Quick Start

Startup

Spin up a VAST node:

vast start

Import

Ingest a set of compressed Zeek logs (zcat decompresses them and VAST reads the Zeek format from stdin):

zcat *.log.gz | vast import zeek

Ingest a PCAP trace with a 1024-byte flow cut-off, i.e. packets of a flow beyond its first 1024 bytes are skipped:

vast import pcap -c 1024 < trace.pcap

Export

Run a query over events from the last hour and render the results as JSON. Keep the expression single-quoted so the shell does not treat the leading # as a comment:

vast export json '#timestamp > 1 hour ago && (6.6.6.6 || 5353/udp)'

Run a query over PCAP data, sort the packets, and feed them into tcpdump:

vast export pcap "sport < 1024/tcp && src !in 10.0.0.0/8" \
  | ipsumdump --collate -w - \
  | tcpdump -r - -nl

Configuration

You can tweak various system options in /etc/vast.conf. If you installed VAST with a prefix other than /, the configuration file resides at PREFIX/etc/vast.conf instead.
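The quick start above, wrapped into guarded shell functions. This is an added example, not part of VAST or its documentation: the vast subcommands and flags are exactly the ones shown above, while the function names, the VAST_BIN override (so the script can be dry-run against a stub), and the checks for an empty log glob and an unreadable trace are this example's own additions.

```shell
#!/bin/sh
# Added example wrapping the VAST quick start (not VAST's own code).
# VAST_BIN is an assumed override: point it at a stub to dry-run.
set -eu

VAST_BIN="${VAST_BIN:-vast}"

# Build an export query for a time window, e.g.
#   vast_time_window_query '1 hour' '6.6.6.6 || 5353/udp'
# The caller must quote the result so the shell never sees a bare '#'.
vast_time_window_query() {
  window="$1"
  predicate="$2"
  printf '#timestamp > %s ago && (%s)' "$window" "$predicate"
}

# Ingest every *.log.gz in a directory. Fails early when nothing matches,
# instead of handing zcat the literal pattern '*.log.gz'.
vast_import_zeek_dir() {
  dir="$1"
  set -- "$dir"/*.log.gz
  if [ ! -e "$1" ]; then
    echo "no *.log.gz files in $dir" >&2
    return 1
  fi
  zcat "$@" | "$VAST_BIN" import zeek
}

# Ingest a PCAP trace with a per-flow byte cut-off (default 1024, as above).
vast_import_pcap() {
  trace="$1"
  cutoff="${2:-1024}"
  if [ ! -r "$trace" ]; then
    echo "cannot read trace $trace" >&2
    return 1
  fi
  "$VAST_BIN" import pcap -c "$cutoff" < "$trace"
}

# Export matching events as JSON; the query is passed as one argument.
vast_export_json() {
  "$VAST_BIN" export json "$1"
}

# Resolve the configuration file for an install prefix:
#   /         -> /etc/vast.conf
#   /opt/vast -> /opt/vast/etc/vast.conf
vast_config_path() {
  prefix="${1:-/}"
  case "$prefix" in
    /)  echo /etc/vast.conf ;;
    */) echo "${prefix}etc/vast.conf" ;;
    *)  echo "$prefix/etc/vast.conf" ;;
  esac
}
```

Source the file and call the functions, for example `vast_import_zeek_dir /var/log/zeek` followed by `vast_export_json "$(vast_time_window_query '1 hour' '6.6.6.6 || 5353/udp')"`. Setting `VAST_BIN` to a shell function that just echoes its arguments lets you check the commands a pipeline would run before pointing it at a live node.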