vast.conf
; This is an example configuration file for VAST, striving to show all available
; options. Lines starting with a semicolon are commented out. Options in angle
; brackets have their default value determined at runtime.
; Options that apply to VAST.
system {
; The host and port to listen at and connect to. The default binds to the
; loopback interface only; a non-loopback host makes the node reachable from
; other machines.
;endpoint = "localhost:42000"
; The file system path used for persistent state.
;db-directory = "vast.db/"
; The file system path used for log files.
;log-file = "<db-directory>/server.log"
; Number of events to be batched in a table slice (this is a target value that
; can be underrun if the source has a low rate).
;table-slice-size = 100
; The table slice type (default|arrow).
;table-slice-type = 'arrow'
; The size of an index shard.
;max-partition-size = 1000000
; The unique ID of this node.
;node-id = "node"
; List of paths to look for schema files.
;schema-paths = <["$VAST_INSTALL_PREFIX/share/vast/schema"]>
; Don't load the default schema definitions.
;no-default-schema = false
; Spawn a node instead of connecting to one.
;node = false
; Don't keep track of performance metrics.
;disable-metrics = false
}
; The `vast count` command counts hits for a query without exporting data.
count {
; Estimate an upper bound by skipping candidate checks.
;estimate = false
}
; The `vast export` command exports query results to stdout or a file.
export {
; Mark a query as continuous.
;continuous = false
; Mark a query as unified.
;unified = false
; The maximum number of events to export.
;max-events = <infinity>
; Path for reading the query or "-" for reading from stdin.
;read = "-"
; The `vast export ascii` command exports events formatted in a plain-text
; format that is internal to VAST.
ascii {
; Path to write events to or "-" for writing to stdout.
;write = "-"
; Treat the write option as a UNIX domain socket to connect to.
;uds = false
}
; The `vast export csv` command exports events formatted as CSV.
csv {
; For available options, see export.ascii.
}
; The `vast export json` command exports events formatted as JSONL (line-
; delimited JSON).
json {
; For additionally available options, see export.ascii.
}
; The `vast export null` command exports events from a given query without
; printing them. Used for debugging and benchmarking only.
null {
; For available options, see export.ascii.
}
; The `vast export arrow` command exports events in the Apache Arrow format.
arrow {
; For available options, see export.ascii.
}
; The `vast export pcap` command exports events in the PCAP format.
pcap {
; Flush to disk after this many packets.
;flush-interval = 10000
; For additionally available options, see export.ascii.
}
; The `vast export zeek` command exports events formatted as Zeek logs.
zeek {
; For available options, see export.ascii.
}
}
; The `vast infer` command tries to infer the schema from data.
infer {
; Path to read events from or "-" for reading from stdin.
;read = "-"
; Maximum number of bytes to buffer.
;buffer = 8192
}
; The `vast import` command imports data from stdin, files or over the network.
import {
; The maximum number of events to import.
;max-events = <infinity>
; Block until the importer has forwarded all data.
;blocking = false
; Select the table slice type.
;table-slice-type = 'arrow'
; The `vast import csv` command imports data from CSVs with a known schema.
csv {
; The endpoint to listen on ("[host]:port/type").
;listen = <none>
; Path to file to read events from or "-" for stdin.
;read = "-"
; Treat the read option as a UNIX domain socket to connect to.
;uds = false
; Path to an alternate schema.
;schema-file = <none>
; An alternate schema as a string.
;schema = <none>
}
; The `vast import json` command imports data from JSONLs with a known schema.
json {
; For available options, see import.csv.
}
; The `vast import pcap` command imports PCAP logs.
pcap {
; Network interface to read packets from.
;interface = <none>
; Skip flow packets after this many bytes.
;cutoff = <infinity>
; Number of concurrent flows to track.
;max-flows = 1048576
; Maximum flow lifetime before eviction.
;max-flow-age = 60
; Flow table expiration interval.
;flow-expiry = 10
; Inverse factor by which to delay packets. For example, if 5, then for two
; packets spaced *t* seconds apart, the source will sleep for *t/5* seconds.
;pseudo-realtime-factor = 0
; Snapshot length in bytes.
;snaplen = 65535
; Disable computation of community id for every packet.
;disable-community-id = false
; For additionally available options, see import.csv.
}
; The `vast import suricata` command imports Suricata eve.json logs.
suricata {
; For available options, see import.csv.
}
; The `vast import syslog` command imports Syslog entries.
syslog {
; For available options, see import.csv.
}
; The `vast import test` command imports randomly generated events. Used for
; debugging and benchmarking only.
test {
; For available options, see import.csv.
}
; The `vast import zeek` command imports Zeek logs.
zeek {
; For available options, see import.csv.
}
}
; The `vast pivot` command extracts related events of a given type.
pivot {
; For available options, see export.pcap.
}
; The `vast status` command prints a JSON-formatted status summary of the node.
status {
; No further configuration options are available. The system options apply.
}
; The `vast start` command spins up a new node.
start {
; No further configuration options are available. The system options apply.
}
; The `vast stop` command stops the node gracefully.
stop {
; No further configuration options are available. The system options apply.
}
; The `vast version` command prints the current version of VAST.
version {
; No further configuration options are available. The system options apply.
}
; The following commands are internally used either within VAST or for
; development, debugging, and benchmarking. No documentation is provided for the
; individual commands, but all options are listed.
kill {
}
peer {
}
send {
}
spawn {
accountant {
}
archive {
;segments = 10
;max-segment-size = 128
}
consensus {
;id = 0
;store-backend = "raft"
}
exporter {
;continuous = false
;unified = false
;events = <infinity>
}
index {
;max-events = 1048576
;max-parts = 10
;taste-parts = 5
;max-queries = 10
}
profiler {
;cpu = false
;heap = false
;resolution = 1
}
source {
; Please consult the source code of VAST for all available options.
; These are mostly symmetrical with the import command.
}
sink {
; Please consult the source code of VAST for a list of available options.
; These are mostly symmetrical with the export command.
}
}
; The settings below are internal to CAF and are not checked by VAST directly.
; Please be careful when changing these options. Note that some CAF options may
; conflict with VAST options, and are only listed here for completeness.
logger {
; Format for rendering individual log file entries.
; Valid format specifiers are:
; %c = logging category
; %C = class name
; %d = date
; %F = source file of the log statement
; %L = source line of the log statement
; %m = log message
; %M = source function of the log statement
; %n = newline
; %p = priority / severity of the message
; %r = time since application start
; %t = thread id
; %a = actor id
; %% = '%'
;file-format = "%r %c %p %a %t %C %M %F:%L %m%n"
; Configures the minimum severity of messages written to the log file.
; Possible values: quiet, error, warning, info, verbose, debug, trace.
; File logging is only available for commands that start a node (e.g.,
; vast start). The levels above 'verbose' are usually not available in
; release builds.
;file-verbosity = 'debug'
; Mode for console log output generation.
; Possible values: none, colored, uncolored.
;console = "colored"
; Format for printing individual log entries to the console.
; For a list of valid format specifiers, see file-format.
;console-format = "%d %m"
; Configures the minimum severity of messages written to the console.
; For a list of valid log levels, see file-verbosity.
;console-verbosity = 'info'
; Excludes listed components from logging.
;component-blacklist = ["caf", "caf_flow", "caf_stream"]
}
scheduler {
; Accepted alternative: "sharing".
;policy = "stealing";
; Configures whether the scheduler generates profiling output.
;enable-profiling = false
; Output file for profiler data (only if profiling is enabled).
;profiling-output-file = "/dev/null";
; Measurement resolution in milliseconds (only if profiling is enabled).
;profiling-resolution = 100ms
; Forces a fixed number of threads if set.
;max-threads = <number of cores>
; Maximum number of messages actors can consume in one run.
;max-throughput = <infinite>
}
; Options that apply when using "stealing" as the scheduler policy.
work-stealing {
; Number of zero-sleep-interval polling attempts.
;aggressive-poll-attempts = 100
; Frequency of steal attempts during aggressive polling.
;aggressive-steal-interval = 10
; Number of moderately aggressive polling attempts.
;moderate-poll-attempts = 500
; Frequency of steal attempts during moderate polling.
;moderate-steal-interval = 5
; Sleep interval between poll attempts during moderate polling.
;moderate-sleep-duration = 50us
; Frequency of steal attempts during relaxed polling.
;relaxed-steal-interval = 1
; Sleep interval between poll attempts during relaxed polling.
;relaxed-sleep-duration = 10ms
}
stream {
; Processing time per batch.
;desired-batch-complexity = 50us
; Maximum delay for partial batches.
;max-batch-delay = 5ms
; Time between emitting credit.
;credit-round-interval = 10ms
}