Usage

This section is a brief walk-through of how to get started with VAST. Once VAST is installed, you interact with it through the vast executable. The command line interface is currently the primary way to use VAST; experimental Python bindings for programmatic data access exist as well.

Startup

VAST has a client-server architecture, but a single vast executable serves both roles. The start command spins up a new node, i.e., the server process that stores and indexes data:

vast start

All other commands run as clients that connect to a running node. See vast help for the list of available commands.

Data Import

Once the VAST node is up and running, you can begin ingesting data with the import command. It takes the input format as a sub-command. For example, the zeek sub-command parses Zeek's tab-separated log format:

zcat *.log.gz | vast import zeek

To ingest a PCAP trace, you can use the pcap sub-command:

vast import pcap -c 1024 < trace.pcap

Here, -c 1024 sets a per-connection cut-off: only the first 1024 bytes of each connection are kept and the remainder is dropped, so that large transfers do not dominate the stored trace.

Data Export

Once the node holds some data, you can query it with the export command, which also takes an output format as sub-command, followed by a query expression. A bare value such as 6.6.6.6 is a value predicate and matches any field of that type (here, any address field), so the query does not need to name a specific column. For example, to get all events from the last hour that involve a specific IP address, rendered as JSON, you would write:

vast export json '#timestamp > 1 hour ago && 6.6.6.6'

The pcap format renders the output as a PCAP trace, which only makes sense for data that was imported as PCAP. Here is an example that selects packets to privileged TCP ports from sources outside 10.0.0.0/8 and feeds the output into tcpdump:

vast export pcap "sport < 1024/tcp && src !in 10.0.0.0/8" |
tcpdump -nl -r -
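The two export commands above return raw events. A recurring practitioner task built on exactly that is an indicator sweep: take a list of addresses, restrict the search to a lookback window, and count how many events mention each address. The script below is an added example, not part of the VAST documentation or the project's own tooling. It uses only the vast export json invocation shown above; build_ioc_query, count_hits, run_sweep and demo are hypothetical helper names, and the JSON lines in SAMPLE_EVENTS are constructed so that the counting logic can be exercised offline without a running node.

```shell
#!/bin/sh
# Added example (not from the VAST documentation): sweep a VAST node for a list
# of indicator addresses over a lookback window and count hits per address.
# Helper names (build_ioc_query, count_hits, run_sweep, demo) are hypothetical.

# Build a VAST query expression: a #timestamp predicate AND a parenthesised
# disjunction of bare address predicates (a bare address matches any field of
# type addr). Usage: build_ioc_query "1 hour ago" addr1 addr2 ...
build_ioc_query() {
    window="$1"; shift
    disj=""
    for ip in "$@"; do
        if [ -z "$disj" ]; then disj="$ip"; else disj="$disj || $ip"; fi
    done
    printf '#timestamp > %s && (%s)\n' "$window" "$disj"
}

# Count how many exported JSON events (one object per line, read from stdin)
# mention each address as a quoted string. Prints "<addr> <count>" per address.
# grep -c exits 1 when there are zero matches, hence the "|| true" so the
# function also works under "set -e".
count_hits() {
    events=$(cat)
    for ip in "$@"; do
        n=$(printf '%s\n' "$events" | grep -Fc "\"$ip\"" || true)
        printf '%s %s\n' "$ip" "$n"
    done
}

# Run the sweep against a live node: vast export json <expr> | count_hits.
# Skipped when vast is not on PATH so the script still runs elsewhere.
run_sweep() {
    window="$1"; shift
    if ! command -v vast >/dev/null 2>&1; then
        echo "vast not found on PATH; skipping live export" >&2
        return 0
    fi
    query=$(build_ioc_query "$window" "$@")
    vast export json "$query" | count_hits "$@"
}

# Constructed sample of what "vast export json" emits (one JSON object per
# line). Not real data; it only exists to exercise count_hits offline.
SAMPLE_EVENTS='{"ts":"2020-01-01T10:00:00","id.orig_h":"6.6.6.6","id.resp_h":"10.0.0.5"}
{"ts":"2020-01-01T10:01:00","id.orig_h":"10.0.0.7","id.resp_h":"6.6.6.6"}
{"ts":"2020-01-01T10:02:00","id.orig_h":"192.0.2.1","id.resp_h":"10.0.0.5"}'

# Offline demonstration: 6.6.6.6 appears in two events (once as originator,
# once as responder), 192.0.2.1 in one, 198.51.100.9 in none.
demo() {
    printf '%s\n' "$SAMPLE_EVENTS" | count_hits 6.6.6.6 192.0.2.1 198.51.100.9
}

demo
```

Against a live node you would call run_sweep "1 hour ago" 6.6.6.6 192.0.2.1 instead of demo. The count is per event, not per field: an event where the same address is both originator and responder still counts once, and because the match is a plain string comparison on the JSON text, it counts hits in any field that carries the address, which is the same behaviour the bare-address predicate has on the query side.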

Next Steps

Ready for continuous deployment? VAST runs on the most common UNIX flavors, such as Linux (systemd), FreeBSD (rc.d), and macOS (launchd). The next section shows how to install VAST on those platforms.