, the configuration file resides at PREFIX/etc/vast.conf instead.