Fluent Bit vs Fluentd vs Vector β Log Collectors for Kubernetes 2026
Choosing a log collector for Kubernetes? Fluent Bit, Fluentd, and Vector each handle log collection differently. Here's the practical comparison with resource usage and config examples.
Every Kubernetes cluster needs log collection. Three tools dominate β and the right choice depends on your scale, complexity, and existing stack.
Quick Decision
| If you... | Use... |
|---|---|
| Want lightest resource footprint | Fluent Bit |
| Need complex routing/transformation | Fluentd |
| Want modern config + multi-source | Vector |
| Already on Datadog/Splunk | Fluent Bit β their backend |
| Self-hosted Loki stack | Fluent Bit (Grafana maintained) |
Fluent Bit
Written in C. Minimal memory footprint. Designed for edge and containers.
Resource Usage
- Memory: 1β5 MB per node (vs Fluentd's 50β100 MB)
- CPU: Very low
- Image size: ~20 MB
Kubernetes DaemonSet
# Minimal Fluent Bit config for Kubernetes β Loki
apiVersion: v1
kind: ConfigMap
metadata:
name: fluent-bit-config
namespace: logging
data:
fluent-bit.conf: |
[SERVICE]
Flush 1
Log_Level info
Parsers_File parsers.conf
[INPUT]
Name tail
Tag kube.*
Path /var/log/containers/*.log
Parser docker
DB /var/log/flb_kube.db
Mem_Buf_Limit 5MB
Skip_Long_Lines On
Refresh_Interval 10
[FILTER]
Name kubernetes
Match kube.*
Kube_URL https://kubernetes.default.svc:443
Merge_Log On
Keep_Log Off
K8S-Logging.Parser On
[OUTPUT]
Name loki
Match kube.*
Host loki.logging.svc.cluster.local
Port 3100
Labels job=fluentbit, namespace=$kubernetes['namespace_name']
Auto_kubernetes_labels Onhelm repo add fluent https://fluent.github.io/helm-charts
helm install fluent-bit fluent/fluent-bit \
-n logging --create-namespace \
-f fluent-bit-values.yamlStrengths
- Lowest resource usage of the three
- Grafana maintains official KubernetesβLoki integration
- Fast Lua filter for custom transformations
- Built-in Kubernetes metadata enrichment
Weaknesses
- Ruby-style plugins not available
- Complex routing requires workarounds
- Less flexible than Fluentd for complex transformations
Fluentd
Written in Ruby. Battle-tested since 2011. 1,000+ plugins.
Resource Usage
- Memory: 50β100 MB (JRuby GC overhead)
- CPU: Moderate
- Image size: ~200 MB with common plugins
Config Example
# Fluentd config: collect, parse, enrich, route to multiple backends
<source>
@type tail
path /var/log/containers/*.log
tag kubernetes.*
<parse>
@type json
time_format %Y-%m-%dT%H:%M:%S.%NZ
</parse>
</source>
<filter kubernetes.**>
@type kubernetes_metadata
watch false
</filter>
# Route errors to Elasticsearch, all logs to S3
<match kubernetes.**>
@type copy
<store>
@type elasticsearch
host elasticsearch.logging.svc.cluster.local
port 9200
logstash_format true
<filter>
@type grep
regexp1 message ERROR|WARN
</filter>
</store>
<store>
@type s3
s3_bucket my-logs-bucket
s3_region us-east-1
path logs/%Y/%m/%d/
<buffer time>
timekey 1h
timekey_wait 10m
</buffer>
</store>
</match>Strengths
- 1,000+ plugins (Elasticsearch, Kafka, Kinesis, Splunk, everything)
- Complex routing, filtering, transformation
- Best choice for heterogeneous log destinations
- Huge community, mature
Weaknesses
- High memory usage β not great for many small nodes
- Ruby gems can conflict
- Slower config iteration vs modern tools
Best for
Teams with complex routing requirements or specific plugin needs.
Vector
Written in Rust. Modern architecture. Handles logs AND metrics AND traces.
Resource Usage
- Memory: 10β30 MB (Rust efficiency)
- CPU: Very efficient
- Image size: ~100 MB (includes all functionality)
Config Example
# Vector config: TOML-based, composable
[sources.kubernetes_logs]
type = "kubernetes_logs"
[transforms.enrich]
type = "remap"
inputs = ["kubernetes_logs"]
source = '''
# VRL (Vector Remap Language) β powerful transformation
.namespace = .kubernetes.pod_namespace
.pod = .kubernetes.pod_name
.container = .kubernetes.container_name
# Parse JSON logs if they exist
if is_string(.message) {
parsed, err = parse_json(.message)
if err == null {
.message = parsed
}
}
'''
[transforms.filter_noise]
type = "filter"
inputs = ["enrich"]
condition = '!includes(["healthz", "/metrics"], .message.path ?? "")'
[sinks.loki]
type = "loki"
inputs = ["filter_noise"]
endpoint = "http://loki.logging.svc.cluster.local:3100"
labels.namespace = "{{ namespace }}"
labels.pod = "{{ pod }}"
[sinks.s3_archive]
type = "aws_s3"
inputs = ["filter_noise"]
bucket = "my-logs-archive"
region = "us-east-1"
key_prefix = "logs/{{ namespace }}/{{ now() | strftime(\"%Y/%m/%d\") }}/"
compression = "gzip"Strengths
- Modern Rust implementation = low memory, high throughput
- VRL (Vector Remap Language) β most powerful transformation DSL
- Handles logs + metrics + traces in one binary
- Excellent observability of the pipeline itself (internal metrics)
- Active development, growing fast
Weaknesses
- Smaller plugin ecosystem than Fluentd
- VRL has a learning curve
- Newer, less battle-tested than Fluentd
Best for
New deployments, teams wanting a modern unified observability pipeline.
Resource Comparison (per node, typical Kubernetes workload)
| Fluent Bit | Fluentd | Vector | |
|---|---|---|---|
| Memory | 2β5 MB | 50β100 MB | 10β30 MB |
| CPU (idle) | 0.01 cores | 0.05 cores | 0.02 cores |
| Startup time | Fast | Slow (JRuby) | Fast |
| Throughput | 100K events/s | 10K events/s | 1M events/s |
My recommendation for 2026:
- Fluent Bit for most Kubernetes clusters β lowest overhead, great Loki integration, Grafana maintained
- Vector for new projects wanting a unified telemetry pipeline
- Fluentd when you need a specific plugin that doesn't exist elsewhere
Learn log aggregation setup on Kubernetes at KodeKloud.
Today I Fixed
Short real fixes from production β posted daily
Stay ahead of the curve
Get the latest DevOps, Kubernetes, AWS, and AI/ML guides delivered straight to your inbox. No spam β just practical engineering content.
Related Articles
AI-Powered Kubernetes Anomaly Detection: Beyond Static Thresholds
Static alerts miss 40% of real incidents. Learn how AI and ML-based anomaly detection β using tools like Prometheus + ML, Dynatrace, and custom LLM runbooks β catches what thresholds can't.
Build an AI-Powered SLO Breach Predictor with Claude and Prometheus
Build an SLO breach predictor that reads error budget burn rate from Prometheus, uses Claude to analyze patterns, and sends Slack alerts before SLOs breach β not after.
Build an AI Alert Classifier for Grafana Using LLMs (2026)
Tired of noisy Grafana alerts that wake you up for nothing? Build an AI layer that classifies incoming alerts as actionable or noise, enriches them with context, and routes them intelligently β using Claude or GPT-4 as the reasoning engine.