Schemas

In VAST, a schema is a collection of type aliases. Users can write their own schemas to define type relationships and describe event layouts.

Examples

VAST uses a Zeek-inspired syntax to define a schema. Consider this example:

# A type alias with an attribute.
type foo = count #skip

# A record using the above type alias.
type bar = record {
  x: foo,
  y: real,
  z: string
}

This schema defines two types: a type alias foo with a skip attribute and a record type bar with three fields, where the first field x contains the previously defined type.

Records support nesting:

# A record using the above type alias.
type flow = record {
  timestamp: time,
  id: record {
    src: addr,
    dst: addr
  },
  data: string
}

The flow record type contains a field id that is also a record type.

Builtin Schemas

VAST ships with several schemas for common events, such as Zeek or Suricata logs. Schemas reside in PREFIX/share/vast/schema, and additional search paths for user-provided schemas can be set in the configuration file vast.conf.

Reference

todo

We will provide an exhaustive schema reference in the future.

#Examples

#Builtin Schemas

#Reference

todo

Examples

Builtin Schemas

Reference