Formats

A format specifies the encoding of data using two abstractions.

1. Parser: a component that turns raw bytes into structured event data
2. Printer: a component that turns structured events into raw bytes

Parsers and printers interact with their corresponding dual from a connector, as the diagram below shows:

The table below summarizes the parsers and printers that VAST currently supports:

Format	Description	Parser	Printer
Arrow	Apache Arrow IPC	❌	✅
ASCII	Textual data representation	❌	✅
CEF	Common Event Format (CEF)	✅	❌
CSV	Comma-separated Values (CSV)	✅	✅
JSON	Newline-delimited JSON (NDJSON)	✅	✅
NetFlow	NetFlow v5, v9, and IPFIX	✅	❌
PCAP	Packet handling via libpcap	✅	✅
Suricata	Suricata EVE JSON	✅	❌
Zeek	Zeek TSV logs	✅	✅
null	A null sink discards all data	❌	✅
test	Random event generator	✅	❌

The list below covers all formats that VAST supports.

📄️ Arrow

Columnar format for analytics workloads

📄️ ASCII

Typed textual data

📄️ CEF

Common Event Format — SIEM

📄️ CSV

Comma-separated values

📄️ JSON

Line-delimited JSON

📄️ NetFlow

Network traffic flow summaries

📄️ PCAP

Raw network traffic in PCAP form

📄️ Suricata

Open source NSM and IDS/IPS

📄️ Zeek

Open source network security monitor