Vector v0.57.0 release notes

Breaking Changes

See the 0.57 upgrade guide for full details and migration steps. At a glance, you are affected if you:

  • rely on ${VAR} interpolation in Vector configuration files: environment variable interpolation is now disabled by default. Pass --dangerously-allow-env-var-interpolation (or set VECTOR_DANGEROUSLY_ALLOW_ENV_VAR_INTERPOLATION=true) to restore the previous behavior.
  • use {{ field }} references in sink routing templates (object keys, file paths, HTTP headers, table or stream names): sinks now enforce a confinement boundary and reject templates with no literal prefix at startup. Set a static prefix in the template, or use dangerously_allow_unconfined_template_resolution: true to opt out.

Deprecation Announcements

See the deprecations page for all active and historical deprecations.

Environment-variable and secret placeholders in non-string positions

Placeholders (${VAR} and SECRET[backend.key]) in structural positions of a Vector configuration file are deprecated and will be removed in a future release. Current behavior is unchanged.

Affected patterns:

  • Unquoted placeholders in non-string fields (count = ${MY_COUNT}).
  • Placeholders in map keys (${KEY} = value).
  • Placeholders in TOML table headers ([${SECTION}]).
  • Placeholders as inline array elements that expand to multiple values (inputs = [${VECTOR_INPUTS}] where VECTOR_INPUTS=a,b).

Migration guidance will accompany the removal PR. envsubst can be used today to pre-expand env-var placeholders into a fully static config as a workaround.

See RFC: parse-first config interpolation for the full rationale.

Upgrading Vector
When upgrading, we recommend stepping through minor versions as these can each contain breaking changes while Vector is pre-1.0. These breaking changes are noted in their respective upgrade guides.

Vector Changelog

7 new features

  • The host_metrics source can now collect hardware temperature readings via a new temperature collector. When enabled, it emits temperature_celsius, temperature_max_celsius, and temperature_critical_celsius gauges, each tagged with the component label of the sensor it was read from.

    The collector is opt-in: add temperature to the collectors list to enable it. Components that do not report a given value (for example a missing critical threshold) are skipped, and environments without temperature sensors simply produce no metrics.


    Thanks to somaz94 for contributing this change!
  • Added a way to keep memory enrichment table state between configuration reloads, using the new reload_behavior option.
    Thanks to esensar, Quad9DNS for contributing this change!
  • Added support for configuring gRPC source maximum connection age, allowing long-lived client connections to be gracefully recycled for better load balancer distribution.
    Thanks to fpytloun for contributing this change!
  • Added a new counter metric component_cpu_usage_ns_total counting the CPU time consumed by a transform in nanoseconds.

    The metric is opt-in: set measure_cpu_usage: true on individual transform configurations to enable it. When disabled (the default), no counter is registered and no per-poll clock sampling takes place.


    Thanks to gwenaskell for contributing this change!
  • Add --chunk-size-events / VECTOR_CHUNK_SIZE_EVENTS to configure the source sender batch size and source output buffer base capacity (defaults to 1000 events).
    Thanks to sakateka for contributing this change!
  • The tag_cardinality_limit transform now supports mode: exact_fingerprint, a new storage mode that can reduce memory usage for high-cardinality tag values compared to mode: exact. Instead of storing the full tag-value strings, only a 64 bit fingerprint hash of each value is kept. The trade-off is that throughput is slightly impacted due to extra hashing operations, and there is technically a (unlikely) chance of collisions at very high cardinalities
    Thanks to ArunPiduguDD for contributing this change!
  • Add support for configuring multiple endpoints in the vector sink via the new routing.endpoints option, enabling built-in load_balance, failover, and failover_primary endpoint strategies across downstream Vector instances. The previous address option is now deprecated in favor of routing.endpoints.
    Thanks to fpytloun for contributing this change!

10 enhancements

  • Adds support for including attributes from the X-Amz-Firehose-Common-Attributes header in the log events for the aws_kinesis_firehose source.
    Thanks to tchanturia for contributing this change!
  • The databricks_zerobus sink now supports a user_agent option whose value is appended to the user-agent header sent to Databricks. The header always identifies Vector (Vector/<version>); when set, the configured value is appended after it.
    Thanks to flaviocruz for contributing this change!
  • Optional Arrow IPC compression for Flight payloads. Defaults to no compression.
    Thanks to flaviofcruz for contributing this change!
  • Improved the warning log emitted by the datadog_logs sink when a field with a Datadog reserved attribute semantic meaning needs to be relocated but the destination path already exists. The log now includes source_path, destination_path, and renamed_existing_to fields to make the conflict easier to diagnose; additionally, it will now also increment a new counter datadog_logs_reserved_attribute_conflicts_total.
    Thanks to gwenaskell for contributing this change!
  • Add support for optionally applying rate limiting to the internal_logs source controlled by the --internal-logs-source-rate-limit CLI option and VECTOR_INTERNAL_LOGS_SOURCE_RATE_LIMIT environment variable. This provides the same rate limiting functionality as was available before version 0.51.1 but with a rate limit window separate from the console one.
    Thanks to bruceg for contributing this change!
  • The socket source (UDP mode) now supports a multicast_interface option that controls which local network interface is used when joining multicast groups. This is useful on hosts with multiple interfaces and on macOS, where specifying 0.0.0.0 only joins on the default interface (unlike Linux, which joins on all interfaces).
    Thanks to thomasqueirozb for contributing this change!
  • Updated the source send cancelled error message to point towards possible causes. This error usually happens either because a pipeline is shutting down or because of backpressure.
    Thanks to clementd-dd for contributing this change!
  • Adds a per-tag cache_size_per_key option to configuration options in probabilistic mode. Previously, per-tag overrides always inherited the bloom filter cache size from the enclosing config, which could cause a higher false positive rate when the per-tag value_limit is higher than the global or per-metric value_limit. When omitted, the cache size value from the enclosing config is used. Only valid in probabilistic mode β€” using it in exact mode will cause a configuration error.
    Thanks to ArunPiduguDD for contributing this change!
  • The vector sink now supports optional HTTP/2 keepalive on its pooled gRPC connections, configured via a new keepalive block (interval_secs and timeout_secs). When enabled, the sink periodically sends HTTP/2 PING frames so that a connection to a downstream Vector instance that has gone away is detected and evicted rather than reused indefinitely (which could otherwise stall delivery until the connection was replaced). Keepalive is disabled by default; when enabled, interval_secs defaults to 60 (aligned with gRPC keepalive guidance to avoid tripping too_many_pings policies) and timeout_secs defaults to 20. PINGs are sent on idle connections so an idle-but-dead connection is still detected.
    Thanks to graphcareful for contributing this change!
  • Improved the VRL playground UX:

    • Added resizable panels via draggable gutters.
    • Added a dark/light/system theme toggle that syncs with the OS preference.
    • Added run history persisted in localStorage, with a clear button.
    • Added a Shift+Enter shortcut to run the program.
    • The Share button now copies the shareable URL to the clipboard.
    • Various visual polish (unified header, purple accents, tightened spacing).

    Thanks to pront for contributing this change!

28 bug fixes

  • Fixed vector validate --no-environment so it reports VRL and condition compilation errors for transforms without requiring full environment-dependent component initialization.
    Thanks to pront for contributing this change!
  • Fixed the logstash source to close the connection on a malformed frame instead of attempting to continue. A failed JSON decode or decompression previously left the decoder desynchronized but still running, which could busy-loop and emit ACKs for bogus sequence numbers (surfacing as invalid sequence number received on the client). The source now treats any decode error as fatal and closes the connection β€” matching the upstream logstash-input-beats server β€” so the client reconnects and retransmits the unacknowledged window.
    Thanks to graphcareful for contributing this change!
  • Fixed the file source silently dropping all but the first member of concatenated (multi-stream) gzip files. This regression was introduced in v0.50.0.
    Thanks to thomasqueirozb for contributing this change!
  • Added support for DOQ socket protocol in dnstap source. This will prevent error messages when DOQ traffic is encountered.
    Thanks to esensar, Quad9DNS for contributing this change!
  • Fixed the logstash source to preserve writer window boundaries when generating ACKs. This prevents batched reads from producing ACK sequences that advance past the current window, which could lead to “invalid sequence number received” errors and duplicate retransmits under load.
    Thanks to bruceg for contributing this change!
  • Fixed SQL injection via identifier names in the clickhouse sink. The database and table config values are now passed as ClickHouse query parameters with the Identifier type ({database:Identifier}.{table:Identifier}), letting the server handle quoting rather than relying on client-side string escaping.
    Thanks to pront, thomasqueirozb for contributing this change!
  • Fixed vector top freezes when using a high number of components.
    Thanks to esensar, Quad9DNS for contributing this change!
  • Fixed a bug in the datadog_metrics sink where the metric type name was compared against itself (instead of the peer metric) when sorting metrics before encoding. The sort key is (type_name, metric_name, timestamp), but the type comparison was a no-op, making metric_name the effective primary key. The fix restores the intended ordering.
    Thanks to gwenaskell for contributing this change!
  • Fixed a config reload bug that could silently stop event delivery. If a reload changes a component’s kind while keeping the same name (for example, replacing an enrichment table’s derived source named X with a regular source named X, or replacing a transform named X with a source named X), any downstream sink or transform that still reads from X now correctly reconnects to the new component instead of going silent until the next restart.
    Thanks to pront for contributing this change!
  • Fixed a reduce transform bug where a timestamp field with a name that requires quoting in a VRL path (e.g. "created.at" or "event-time") would have its _end companion silently dropped from the reduced event. The companion path is now built structurally and correctly lands next to the base field.
    Thanks to pront for contributing this change!
  • Fixed the logstash source to ACK only completed writer windows rather than sometimes emitting a partial ACK before the window is complete. While partial ACKs are permitted by the official protocol spec and cause no problems for the reference go-lumber client in Beats, they appears to confuse proxies that assume there will only be one ACK per window, causing errors on subsequent batches.
    Thanks to bruceg for contributing this change!
  • The logstash source now rejects a WindowSize frame that arrives before the current window has received all of its advertised events, closing the connection with a fatal decode error instead of making any attempt to continue. While this is allowed by the protocol spec, no known client makes use of this and the reference server in go-lumber treats it as a protocol violation.
    Thanks to bruceg for contributing this change!
  • The aws_kinesis_firehose source no longer falls back to forwarding raw, undecoded bytes for a record that hits the decompressed-size cap under Compression::Auto; such records are now rejected instead of forwarded.
    Thanks to thomasqueirozb for contributing this change!
  • Updated the zlib backend (zlib-rs) from 0.6.0 to 0.6.6, pulling in an upstream fix for an aarch64 NEON Adler-32 bug that could produce incorrect checksums. On arm64, valid zlib-format (RFC 1950) payloads, such as deflate content-encoding handled by HTTP-based sources, could previously be rejected as corrupt with an incorrect data check error.
    Thanks to Stunned1 for contributing this change!
  • Fixed the syslog codec silently ignoring short-form severity keywords (crit, emerg, err, info, warn) and falling back to the default informational. The encoder now accepts both short-form and full-form severity names, matching the values used by VRL’s to_syslog_severity and to_syslog_level functions.
    Thanks to vparfonov for contributing this change!
  • The fluent source now caps how large a single msgpack frame may grow while being buffered, using the same limit, so a peer can no longer stream an oversized array/map/string without ever completing a message. Frames that exceed the limit before a complete message is decoded are now rejected and the connection is closed.
    Thanks to thomasqueirozb for contributing this change!
  • The vector source and the opentelemetry source’s gRPC mode now bound gRPC message size at the header read and cap gzip/zstd decompression mid-stream, matching the decompressed-size limit enforced elsewhere, so a compressed gRPC message can no longer expand past the cap during decompression before being rejected.
    Thanks to thomasqueirozb for contributing this change!
  • Fix programmatic defaults for endpoint health configuration to match the documented deserialization defaults.
    Thanks to fpytloun for contributing this change!
  • HTTP-based sources (http_server, prometheus_pushgateway, prometheus_remote_write, heroku_logs, opentelemetry) now cap decompressed request bodies at 100 MiB. Previously, a single unauthenticated request carrying a compressed payload (e.g. a gzip bomb) could allocate unbounded memory and OOM-kill the Vector process. Decompressed payloads exceeding the cap are rejected with HTTP 413, as are requests whose declared Content-Length exceeds the same limit. The cap can be raised or lowered via --max-decompressed-size-bytes (or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES).
    Thanks to pront, thomasqueirozb for contributing this change!
  • The logstash source now caps the size of compressed frame payloads. Previously, the 32-bit payload size field of a compressed (C) frame was read straight from the wire and used to reserve a buffer, so a 6-byte malformed frame advertising a multi-gigabyte size could trigger an allocation large enough to abort the process. The size of the decompressed output is now 100MiB by default and can be configured by --max-decompressed-size-bytes or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES. Oversized frames are rejected as a decode error.
    Thanks to thomasqueirozb for contributing this change!
  • The logstash source now rejects compressed frames that are nested inside other compressed frames. Previously, a malicious sender could nest compressed (C) frames arbitrarily deep, driving unbounded recursion in the decoder until the process exhausted its stack and aborted. Compressed payloads may now contain only a single layer of compression; no known Lumberjack/Beats client (e.g. Filebeat) ever emits more than one.
    Thanks to thomasqueirozb for contributing this change!
  • Fixed an integer underflow in the octet-counting framer (used by TCP syslog sources) that occurred when an over-length, length-prefixed message was split across multiple reads. Previously the decoder could panic in debug builds, or in release builds wrap the remaining-bytes counter to a huge value, wedging the decoder and silently dropping all subsequent input on that connection.
    Thanks to hhh6593 for contributing this change!
  • A new --raise-fd-limit CLI flag (or VECTOR_RAISE_FD_LIMIT environment variable) raises the file descriptor soft limit to the hard limit at startup. This prevents “Too many open files” errors when Vector monitors large numbers of log files. On macOS, Vector falls back to the kernel-enforced per-process file limit if the hard limit is too high.
    Thanks to vparfonov for contributing this change!
  • Sources that can decompress potentially untrusted input now cap compressed and decompressed payload sizes, preventing a small compressed payload (e.g. a gzip/zlib/zstd bomb) from allocating unbounded memory and OOM-killing the Vector process. The decompressed-output cap defaults to 100MiB and can be configured via --max-decompressed-size-bytes or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES. Affected sources: http_server, heroku_logs, prometheus_pushgateway, prometheus_remote_write, datadog_agent, splunk_hec, aws_kinesis_firehose, fluent, logstash, vector, and opentelemetry (both its HTTP and gRPC modes). The datadog_agent, splunk_hec, and aws_kinesis_firehose sources additionally now cap the size of the raw (compressed) request body they buffer in memory before decompression, matching http_server and opentelemetry; oversized requests are rejected with 413 Payload Too Large instead of being read into memory unbounded. Relatedly, zstd decoders across all affected sources now also bound the decoder’s internal window allocation, derived from the decompressed-size cap (and for HTTP-based sources, additionally clamped to the 8 MB ceiling suggested by RFC 9659), so a crafted frame can no longer declare a large Window_Size and drive a big allocation before the cap has a chance to trip.
    Thanks to thomasqueirozb for contributing this change!
  • Internal telemetry (metrics and logs) emitted from work that Vector runs on spawned tokio tasks now correctly inherits the owning component’s tags (component_id, component_kind, component_type). Previously, several components spawned background tasks without propagating the tracing span, so some internal events emitted from those tasks were missing their component tags. Affected emissions include the datadog_logs sink’s component_discarded_events_total (events too large to encode), the gcp_pubsub source’s component_errors_total/component_discarded_events_total from its per-stream tasks, and the splunk_hec sinks’ acknowledgement-handling component_errors_total.
    Thanks to gwenaskell for contributing this change!
  • Fixed a potential panic in the statsd source when a gauge metric value begins with a multi-byte UTF-8 character. The invalid value now returns a parse error instead.
    Thanks to pront for contributing this change!
  • Fixed the VRL Playground truncating large integers (such as xxhash and seahash results) to their least-significant digits. Results are now serialized with full precision instead of being coerced to JavaScript floating-point numbers.
    Thanks to stigglor for contributing this change!
  • Fixed a typo in the WebSocketMessageReceived internal event emitted by the websocket source: the protocol field was previously misspelled as protcol. Users filtering on this field in trace-level logs should update their queries accordingly.
    Thanks to pront for contributing this change!

2 chore

  • Environment variable interpolation in configuration files is now disabled by default. Previously, Vector interpolated ${VAR} references in config files automatically. To restore the previous behavior, pass --dangerously-allow-env-var-interpolation (or set VECTOR_DANGEROUSLY_ALLOW_ENV_VAR_INTERPOLATION=true). The --disable-env-var-interpolation flag and VECTOR_DISABLE_ENV_VAR_INTERPOLATION environment variable have been removed.
    Thanks to thomasqueirozb for contributing this change!
  • Sinks that accept {{ field }} references in routing templates now enforce a confinement boundary: the rendered value must stay within the literal prefix declared in the template. Templates with no literal prefix (e.g. key_prefix: "{{ host }}/") are rejected at startup. The file sink is the only exception: its base_dir config field can provide an explicit confinement root for path templates with no usable literal prefix.

    Any sink that includes a templated config field can be affected.

    The file sink gains a base_dir config field to set the confinement root explicitly when the path template has no usable literal prefix.

    HTTP-family templates: HTTP/HTTPS URI templates that use {{ field }} references must not contain ? or #. A field-rendered value could smuggle additional query parameters or fragments into the rendered URI. Fully static URI templates (no {{ }}) with a query string or fragment are still accepted. Dynamic query or fragment segments (e.g. https://api.internal/ingest?tenant={{ tenant }}) are rejected at startup. Templated request.headers values are also confined for HTTP-family sinks.

    Opt-out: set dangerously_allow_unconfined_template_resolution: true on the affected sink to disable all confinement checks for that sink β€” both at startup and at runtime. Vector logs a warning per template on startup and sets vector_security_confinement_disabled{component_type=...} to 1.

    Observability:

    • component_errors_total{error_type="confinement_failed"} β€” increments on each violation; events that trigger it are dropped.
    • vector_security_confinement_disabled β€” set to 1 while a sink is running with confinement disabled.

    Thanks to pront for contributing this change!

VRL Changelog

0.34.0 (2026-07-13)

New Features

  • Added support for dynamic regex patterns in parse_regex, allowing variables and runtime expressions to be passed as the pattern argument.

PR #1809 by @thomasqueirozb

  • Add strict parameter to parse_cef (default: true). When set to false, the function performs best-effort parsing of non-compliant CEF input, treating unescaped = characters within field values as literals rather than field delimiters. This improves compatibility with vendors such as Infoblox and Palo Alto Networks whose CEF output does not fully conform to the spec.

PR #1821 by @jacklongsd

Enhancements

  • Improved performance of parse_regex and parse_regex_all by pre-computing capture group names and indices at compile time, replacing name-based hash lookups with direct index-based access at runtime.

PR #1811 by @thomasqueirozb

  • Improved performance of truncate function if suffix parameter is provided.

PR #1784 by @JakubOnderka

  • Improved performance of parse_regex_all when using a literal regex pattern in concurrent workloads.

PR #1798 by @thomasqueirozb

Fixes

  • Fixed a panic in parse_key_value, parse_cef, decode_mime_q, and parse_ruby_hash on inputs with lines β‰₯ 65,535 bytes. This is a workaround until rust-bakery/nom#1867 is fixed.

PR #1848 by @pront

  • Fixed find’s type definition and documentation. Previously, the function advertised its return type as an integer, but never as nullable. Now it correctly states that the function returns null when value doesn’t match pattern.

PR #1812 by @JakubOnderka

Download Version 0.57.0

macOS
tar.gz
Windows
zip
Windows (MSI)
msi