[-h | -? | --help] prints the help text
[--config=] <string> path to a configuration file
[-v | --verbosity=] <atom> output verbosity level on the console
[--schema-paths=] <list of string> list of paths to look for schema files ([/nix/store/mp9l1wapka7yfpr38ryncml2xbjs4ph0-vast-2020.06.25-87-g4d1a2d64-x86_64-unknown-linux-musl/share/vast/schema])
[-d | --db-directory=] <string> directory for persistent state
[--log-file=] <string> log filename
[-e | --endpoint=] <string> node endpoint
[-i | --node-id=] <string> the unique ID of this node
[-N | --node] spawn a node instead of connecting to one
[--disable-metrics] don't keep track of performance metrics
[--no-default-schema] don't load the default schema definitions
[--aging-frequency=] <string> interval between two aging cycles
[--aging-query=] <string> query for aging out obsolete data
[--max-partition-size=] <uint64> maximum number of events in a partition
[--max-resident-partitions=] <uint64> maximum number of in-memory partitions
[--max-taste-partitions=] <uint64> maximum number of immediately scheduled partitions
[-q | --max-queries=] <uint64> maximum number of concurrent queries
count count hits for a query without exporting data
export exports query results to STDOUT or file
explore explore context around query results
infer infers the schema from data
import imports data from STDIN or file
pivot extracts related events of a given type
start starts a node
status shows various properties of a topology
stop stops a node
version prints the software version
matcher control intel matching


VAST is a platform for network forensics at scale. It ingests security telemetry into a unified data model and offers a type-safe search interface to extract data in various formats.

The vast executable manages a VAST deployment by starting and interacting with a node, the server-side component that manages the application state.


The command line interface (CLI) is the primary way to interact with VAST. All functionality is available in the form of commands, each of which has its own set of options:

vast [options] [command] [options] [command] ...

Commands are recursive and the top-level root command is the vast executable itself. Usage follows typical UNIX applications:

  • standard input feeds data to commands
  • standard output represents the result of a command
  • standard error includes logging output

The help sub-command always prints the usage instructions for a given command, e.g., vast help lists all available top-level sub-commands.


In addition to command options, a configuration file vast.conf allows for persisting option values and tweaking system parameters. Command line options always override configuration file values.

During startup, vast looks for a vast.conf in the current directory. If the file does not exist, vast then attempts to open PREFIX/etc/vast.conf where PREFIX is the installation prefix (which defaults to /usr/local).

System Architecture

VAST consists of multiple components, each of which implements specific system functionality. The following key components exist:

source Generates events by parsing a particular data format, such as packets from a network interface, IDS log files, or generic CSV or JSON data.

sink Produces events by printing them in a particular format, such as ASCII, CSV, JSON, PCAP, or Zeek logs.

archive Stores the raw event data.

index Accelerates queries by constructing index structures that point into the archive.

importer Ingests events from sources, assigns them unique IDs, and relays them to archive and index for persistence.

exporter Accepts query expressions from users, extracts events, and relays results to sinks.


[Diagram: inside the node, the importer fans events out to the archive and the index; per-query exporters read from the archive and the index and relay results to their sinks. Outside the node, sources (e.g., zeek, pcap) feed the importer, and sinks (e.g., json, ascii) receive exporter output.]

The above diagram illustrates the default configuration of a single node and the flow of messages between the components. The importer, index, and archive are singleton instances within the node. Sources are spawned on demand for each data import. Sinks and exporters form pairs that are spawned on demand for each query. Sources and sinks exist in their own vast processes, and are responsible for parsing the input and formatting the search results.