See the 0.57 upgrade guide for full details and migration steps. At a glance, you are affected if you:
${VAR} interpolation in Vector configuration files: environment variable interpolation
is now disabled by default. Pass --dangerously-allow-env-var-interpolation (or set
VECTOR_DANGEROUSLY_ALLOW_ENV_VAR_INTERPOLATION=true) to restore the previous behavior.{{ field }} references in sink routing templates (object keys, file paths, HTTP headers,
table or stream names): sinks now enforce a confinement boundary and reject templates with no
literal prefix at startup. Set a static prefix in the template, or use
dangerously_allow_unconfined_template_resolution: true to opt out.See the deprecations page for all active and historical deprecations.
Placeholders (${VAR} and SECRET[backend.key]) in structural positions of
a Vector configuration file are deprecated and will be removed in a future
release. Current behavior is unchanged.
Affected patterns:
count = ${MY_COUNT}).${KEY} = value).[${SECTION}]).inputs = [${VECTOR_INPUTS}] where VECTOR_INPUTS=a,b).Migration guidance will accompany the removal PR. envsubst can be used today
to pre-expand env-var placeholders into a fully static config as a workaround.
See RFC: parse-first config interpolation for the full rationale.
The host_metrics source can now collect hardware temperature readings via a
new temperature collector. When enabled, it emits temperature_celsius,
temperature_max_celsius, and temperature_critical_celsius gauges, each
tagged with the component label of the sensor it was read from.
The collector is opt-in: add temperature to the collectors list to enable
it. Components that do not report a given value (for example a missing critical
threshold) are skipped, and environments without temperature sensors simply
produce no metrics.
reload_behavior option.Added a new counter metric component_cpu_usage_ns_total counting the CPU
time consumed by a transform in nanoseconds.
The metric is opt-in: set measure_cpu_usage: true on individual transform
configurations to enable it. When disabled (the default), no counter is
registered and no per-poll clock sampling takes place.
--chunk-size-events / VECTOR_CHUNK_SIZE_EVENTS to configure the source sender batch size and source output buffer base capacity (defaults to 1000 events).tag_cardinality_limit transform now supports mode: exact_fingerprint, a new storage
mode that can reduce memory usage for high-cardinality tag values compared to
mode: exact. Instead of storing the full tag-value strings, only a 64 bit fingerprint hash of
each value is kept. The trade-off is that throughput is slightly impacted due to extra hashing
operations, and there is technically a (unlikely) chance of collisions at very high cardinalitiesvector sink via the new routing.endpoints option, enabling built-in load_balance, failover, and failover_primary endpoint strategies across downstream Vector instances. The previous address option is now deprecated in favor of routing.endpoints.X-Amz-Firehose-Common-Attributes header in the log events for the aws_kinesis_firehose source.databricks_zerobus sink now supports a user_agent option whose value is appended to the user-agent header sent to Databricks. The header always identifies Vector (Vector/<version>); when set, the configured value is appended after it.datadog_logs sink when a field with a Datadog reserved attribute semantic meaning needs to be relocated but the destination path already exists. The log now includes source_path, destination_path, and renamed_existing_to fields to make the conflict easier to diagnose;
additionally, it will now also increment a new counter datadog_logs_reserved_attribute_conflicts_total.internal_logs source controlled by the
--internal-logs-source-rate-limit CLI option and VECTOR_INTERNAL_LOGS_SOURCE_RATE_LIMIT
environment variable. This provides the same rate limiting functionality as was available before
version 0.51.1 but with a rate limit window separate from the console one.socket source (UDP mode) now supports a multicast_interface option that controls which local network interface is used when joining multicast groups. This is useful on hosts with multiple interfaces and on macOS, where specifying 0.0.0.0 only joins on the default interface (unlike Linux, which joins on all interfaces).source send cancelled error message to point towards possible causes.
This error usually happens either because a pipeline is shutting down or because
of backpressure.cache_size_per_key option to configuration options in probabilistic mode. Previously, per-tag overrides always inherited the bloom filter cache size from the enclosing config, which could cause a higher false positive rate when the per-tag value_limit is higher than the global or per-metric value_limit. When omitted, the cache size value from the enclosing config is used. Only valid in probabilistic mode β using it in exact mode will cause a configuration error.vector sink now supports optional HTTP/2 keepalive on its pooled gRPC connections, configured via a new keepalive block (interval_secs and timeout_secs). When enabled, the sink periodically sends HTTP/2 PING frames so that a connection to a downstream Vector instance that has gone away is detected and evicted rather than reused indefinitely (which could otherwise stall delivery until the connection was replaced). Keepalive is disabled by default; when enabled, interval_secs defaults to 60 (aligned with gRPC keepalive guidance to avoid tripping too_many_pings policies) and timeout_secs defaults to 20. PINGs are sent on idle connections so an idle-but-dead connection is still detected.Improved the VRL playground UX:
vector validate --no-environment so it reports VRL and condition compilation errors for transforms without requiring full environment-dependent component initialization.logstash source to close the connection on a malformed frame instead of attempting to continue. A failed JSON decode or decompression previously left the decoder desynchronized but still running, which could busy-loop and emit ACKs for bogus sequence numbers (surfacing as invalid sequence number received on the client). The source now treats any decode error as fatal and closes the connection β matching the upstream logstash-input-beats server β so the client reconnects and retransmits the unacknowledged window.file source silently dropping all but the first member of concatenated (multi-stream) gzip files. This regression was introduced in v0.50.0.logstash source to preserve writer window boundaries when generating ACKs. This prevents batched reads from producing ACK sequences that advance past the current window, which could lead to “invalid sequence number received” errors and duplicate retransmits under load.clickhouse sink. The database and table config values are now passed as ClickHouse query parameters with the Identifier type ({database:Identifier}.{table:Identifier}), letting the server handle quoting rather than relying on client-side string escaping.vector top freezes when using a high number of components.datadog_metrics sink where the metric type name was compared against itself (instead of the peer metric) when sorting metrics before encoding. The sort key is (type_name, metric_name, timestamp), but the type comparison was a no-op, making metric_name the effective primary key. The fix restores the intended ordering.X with a regular source named X, or replacing a transform named X with a source named X), any downstream sink or transform that still reads from X now correctly reconnects to the new component instead of going silent until the next restart.reduce transform bug where a timestamp field with a name that requires quoting in a VRL path (e.g. "created.at" or "event-time") would have its _end companion silently dropped from the reduced event. The companion path is now built structurally and correctly lands next to the base field.logstash source to ACK only completed writer windows rather than
sometimes emitting a partial ACK before the window is complete. While partial
ACKs are permitted by the official protocol spec and cause no problems for the
reference go-lumber client in Beats, they appears to confuse proxies that
assume there will only be one ACK per window, causing errors on subsequent
batches.logstash source now rejects a WindowSize frame that arrives before the
current window has received all of its advertised events, closing the connection
with a fatal decode error instead of making any attempt to continue. While this
is allowed by the protocol spec, no known client makes use of this and the
reference server in go-lumber treats it as a protocol violation.aws_kinesis_firehose source no longer falls back to forwarding raw, undecoded bytes for a record that hits the decompressed-size cap under Compression::Auto; such records are now rejected instead of forwarded.zlib-rs) from 0.6.0 to 0.6.6, pulling in an upstream fix for an aarch64 NEON Adler-32 bug that could produce incorrect checksums. On arm64, valid zlib-format (RFC 1950) payloads, such as deflate content-encoding handled by HTTP-based sources, could previously be rejected as corrupt with an incorrect data check error.crit, emerg, err, info, warn) and falling back to the default informational. The encoder now accepts both short-form and full-form severity names, matching the values used by VRL’s to_syslog_severity and to_syslog_level functions.fluent source now caps how large a single msgpack frame may grow while being buffered, using the same limit, so a peer can no longer stream an oversized array/map/string without ever completing a message. Frames that exceed the limit before a complete message is decoded are now rejected and the connection is closed.vector source and the opentelemetry source’s gRPC mode now bound gRPC message size at the header read and cap gzip/zstd decompression mid-stream, matching the decompressed-size limit enforced elsewhere, so a compressed gRPC message can no longer expand past the cap during decompression before being rejected.http_server, prometheus_pushgateway, prometheus_remote_write, heroku_logs, opentelemetry) now cap decompressed request bodies at 100 MiB. Previously, a single unauthenticated request carrying a compressed payload (e.g. a gzip bomb) could allocate unbounded memory and OOM-kill the Vector process. Decompressed payloads exceeding the cap are rejected with HTTP 413, as are requests whose declared Content-Length exceeds the same limit. The cap can be raised or lowered via --max-decompressed-size-bytes (or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES).logstash source now caps the size of compressed frame payloads. Previously, the 32-bit payload size field of a compressed (C) frame was read straight from the wire and used to reserve a buffer, so a 6-byte malformed frame advertising a multi-gigabyte size could trigger an allocation large enough to abort the process. The size of the decompressed output is now 100MiB by default and can be configured by --max-decompressed-size-bytes or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES. Oversized frames are rejected as a decode error.logstash source now rejects compressed frames that are nested inside other compressed frames. Previously, a malicious sender could nest compressed (C) frames arbitrarily deep, driving unbounded recursion in the decoder until the process exhausted its stack and aborted. Compressed payloads may now contain only a single layer of compression; no known Lumberjack/Beats client (e.g. Filebeat) ever emits more than one.syslog sources) that occurred when an over-length, length-prefixed message was split across multiple reads. Previously the decoder could panic in debug builds, or in release builds wrap the remaining-bytes counter to a huge value, wedging the decoder and silently dropping all subsequent input on that connection.--raise-fd-limit CLI flag (or VECTOR_RAISE_FD_LIMIT environment variable)
raises the file descriptor soft limit to the hard limit at startup. This prevents
“Too many open files” errors when Vector monitors large numbers of log files. On
macOS, Vector falls back to the kernel-enforced per-process file limit if the hard
limit is too high.--max-decompressed-size-bytes or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES. Affected sources: http_server, heroku_logs, prometheus_pushgateway, prometheus_remote_write, datadog_agent, splunk_hec, aws_kinesis_firehose, fluent, logstash, vector, and opentelemetry (both its HTTP and gRPC modes). The datadog_agent, splunk_hec, and aws_kinesis_firehose sources additionally now cap the size of the raw (compressed) request body they buffer in memory before decompression, matching http_server and opentelemetry; oversized requests are rejected with 413 Payload Too Large instead of being read into memory unbounded. Relatedly, zstd decoders across all affected sources now also bound the decoder’s internal window allocation, derived from the decompressed-size cap (and for HTTP-based sources, additionally clamped to the 8 MB ceiling suggested by RFC 9659), so a crafted frame can no longer declare a large Window_Size and drive a big allocation before the cap has a chance to trip.tokio tasks now correctly inherits the owning component’s tags (component_id, component_kind, component_type). Previously, several components spawned background tasks without propagating the tracing span, so some internal events emitted from those tasks were missing their component tags. Affected emissions include the datadog_logs sink’s component_discarded_events_total (events too large to encode), the gcp_pubsub source’s component_errors_total/component_discarded_events_total from its per-stream tasks, and the splunk_hec sinks’ acknowledgement-handling component_errors_total.statsd source when a gauge metric value begins with a multi-byte UTF-8 character. The invalid value now returns a parse error instead.xxhash and seahash results) to their least-significant digits. Results are now serialized with full precision instead of being coerced to JavaScript floating-point numbers.WebSocketMessageReceived internal event emitted by the websocket source: the protocol field was previously misspelled as protcol. Users filtering on this field in trace-level logs should update their queries accordingly.${VAR} references in config files automatically. To restore the previous behavior, pass --dangerously-allow-env-var-interpolation (or set VECTOR_DANGEROUSLY_ALLOW_ENV_VAR_INTERPOLATION=true). The --disable-env-var-interpolation flag and VECTOR_DISABLE_ENV_VAR_INTERPOLATION environment variable have been removed.Sinks that accept {{ field }} references in routing templates now enforce a
confinement boundary: the rendered value must stay within the literal prefix
declared in the template. Templates with no literal prefix (e.g.
key_prefix: "{{ host }}/") are rejected at startup. The file sink is the
only exception: its base_dir config field can provide an explicit
confinement root for path templates with no usable literal prefix.
Any sink that includes a templated config field can be affected.
The file sink gains a base_dir config field to set the confinement root
explicitly when the path template has no usable literal prefix.
HTTP-family templates: HTTP/HTTPS URI templates that use {{ field }}
references must not contain ? or #. A field-rendered value could smuggle
additional query parameters or fragments into the rendered URI. Fully static URI
templates (no {{ }}) with a query string or fragment are still accepted.
Dynamic query or fragment segments (e.g.
https://api.internal/ingest?tenant={{ tenant }}) are rejected at startup.
Templated request.headers values are also confined for HTTP-family sinks.
Opt-out: set dangerously_allow_unconfined_template_resolution: true on
the affected sink to disable all confinement checks for that sink β both at
startup and at runtime. Vector logs a warning per template on startup and sets
vector_security_confinement_disabled{component_type=...} to 1.
Observability:
component_errors_total{error_type="confinement_failed"} β increments on
each violation; events that trigger it are dropped.vector_security_confinement_disabled β set to 1 while a sink is running
with confinement disabled.parse_regex, allowing variables and runtime expressions to be passed as the pattern argument.strict parameter to parse_cef (default: true). When set to false, the function performs best-effort parsing of non-compliant CEF input, treating unescaped = characters within field values as literals rather than field delimiters. This improves compatibility with vendors such as Infoblox and Palo Alto Networks whose CEF output does not fully conform to the spec.parse_regex and parse_regex_all by pre-computing capture group names and indices at compile time, replacing name-based hash lookups with direct index-based access at runtime.truncate function if suffix parameter is provided.parse_regex_all when using a literal regex pattern in concurrent workloads.parse_key_value, parse_cef, decode_mime_q, and parse_ruby_hash on inputs with lines β₯ 65,535 bytes. This is a workaround until rust-bakery/nom#1867 is fixed.findβs type definition and documentation. Previously, the function advertised its return type as an integer, but never as nullable. Now it correctly states that the function returns null when value doesnβt match pattern.Sign up to receive emails on the latest Vector content and new releases
Thank you for joining our Updates Newsletter