Vector v0.55.0 release notes

The COSE team is excited to announce version 0.55.0!

Release highlights

  • New windows_event_log source that collects logs from Windows Event Log channels using the native Windows Event Log API, with pull-mode subscriptions, bookmark-based checkpointing, and configurable field filtering.
  • The aws_s3 sink now supports Apache Parquet batch encoding. Events can be written as Parquet columnar files with either an auto-generated native schema or a supplied .schema file, and configurable compression (Snappy, ZSTD, GZIP, LZ4, or none).
  • The azure_blob sink re-gains first-class Azure authentication: Azure CLI, Managed Identity, Workload Identity, and Managed Identity-based Client Assertion credential kinds are all supported again.
  • The datadog_metrics sink now defaults to the Series v2 endpoint (/api/v2/series) and uses zstd compression for Series v2 and Sketches, which should yield smaller payloads and more efficient batching and intake. A new series_api_version option (v1 or v2) is available to opt back to the legacy v1 endpoint; Series v1 continues to use zlib.
  • vector top is more trustworthy: per-output events for components with multiple output ports are now shown in the correct Events Out column, and the Memory Used column now reports disabled when the target Vector instance was started without --allocation-tracing instead of a misleading 0.
  • Better internal metrics for capacity planning and alerting:
    • New source-send latency distributions (source_send_latency_seconds, source_send_batch_latency_seconds) surface backpressure close to the source.
    • Task-transform utilization no longer counts time spent waiting on downstream components, giving a more representative view of transform saturation.
    • Fixed a regression in buffer utilization metric tracking around underflow.
  • Fixed a performance regression in the file and kubernetes_logs sources that could cause unexpectedly high CPU usage, introduced in 0.50.0.

Breaking Changes

See the 0.55 upgrade guide for full details and migration steps. At a glance, you are affected if you:

  • query or tail the Vector observability API in any way: the API has moved from GraphQL to gRPC. This includes vector top, vector tap, and anything that talked to /graphql or the /playground. The HTTP GET /health endpoint is unchanged and continues to serve Kubernetes HTTP probes as before.
  • set the top-level headers option on the http or opentelemetry sinks: it has been removed.
  • use the azure_logs_ingestion sink with Client Secret credentials: azure_credential_kind must now be set explicitly.
Upgrading Vector
When upgrading, we recommend stepping through minor versions as these can each contain breaking changes while Vector is pre-1.0. These breaking changes are noted in their respective upgrade guides.

Vector Changelog

6 new features

  • Added websocket support to the nats source and sink. The url field now supports both ws:// and wss:// protocols.
    Thanks to gedemagt for contributing this change!
  • graph.edge_attributes can now be added to transforms and sinks to add attributes to edges in graphs generated using vector graph. Memory enrichment tables are also considered for graphs, because they can have inputs and outputs.
    Thanks to esensar, Quad9DNS for contributing this change!
  • The kafka sink now supports trace events.
    Thanks to pstalmach for contributing this change!
  • Re-introduced Azure authentication support to azure_blob, including Azure CLI, Managed Identity, Workload Identity, and Managed Identity-based Client Assertion authentication types.
    Thanks to jlaundry for contributing this change!

  • Add Apache Parquet batch encoding support for the aws_s3 sink with flexible schema definitions.

    Events can now be encoded as Parquet columnar files with multiple schema input options:

    • Native Parquet schema — automatically generate a schema or supply .schema file
    • Configurable compression - (Snappy, ZSTD, GZIP, LZ4, None).

    Enable the codecs-parquet feature and configure batch_encoding with codec = "parquet" in the S3 sink configuration.


    Thanks to szibis, petere-datadog for contributing this change!
  • Added a new windows_event_log source that collects logs from Windows Event Log channels using the native Windows Event Log API with pull-mode subscriptions, bookmark-based checkpointing, and configurable field filtering.
    Thanks to tot19 for contributing this change!

11 enhancements

  • vector source: Implement standard gRPC health checking protocol (grpc.health.v1.Health) alongside the existing custom health check endpoint. This enables compatibility with standard tools like grpc-health-probe for Kubernetes and other orchestration systems.

    Issue: https://github.com/vectordotdev/vector/issues/23657


    Thanks to jpds for contributing this change!
  • The geoip enrichment table now includes a network field containing the CIDR network associated with the lookup result, available for all database types (City, ISP/ASN, Connection-Type, Anonymous-IP).
    Thanks to naa0yama for contributing this change!

  • The opentelemetry source now supports independent configuration of OTLP decoding for logs, metrics, and traces. This allows more granular control over which signal types are decoded, while maintaining backward compatibility with the existing boolean configuration.

    Simple boolean form (applies to all signals) 

    use_otlp_decoding: true  # All signals preserve OTLP format
# or
use_otlp_decoding: false # All signals use Vector native format (default)

    Per-signal configuration 

    use_otlp_decoding:
  logs: false     # Convert to Vector native format
  metrics: false  # Convert to Vector native format
  traces: true    # Preserve OTLP format

    Thanks to pront for contributing this change!
  • Adds new fields to parsed dnstap data: requestMessageSize and responseMessageSize. It represents the size of the DNS message.
    Thanks to esensar, Quad9DNS for contributing this change!

  • opentelemetry source: Implemented header enrichment for OTLP metrics and traces. Unlike logs, which support enriching the event itself or its metadata, depending on log_namespace settings, for metrics and traces this setting is ignored and header values are added to the event metadata.

    Issue: https://github.com/vectordotdev/vector/issues/24619


    Thanks to ozanichkovsky for contributing this change!
  • The datadog_metrics sink now uses zstd compression when submitting metrics to the Series v2 (/api/v2/series) and Sketches endpoints. Series v1 continues to use zlib (deflate).
    Thanks to vladimir-dd for contributing this change!
  • Bumped kube dependency from 0.93.0 to 3.0.1 and k8s-openapi from 0.22.0 to 0.27.0, adding support for Kubernetes API versions up to v1.35.
    Thanks to hligit for contributing this change!
  • Added support for the ClickHouse UUID type in the ArrowStream format for the clickhouse sink. UUID columns are now automatically mapped to Arrow Utf8 and cast by ClickHouse on insert.
    Thanks to benjamin-awd for contributing this change!
  • The datadog_metrics sink now defaults to the Datadog series v2 endpoint (/api/v2/series) and exposes a new series_api_version configuration option (v1 or v2) to control which endpoint is used. Set series_api_version: v1 to fall back to the legacy v1 endpoint if needed.
    Thanks to vladimir-dd for contributing this change!
  • Sources now record the distribution metrics source_send_latency_seconds (measuring the time spent blocking on a single events chunk send operation on the output) and source_send_batch_latency_seconds (encompassing all chunks within a received events batch).
    Thanks to gwenaskell for contributing this change!
  • vector top terminal UI now shows disabled in the Memory Used column when the connected Vector instance was not started with --allocation-tracing, instead of displaying misleading zeros. A new GetAllocationTracingStatus gRPC endpoint is queried on connect to determine the status.
    Thanks to pront for contributing this change!

12 bug fixes

  • Fixed log message ordering on shutdown where Vector has stopped. was logged before components had finished draining, causing confusing output interleaved with Waiting on running components messages.

    A new VectorStopping event was added in the place of the VectorStopped event.


    Thanks to tronboto for contributing this change!
  • Fixed utilization for task transforms to not account for time spent when downstream is not polling. If the transform is frequently blocked on downstream components, the reported utilization should be lower.
    Thanks to gwenaskell for contributing this change!
  • The opentelemetry source now logs an error if it fails to start up or during runtime. This can happen when the configuration is invalid, for example trying to bind to the wrong IP or when hitting the open file limit.
    Thanks to fbs for contributing this change!
  • Fixed regression in buffer utilization metric tracking around underflow.
    Thanks to bruceg for contributing this change!
  • Reduced the memory usage in the aggregate transform where previous values were being held even if mode was not set to Diff.
    Thanks to thomasqueirozb for contributing this change!
  • Fixed vector top displaying per-output sent events in the wrong column (Bytes In instead of Events Out) for components with multiple output ports.
    Thanks to pront for contributing this change!
  • Fixed an issue in the file/kubernetes_logs source that could cause unexpectedly high CPU usage after the async file server migration.
    Thanks to fcfangcc for contributing this change!
  • datadog_agent source: Preserve device as a plain tag when decoding v2 series metrics, instead of incorrectly prefixing it as resource.device. This matches the v1 series behavior and fixes tag remapping for disk, SNMP, and other integrations that use the device resource type.
    Thanks to lisaqvu for contributing this change!
  • Fixed the Datadog sink healthcheck endpoint computation to preserve site prefixes (e.g. us3., us5., ap1.) when deriving the API URL from intake endpoints. Previously, the healthcheck for site-specific endpoints like https://http-intake.logs.us3.datadoghq.com would incorrectly call https://api.datadoghq.com instead of https://api.us3.datadoghq.com, causing unintended cross-site egress traffic.
    Thanks to vladimir-dd for contributing this change!
  • Fixed an incorrect source_lag_time_seconds measurement in sources that use send_batch with large event batches. When a batch was split into multiple chunks, the reference timestamp used to compute lag time was re-captured on each chunk send, causing the lag time for later chunks to be overstated by the amount of time spent waiting for the channel to accept earlier chunks. The reference timestamp is now captured once before iteration and shared across all chunks.
    Thanks to gwenaskell for contributing this change!
  • Fixed Windows service state checks in vector service start/stop, and made vector service stop wait until the service reaches Stopped. Added --stop-timeout to vector service stop and vector service uninstall.
    Thanks to iMithrellas for contributing this change!
  • The text content generated by the demo_logs source has changed: the pool of fake usernames and the pool of fake domain TLDs are now both defined inside Vector rather than pulled from an external crate. The line formats (apache_common, apache_error, json, syslog, bsd_syslog) are unchanged. If any of your tests or downstream pipelines assert on specific generated usernames or TLDs, please update those expectations.
    Thanks to pront for contributing this change!

3 chore

  • If using the azure_logs_ingestion sink (added in Vector 0.54.0) with Client Secret credentials, add azure_credential_kind = "client_secret_credential" under the sink’s auth block (alongside azure_tenant_id, azure_client_id, and azure_client_secret). This was previously the default, and now must be explicitly configured. See the 0.55 upgrade guide for an example.
    Thanks to jlaundry for contributing this change!

  • The Vector observability API has been migrated from GraphQL to gRPC for improved performance, efficiency and maintainability. The vector top and vector tap commands continue to work as before, as they have been updated to use the new gRPC API internally. The gRPC service definition is available in proto/vector/observability.proto.

    Note: vector top and vector tap from version 0.55.0 or later are not compatible with Vector instances running earlier versions.

    • Remove the api.graphql and api.playground fields from your config. Vector now rejects configs that contain them.

    • If you use vector top or vector tap with an explicit --url, remove the /graphql path suffix:

    # Old
vector top --url http://localhost:8686/graphql

# New (the gRPC API listens at the root)
vector top --url http://localhost:8686
    • The GraphQL API (HTTP endpoint /graphql, WebSocket subscriptions, and the GraphQL Playground at /playground) has been removed. You can interact with the new gRPC API using tools like grpcurl:
    # Check health (standard gRPC health check, compatible with Kubernetes gRPC probes)
grpcurl -plaintext localhost:8686 grpc.health.v1.Health/Check

# List components
grpcurl -plaintext localhost:8686 vector.observability.v1.ObservabilityService/GetComponents

# Stream events (tap) — limit and interval_ms are required and must be >= 1
grpcurl -plaintext \
  -d '{"outputs_patterns": ["*"], "limit": 100, "interval_ms": 500}' \
  localhost:8686 vector.observability.v1.ObservabilityService/StreamOutputEvents

    Thanks to pront for contributing this change!
  • The headers option has been removed from the http and opentelemetry sinks. Use request.headers instead. On the opentelemetry sink, request is nested under protocol; see the 0.55 upgrade guide for examples. This option has been deprecated since v0.33.0.
    Thanks to thomasqueirozb for contributing this change!

VRL Changelog

[0.32.0 (2026-04-16)]

New Features

  • Added a new encode_csv function that encodes an array of values into a CSV-formatted string. This is the inverse of the existing parse_csv function and supports an optional single-byte delimiter (defaults to ,).

authors: armleth (https://github.com/vectordotdev/vrl/pull/1649)

  • Added to_entries and from_entries with jq-compatible behavior: to_entries supports both objects and arrays, and from_entries accepts key/Key/name/Name and value/Value aliases.

authors: close2code-palm (https://github.com/vectordotdev/vrl/pull/1653)

Enhancements

  • Added except parameter to flatten function to exclude specific keys from being flattened.

authors: benjamin-awd (https://github.com/vectordotdev/vrl/pull/1682)

Fixes

  • Fixed a bug where the REPL input validator was executing programs instead of only compiling them, causing functions with side effects (e.g. http_request) to run twice per submission.

authors: prontidis (https://github.com/vectordotdev/vrl/pull/1701)

[0.31.0 (2026-03-05)]

Download Version 0.55.0

Linux
tar.gz
ARM64 ARMv7 x86_64
Linux (deb)
deb
ARM64 ARMv7 x86_64
Linux (rpm)
rpm
ARM64 ARMv7 x86_64
macOS
tar.gz
ARM64
Windows
zip
x86_64
Windows (MSI)
msi
x86_64
browse all files...