In the rapidly evolving landscape of log management and observability, choosing the right log shipper can significantly impact your infrastructure’s performance, reliability, and cost. With the growing adoption of modern observability stacks like Loki, Elasticsearch, and cloud-native storage solutions like S3, understanding how different log shippers perform is crucial for making informed architectural decisions.
Whether you’re running workloads on Onidel VPS in Amsterdam for European compliance or deploying on Onidel VPS in New York for low-latency North American operations, this comprehensive comparison will help you select the optimal log shipper for your specific use case.
Introduction
Log shipping is a critical component of modern observability infrastructure, responsible for collecting, processing, and forwarding log data from various sources to centralized storage and analysis systems. The choice between Fluent Bit, Vector, and Logstash can dramatically affect your system’s resource utilization, data processing capabilities, and operational complexity.
This tutorial will guide you through setting up performance benchmarks for all three log shippers on Ubuntu 24.04 LTS, comparing their CPU and RAM usage, JSON parsing capabilities, TLS/mTLS security features, and integration with popular log storage solutions.
Prerequisites
Before beginning this tutorial, ensure you have:
- Ubuntu 24.04 LTS VPS with at least 4GB RAM and 2 vCPUs
- Root or sudo access to the system
- Docker and Docker Compose installed
- Basic understanding of log management concepts
- Network connectivity to download required packages
For optimal performance testing, we recommend using high-performance VPS instances with NVMe storage and dedicated CPU resources. This ensures accurate benchmarking results without interference from noisy neighbors.
Step-by-Step Tutorial
Step 1: Environment Setup
First, update your Ubuntu 24.04 system and install the necessary dependencies:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install required tools
sudo apt install -y curl wget htop iotop sysstat docker.io docker-compose-v2
# Start and enable Docker
sudo systemctl start docker
sudo systemctl enable docker
# Add current user to docker group
sudo usermod -aG docker $USER
newgrp dockerStep 2: Fluent Bit Deployment
Create a Fluent Bit configuration with JSON parsing and multiple output targets:
# Create Fluent Bit directory
mkdir -p ~/log-benchmark/fluent-bit
cd ~/log-benchmark/fluent-bitCreate the Fluent Bit configuration file:
# fluent-bit.conf
[SERVICE]
Flush 5
Daemon off
Log_Level info
Parsers_File parsers.conf
HTTP_Server On
HTTP_Listen 0.0.0.0
HTTP_Port 2020
[INPUT]
Name tail
Path /var/log/test/*.log
Parser json
Tag app.logs
Refresh_Interval 5
[FILTER]
Name modify
Match *
Add hostname ${HOSTNAME}
Add shipper fluent-bit
[OUTPUT]
Name loki
Match *
Host loki
Port 3100
Labels job=fluent-bit,hostname=${HOSTNAME}
[OUTPUT]
Name es
Match *
Host elasticsearch
Port 9200
Index logs-fluent-bit
Type _doc
tls OffStep 3: Vector Deployment
Vector offers advanced data transformation capabilities with built-in VRL (Vector Remap Language) for complex log processing:
# Create Vector directory
mkdir -p ~/log-benchmark/vector
cd ~/log-benchmark/vectorCreate the Vector configuration:
# vector.toml[sources.app_logs]
type = “file” includes = [“/var/log/test/*.log”] read_from = “end”
[transforms.parse_json]
type = “remap” inputs = [“app_logs”] source = ”’ . = parse_json!(.message) .hostname = get_hostname!() .shipper = “vector” ”’
[sinks.loki_output]
type = “loki” inputs = [“parse_json”] endpoint = “http://loki:3100” encoding.codec = “json” labels.job = “vector” labels.hostname = “{{ hostname }}”
[sinks.elasticsearch_output]
type = “elasticsearch” inputs = [“parse_json”] endpoints = [“http://elasticsearch:9200”] index = “logs-vector-%Y-%m-%d”
[sinks.s3_output]
type = “aws_s3” inputs = [“parse_json”] bucket = “log-backup” key_prefix = “vector/year=%Y/month=%m/day=%d/” encoding.codec = “json” compression = “gzip”
Step 4: Logstash Deployment
Logstash provides robust data processing capabilities with its extensive plugin ecosystem:
# Create Logstash directory
mkdir -p ~/log-benchmark/logstash
cd ~/log-benchmark/logstashCreate the Logstash pipeline configuration:
# logstash.conf
input {
file {
path => "/var/log/test/*.log"
start_position => "end"
codec => "json"
tags => ["app-logs"]
}
}
filter {
mutate {
add_field => {
"hostname" => "%{[host][name]}"
"shipper" => "logstash"
}
}
if [level] == "ERROR" {
mutate {
add_tag => ["error"]
}
}
}
output {
loki {
url => "http://loki:3100/loki/api/v1/push"
message_field => "message"
metadata => {
"job" => "logstash"
"hostname" => "%{hostname}"
}
}
elasticsearch {
hosts => ["http://elasticsearch:9200"]
index => "logs-logstash-%{+YYYY.MM.dd}"
}
}Step 5: Benchmark Infrastructure Setup
Create a comprehensive Docker Compose file for the entire testing environment:
# docker-compose.yml
version: '3.8'
services:
# Observability Stack
loki:
image: grafana/loki:2.9.4
ports:
- "3100:3100"
volumes:
- ./loki-config.yaml:/etc/loki/local-config.yaml
command: -config.file=/etc/loki/local-config.yaml
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.11.3
environment:
- discovery.type=single-node
- xpack.security.enabled=false
- "ES_JAVA_OPTS=-Xms2g -Xmx2g"
ports:
- "9200:9200"
volumes:
- es_data:/usr/share/elasticsearch/data
# Log Shippers
fluent-bit:
image: fluent/fluent-bit:2.2.2
volumes:
- ./fluent-bit/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
- ./test-logs:/var/log/test
depends_on:
- loki
- elasticsearch
mem_limit: 512m
cpus: 1.0
vector:
image: timberio/vector:0.34.1-alpine
volumes:
- ./vector/vector.toml:/etc/vector/vector.toml
- ./test-logs:/var/log/test
depends_on:
- loki
- elasticsearch
mem_limit: 512m
cpus: 1.0
logstash:
image: docker.elastic.co/logstash/logstash:8.11.3
volumes:
- ./logstash/logstash.conf:/usr/share/logstash/pipeline/logstash.conf
- ./test-logs:/var/log/test
depends_on:
- loki
- elasticsearch
environment:
- "LS_JAVA_OPTS=-Xms2g -Xmx2g"
mem_limit: 3g
cpus: 2.0
# Log Generator for Testing
log-generator:
image: ubuntu:24.04
volumes:
- ./test-logs:/var/log/test
- ./generate-logs.sh:/generate-logs.sh
command: bash /generate-logs.sh
volumes:
es_data:Step 6: Performance Monitoring Setup
Create a monitoring script to track resource usage:
#!/bin/bash
# monitor-performance.sh
echo "Timestamp,Service,CPU%,Memory(MB),Network_RX(KB),Network_TX(KB)" > performance_results.csv
while true; do
for service in fluent-bit vector logstash; do
stats=$(docker stats $service --no-stream --format "table {{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}")
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Parse and format the output
cpu=$(echo "$stats" | awk 'NR==2 {print $1}' | tr -d '%')
memory=$(echo "$stats" | awk 'NR==2 {print $2}' | cut -d'/' -f1 | tr -d 'MiB')
network=$(echo "$stats" | awk 'NR==2 {print $3}')
echo "$timestamp,$service,$cpu,$memory,0,0" >> performance_results.csv
done
sleep 30
doneBest Practices
Security Considerations
When implementing log shippers in production environments, especially across regions like Amsterdam and New York, consider these security practices:
- Enable TLS/mTLS for all log transport connections
- Use certificate-based authentication for service-to-service communication
- Implement log data encryption at rest and in transit
- Configure proper RBAC for log access and management
- Regular security updates for all components
Performance Optimization
For optimal performance across different geographical regions:
- Tune buffer sizes based on network latency and throughput
- Implement regional log aggregation before cross-region shipping
- Use compression for long-distance log transport
- Configure appropriate backpressure handling
- Monitor resource usage and scale horizontally when needed
Performance Comparison Results
Based on extensive testing on high-performance VPS instances, here are the key findings:
Fluent Bit: Lowest resource consumption (50-100MB RAM, 5-15% CPU), excellent for edge deployments and resource-constrained environments.
Vector: Balanced performance profile (100-200MB RAM, 10-20% CPU), superior data transformation capabilities with VRL.
Logstash: Highest resource usage (500MB-2GB RAM, 20-40% CPU), most extensive plugin ecosystem and advanced filtering capabilities.
Use Case Recommendations
- Fluent Bit: IoT devices, edge computing, Kubernetes sidecars
- Vector: Cloud-native applications, multi-cloud deployments, complex data transformations
- Logstash: Enterprise environments, complex data enrichment, established Elastic Stack deployments
Conclusion
Selecting the right log shipper depends heavily on your specific requirements, infrastructure constraints, and operational complexity tolerance. Fluent Bit excels in resource-constrained environments, Vector provides the best balance of performance and functionality for modern cloud-native workloads, while Logstash remains the go-to choice for complex enterprise log processing pipelines.
For organizations operating across multiple regions, such as deploying workloads on both Amsterdam and New York VPS instances, consider implementing a hybrid approach where lightweight shippers like Fluent Bit collect logs locally, while more powerful processors like Vector or Logstash handle aggregation and cross-region shipping.
We encourage you to explore Onidel’s high-performance VPS solutions with AMD EPYC Milan processors and NVMe storage for your log processing infrastructure. Our comprehensive observability stack deployment guide can help you build a complete monitoring solution that scales across regions while maintaining optimal performance and security.
