This section covers a brief walk-through of how to get started with VAST. After you have installed VAST successfully, you can start using the vast executable. The command line interface is currently the primary way to interact with VAST. Experimental Python bindings for programmatic data access exist as well.
VAST has a client-server architecture. There is a single vast executable for both client and server mode. The start command spins up a new server:
All other commands are client commands. See vast help for the available commands.
Once the VAST server is up and running, you can begin ingesting data with the import command. It takes a format as sub-command. For example, the sub-command parses Zeek's tab-separated log format:
To ingest a PCAP trace, you can use the corresponding sub-command. The option -c 1024 specifies a cutoff that keeps only the first 1024 bytes of every connection.
After we have some data in the system, we can start querying with the command, which also takes a format as sub-command, followed by a query expression. For example, to get all data from the last hour for a specific IP address, rendered as JSON, you would write:
The pcap format renders the output as a PCAP trace. Here is an example that runs a query over PCAP data and feeds the output into
Ready for continuous deployment? VAST runs on the most common UNIX flavors, such as Linux (systemd), FreeBSD (rc.d), and macOS (launchd). The next section shows how to install VAST on those platforms.