VAST 2020.07.28

@dominiklohmann dominiklohmann released this 28 Jul 11:35
464f82b

We’re happy to announce the monthly VAST release 2020.07.28! 🎉

Our official community chat is now tenzir.element.io. We are looking forward to engaging with our users and everybody else who is interested in our open-source projects. We chose Matrix because we want to promote an open communication platform that allows users to choose their preferred client.

FlatBuffers

We are continuing to transform the persistent state of VAST into a vendor-neutral format that supports clear versioning to simplify updates. This release adds a new dependency for this purpose: FlatBuffers. We completed the first of the three migration steps, and the team is working heavily on the two remaining steps. In this release, the archive already uses the new FlatBuffers state.

MessagePack

We have also worked on performance: our MessagePack encoding for table slices is now open source and the new default when Apache Arrow support is unavailable. MessagePack table slices represent events in row-major format, which is better suited to dense binary formats with little metadata, such as PCAP. Cache-friendly access patterns and a dense representation make MessagePack a good alternative to Apache Arrow for high-volume non-log data. You can enable MessagePack by setting import.table-slice-type = 'msgpack' in the configuration.

Static Binaries

To make trying out VAST easier than ever before, we now offer a statically linked binary on Linux for every commit to master, as well as for every release. Our installation instructions contain the details.

Changelog Highlights

As always, you can find the full technical scoop of what changed in our changelog. Here are the highlights:

🎁 Features

  • We open-sourced our MessagePack-based table slice implementation, which provides a compact row-oriented encoding of data. This encoding works well for binary formats (e.g., PCAP) and access patterns that involve materializing entire rows. The MessagePack table slice is the new default when Apache Arrow is unavailable. To enable parsing into MessagePack, you can pass --table-slice-type=msgpack to the import command, or set the configuration option import.table-slice-type to 'msgpack'. #975
  • Starting with this release, installing VAST on any Linux becomes significantly easier: A static binary will be provided with each release on the GitHub releases page. #966

⚠️ Changes

  • VAST now recognizes /etc/vast/schema as an additional default directory for schema files. #980
  • FlatBuffers is now a required dependency for VAST. The archive and the segment store use FlatBuffers to store and version their on-disk persistent state. #972
  • A type definition for the stats, krb5, smb, and ssh events was added to the suricata schema file. #954 #986

🐞 Bug Fixes

  • The PCAP reader now correctly shows the number of generated events. #954