spawn

Synopsis

parameters:
[-h | -? | --help] prints the help text
subcommands:
source creates a new source inside the node
matcher creates a new matcher

Documentation

The spawn command spawns a component inside the node. This is useful when the server process itself is to be used for importing events, e.g., because the latency for sending events to the server process is too high.

Currently, only the spawn source command is documented. See vast spawn source help for more information.

spawn matcher

Synopsis

creates a new matcher
parameters:
[-h | -? | --help] prints the help text
[--name=] <string> unique name for this matcher
[--format=] <string> output format (default: JSON)
[--ioc-type=] <string> ioc record type used by this matcher. (default: intel.indicator)
[--ioc-query=] <string> query to create initial ioc set. (default: none)
[--match-attributes=] <list of string> Matched attributes (default: #ioc)
[--match-fields=] <list of string> Matched record field names (default: none)

Documentation

The vast spawn matcher command spawns a new matcher.

spawn source

Synopsis

parameters:
[-h | -? | --help] prints the help text
[--batch-encoding=] <atom> encoding type of table slices (arrow or msgpack)
[--batch-size=] <uint64> upper bound for the size of a table slice
[--batch-timeout=] <string> timeout after which batched table slices are forwarded
[--read-timeout=] <string> timeout for waiting for incoming data
[-n | --max-events=] <uint64> the maximum number of events to import
subcommands:
csv creates a new CSV source inside the node
json creates a new JSON source inside the node
pcap creates a new PCAP source inside the node
suricata creates a new Suricata source inside the node
syslog creates a new Syslog source inside the node
test creates a new test source inside the node
zeek creates a new Zeek source inside the node
netflow creates a new NetFlow source
corelight-json creates a new corelight JSON source

Documentation

The spawn source command spawns a new source inside the node.

The following two commands do the same thing, except that the spawn source version runs inside the node rather than in a separate client process:

vast spawn source [options] <format> [options] [expr]
vast import [options] <format> [options] [expr]

For more information, please refer to the documentation for the import command.

spawn source corelight-json

Synopsis

creates a new corelight JSON source
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket

Documentation

spawn source netflow

Synopsis

creates a new NetFlow source
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket
[--disable-community-id] disable computation of community id for every record

Documentation

spawn source zeek

Synopsis

creates a new Zeek source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket

Documentation

The spawn source zeek command spawns a Zeek source inside the node and is the analog to the import zeek command.

For more information, please refer to the documentation for the commands spawn source and import zeek.

spawn source test

Synopsis

creates a new test source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket
[--seed=] <uint64> the PRNG seed

Documentation

The spawn source test command spawns a test source inside the node and is the analog to the import test command.

For more information, please refer to the documentation for the commands spawn source and import test.

spawn source syslog

Synopsis

creates a new Syslog source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket

Documentation

The spawn source syslog command spawns a Syslog source inside the node and is the analog to the import syslog command.

For more information, please refer to the documentation for the commands spawn source and import syslog.

spawn source suricata

Synopsis

creates a new Suricata source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket

Documentation

The spawn source suricata command spawns a Suricata source inside the node and is the analog to the import suricata command.

For more information, please refer to the documentation for the commands spawn source and import suricata.

spawn source pcap

Synopsis

creates a new PCAP source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket
[-i | --interface=] <string> network interface to read packets from
[-c | --cutoff=] <uint64> skip flow packets after this many bytes
[-m | --max-flows=] <uint64> number of concurrent flows to track
[-a | --max-flow-age=] <uint64> max flow lifetime before eviction
[-e | --flow-expiry=] <uint64> flow table expiration interval
[-p | --pseudo-realtime-factor=] <uint64> factor c delaying packets by 1/c
[--snaplen=] <uint64> snapshot length in bytes
[--drop-rate-threshold=] <real64> drop rate that must be exceeded for warnings to occur
[--disable-community-id] disable computation of community id for every packet

Documentation

The spawn source pcap command spawns a PCAP source inside the node and is the analog to the import pcap command.

For more information, please refer to the documentation for the commands spawn source and import pcap.

spawn source json

Synopsis

creates a new JSON source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket

Documentation

The spawn source json command spawns a JSON source inside the node and is the analog to the import json command.

For more information, please refer to the documentation for the commands spawn source and import json.

spawn source csv

Synopsis

creates a new CSV source inside the node
parameters:
[-h | -? | --help] prints the help text
[-l | --listen=] <string> the endpoint to listen on ([host]:port/type)
[-r | --read=] <string> path to input where to read events from
[-s | --schema-file=] <string> path to alternate schema
[-S | --schema=] <string> alternate schema as string
[-t | --type=] <string> filter event type based on prefix matching
[-d | --uds] treat -r as listening UNIX domain socket

Documentation

The spawn source csv command spawns a CSV source inside the node and is the analog to the import csv command.

For more information, please refer to the documentation for the commands spawn source and import csv.