The zeek-to-vast tool enables Zeek to speak with VAST via Broker. That is, it acts as a bridge between Zeek and VAST:

              Zeek  <--->  zeek-to-vast  <--->  VAST

Note that zeek-to-vast acts as a "dumb" relay and does not contain much logic. Please consult the documentation of the Zeek package zeek-vast for concrete Zeek use cases.


First, make sure you have Zeek and Broker installed. VAST automatically builds zeek-to-vast if Broker is found during the build configuration. If you're using the configure script in this repo, the flag --with-broker=PATH allows for specifying a custom install location. PATH is either an install prefix or a build directory of a Broker repository.

Second, install the Zeek scripts via:

zkg install zeek-vast

Now you're ready to go.


As illustrated above, zeek-to-vast sits between Zeek and VAST. If Zeek and VAST run on the same machine, all you need to do is invoke the program:


VAST must be running prior to invocation. After connecting to VAST successfully, zeek-to-vast creates a Broker endpoint and waits for Zeek to connect.

Both sides can be configured separately. To configure the VAST-facing side, use the options --vast-address (or -A) and --vast-port (or -P):

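# Connect to a VAST node running at <VAST_ADDRESS>:55555
# (<VAST_ADDRESS> is a placeholder; substitute the address of your VAST node)
zeek-to-vast -A <VAST_ADDRESS> -P 55555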

To configure the Zeek-facing side, use the options --broker-address (or -a) and --broker-port (or -p):

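# Wait for Zeek to connect at <BROKER_ADDRESS>:44444
# (<BROKER_ADDRESS> is a placeholder; substitute the address the Broker endpoint should use)
zeek-to-vast -a <BROKER_ADDRESS> -p 44444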
