Vector: A Log Agent Worth Trying
Actualizado: 2026-05-03
Vector, the Datadog observability agent, reached version 1.0 in 2022 and has matured through 2023 and 2024 into a serious option against Fluent Bit, Fluentd, and Logstash. Written in Rust, with its own transformation language called VRL, and support for dozens of sources and destinations, it occupies a specific niche: complex log and metric transformations at the node, before sending to destination.
Key takeaways
- Vector is Rust-based: typically 30-100 MB memory in operation, more than Fluent Bit but far less than Logstash (JVM).
- VRL (Vector Remap Language) is the differentiator: expressive transformations with typing, error handling, and integrated unit testing.
- The same agent handles logs, metrics, and traces from dozens of sources to dozens of destinations.
- Genuinely open source (MPL 2.0) and works without a Datadog account.
- For simple pipelines, Fluent Bit is still lighter. Vector pays off when transformations are non-trivial.
What Distinguishes Vector
Vector’s proposition is threefold:
- Performance: written in Rust, typically consuming 30-100 MB of memory in operation — more than Fluent Bit, which is even lighter, but dramatically less than Logstash with its JVM.
- Transformations: VRL (Vector Remap Language) allows rewriting, enriching, filtering, and pivoting events with powerful declarative syntax.
- Multi-source: the same agent handles logs, metrics, and traces from dozens of origins to dozens of destinations.
Vector Remap Language
VRL is the main differentiator against Fluent Bit. While Fluent Bit uses relatively limited chained filters, Vector allows writing expressive transformations that look like code but are declarative.
The language has explicit typing, error handling, predefined functions for parsing common formats, and ability to unit-test transformations. For teams previously writing Lua scripts in Fluent Bit for the same purpose, VRL is significantly more maintainable.
Against Fluent Bit
Fair comparison acknowledges both excel in different terrain:
- Fluent Bit is lighter, has solid CNCF ecosystem and more years of production scale. It’s the default choice for simple log collection in Kubernetes with high pod density.
- Vector wins when transformations are non-trivial — several enrichment steps, varied format parsing, complex filtering, and multiple simultaneous destinations.
Against Logstash
Logstash is the traditional Elastic stack agent. Works but has reputation of consuming quite a lot of memory — typically a gigabyte or more. For modern Kubernetes environments, Vector is natural replacement: Rust vs JVM, modern transformations vs Ruby plugins.
Typical Use Cases
Vector shines in heterogeneous-observability situations. A centralised Vector agent can consume multiple sources, normalise to a common schema, enrich with metadata, and distribute to several destinations simultaneously:
- Loki for hot logs and interactive querying.
- S3 for long-term archive.
- Datadog for executive dashboards.
- Elasticsearch for legal audit.
Honest Limitations
Vector isn’t universal replacement:
- For very simple pipelines — collect container logs and send to Loki — Fluent Bit is lighter and requires less configuration.
- For users already deep in Elastic ecosystem, Logstash may be more natural.
- VRL learning curve has real cost — a team used to Fluent Bit needs several weeks to master VRL fluently.
Conclusion
Vector is appropriate choice when observability requires non-trivial transformations and multi-source consolidation. For simple pipelines, Fluent Bit remains lighter and more pragmatic. The pragmatic decision depends on real pipeline complexity and appetite for learning VRL. For teams with mature observability already managing multiple sources and destinations, investing in Vector reduces fragmentation and improves maintainability.
