The AWS S3 sink stores observability events in Amazon S3 buckets. It supports automatic partitioning, multiple compression algorithms, and flexible file naming strategies.
Configuration [ sinks . s3 ] type = "aws_s3" inputs = [ "my_source" ] # S3 bucket configuration bucket = "my-logs-bucket" key_prefix = "logs/date=%F/" # AWS region region = "us-east-1" # Authentication auth.access_key_id = "${AWS_ACCESS_KEY_ID}" auth.secret_access_key = "${AWS_SECRET_ACCESS_KEY}" # Encoding and compression encoding.codec = "json" compression = "gzip" # Batching batch.max_bytes = 10485760 # 10MB batch.timeout_secs = 300
Core Parameters The S3 bucket name. Must not include a leading s3:// or trailing /. bucket = "my-logs-bucket"
Prefix to apply to all object keys. Supports template syntax and strftime date formatting. Use a trailing / to create a directory-like structure. # Date-based partitioning key_prefix = "date=%F/hour=%H/" # Hierarchical structure key_prefix = "year=%Y/month=%m/day=%d/" # Template-based key_prefix = "application_id={{ application_id }}/date=%F/" # Service-based key_prefix = "service={{ service }}/environment={{ env }}/"
AWS region where the S3 bucket is located. region = "us-east-1" region = "eu-west-1"
Custom S3-compatible endpoint (for S3-compatible storage). endpoint = "https://s3.custom.com"
Authentication The S3 sink supports multiple AWS authentication methods:
AWS access key ID for authentication.
AWS secret access key for authentication.
ARN of an IAM role to assume for authentication.
Static Credentials [ sinks . s3 . auth ] access_key_id = "${AWS_ACCESS_KEY_ID}" secret_access_key = "${AWS_SECRET_ACCESS_KEY}"
IAM Role When running on EC2, ECS, or EKS, Vector can automatically use IAM role credentials:
# No auth configuration needed - uses instance profile [ sinks . s3 ] bucket = "my-bucket" region = "us-east-1"
Assume Role [ sinks . s3 . auth ] assume_role = "arn:aws:iam::123456789012:role/VectorS3WriteRole"
External ID [ sinks . s3 . auth ] assume_role = "arn:aws:iam::123456789012:role/VectorS3WriteRole" external_id = "external-id-12345"
File Naming Timestamp format for the time component of object keys using strftime specifiers. Set to empty string to disable timestamp in filename. filename_time_format = "%s" # Unix timestamp: 1658176486 filename_time_format = "%Y%m%d%H%M%S" # 20220718203446 filename_time_format = "" # No timestamp
Append a UUID v4 token to the end of object keys to ensure uniqueness. Useful in high-volume workloads to prevent name collisions. filename_append_uuid = true # Results in: date=2022-07-18/1658176486-30f6652c-71da-4f9f-800d-a1189c47c547.log.gz
Override the file extension. By default, the extension is determined by the compression setting. filename_extension = "json" filename_extension = "log"
Encoding How events are encoded before writing to S3. Options:
json: JSON encoding (one object per line)text: Plain text (one line per event)ndjson: Newline-delimited JSONcsv: CSV formatlogfmt: Logfmt encodingavro: Apache Avro binary formatparquet: Apache Parquet columnar format [ sinks . s3 . encoding ] codec = "json"
Include only specified fields in the output. [ sinks . s3 . encoding ] codec = "json" only_fields = [ "timestamp" , "message" , "level" ]
Exclude specified fields from the output. [ sinks . s3 . encoding ] codec = "json" except_fields = [ "_metadata" , "secret_token" ]
encoding.timestamp_format
Format for timestamp fields. Options: rfc3339, unix, unix_ms, unix_ns. [ sinks . s3 . encoding ] codec = "json" timestamp_format = "unix"
Compression Compression algorithm. Options: none, gzip, zstd, snappy. Compression reduces storage costs and network bandwidth. compression = "gzip" # Good balance of speed and ratio compression = "zstd" # Better compression, slightly slower compression = "none" # No compression
Batching Configure batching to control file size and flush frequency:
batch.max_bytes
integer
default: "10485760"
Maximum size of a batch in bytes before creating a new file (10MB default). [ sinks . s3 . batch ] max_bytes = 52428800 # 50MB
Maximum time to wait before flushing a partial batch (5 minutes default). [ sinks . s3 . batch ] timeout_secs = 60 # Flush every minute
[ sinks . s3 . batch ] max_bytes = 10485760 # 10MB files timeout_secs = 300 # Flush every 5 minutes
S3 Options Advanced S3-specific options:
Canned ACL to apply to created objects. Options: private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control. [ sinks . s3 . options ] acl = "bucket-owner-full-control"
S3 storage class. Options:
STANDARD: Standard storageREDUCED_REDUNDANCY: Reduced redundancyINTELLIGENT_TIERING: Automatic cost optimizationSTANDARD_IA: Infrequent accessONEZONE_IA: One zone infrequent accessGLACIER: Glacier storageGLACIER_IR: Glacier instant retrievalDEEP_ARCHIVE: Glacier deep archive [ sinks . s3 . options ] storage_class = "INTELLIGENT_TIERING"
options.server_side_encryption
Server-side encryption algorithm. Options: AES256, aws:kms. [ sinks . s3 . options ] server_side_encryption = "aws:kms"
KMS key ID for server-side encryption with KMS. Required when server_side_encryption = "aws:kms". Supports template syntax for dynamic key selection. [ sinks . s3 . options ] server_side_encryption = "aws:kms" ssekms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-..."
Tags to apply to created objects. [ sinks . s3 . options . tags ] Environment = "production" Application = "vector" CostCenter = "engineering"
Override the Content-Encoding header. [ sinks . s3 . options ] content_encoding = "gzip"
Override the Content-Type header. [ sinks . s3 . options ] content_type = "application/json"
TLS Configuration Path to CA certificate for custom endpoints. [ sinks . s3 . tls ] ca_file = "/path/to/ca.pem"
Request Configuration Request timeout in seconds.
Number of retry attempts for failed requests.
[ sinks . s3 . request ] timeout_secs = 30 retry_attempts = 3
Advanced Options Use path-style addressing (bucket in path) instead of virtual-hosted style. Required for some S3-compatible services. force_path_style = true # https://s3.custom.com/bucket/key instead of https://bucket.s3.custom.com/key
Complete Examples Basic Configuration [ sinks . s3_logs ] type = "aws_s3" inputs = [ "processed_logs" ] bucket = "my-logs-bucket" key_prefix = "logs/date=%F/" region = "us-east-1" encoding.codec = "json" compression = "gzip" [ sinks . s3_logs . batch ] max_bytes = 10485760 timeout_secs = 300
Partitioned by Service and Date [ sinks . s3_partitioned ] type = "aws_s3" inputs = [ "logs" ] bucket = "prod-logs" key_prefix = "service={{ service }}/date=%Y/%m/%d/" region = "us-west-2" auth.assume_role = "arn:aws:iam::123456789012:role/VectorRole" encoding.codec = "json" compression = "zstd" [ sinks . s3_partitioned . batch ] max_bytes = 52428800 # 50MB timeout_secs = 600
With KMS Encryption [ sinks . s3_encrypted ] type = "aws_s3" inputs = [ "sensitive_logs" ] bucket = "secure-logs-bucket" key_prefix = "encrypted/date=%F/" region = "us-east-1" encoding.codec = "json" compression = "gzip" [ sinks . s3_encrypted . options ] server_side_encryption = "aws:kms" ssekms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-..." storage_class = "STANDARD_IA" [ sinks . s3_encrypted . options . tags ] Classification = "confidential" Retention = "7years"
High-Volume Configuration [ sinks . s3_high_volume ] type = "aws_s3" inputs = [ "metrics" ] bucket = "metrics-bucket" key_prefix = "metrics/year=%Y/month=%m/day=%d/hour=%H/" region = "us-east-1" encoding.codec = "json" compression = "zstd" filename_time_format = "%Y%m%d%H%M%S" filename_append_uuid = true [ sinks . s3_high_volume . batch ] max_bytes = 104857600 # 100MB timeout_secs = 120 [ sinks . s3_high_volume . request ] retry_attempts = 10 timeout_secs = 120 [ sinks . s3_high_volume . options ] storage_class = "INTELLIGENT_TIERING"
S3-Compatible Storage (MinIO) [ sinks . minio ] type = "aws_s3" inputs = [ "logs" ] bucket = "vector-logs" key_prefix = "logs/" endpoint = "https://minio.example.com" region = "us-east-1" # Still required but can be any value force_path_style = true auth.access_key_id = "minioadmin" auth.secret_access_key = "minioadmin" encoding.codec = "json" compression = "gzip"
Troubleshooting Authentication Issues If you encounter authentication errors:
Verify AWS credentials are correct
Check IAM permissions include s3:PutObject on the bucket
Ensure the bucket exists and region is correct
For assume role, verify trust relationships
Object Not Created If objects aren’t appearing in S3:
Check batch timeout - may need to wait for flush
Verify bucket name and region are correct
Review Vector logs for errors
Ensure sufficient data to trigger batch
Increase batch size : Larger files reduce API callsEnable compression : Reduces upload timeAdjust timeout : Balance between latency and file sizeUse multiple sinks : Partition across buckets/prefixesChoose appropriate storage class : Consider access patterns
Best Practices
Use date-based partitioning for easier querying and lifecycle managementEnable compression to reduce storage costs (30-50% savings)Set appropriate batch sizes to balance cost and latencyUse IAM roles instead of static credentials when possibleEnable KMS encryption for sensitive dataAdd meaningful tags for cost tracking and organizationUse Intelligent-Tiering storage class for unknown access patternsConfigure S3 Lifecycle policies to archive or delete old dataEnable S3 versioning for important dataMonitor CloudWatch metrics for S3 API usage
Cost Optimization
Compression : Use gzip or zstd to reduce storage costsBatch size : Larger batches reduce PUT request costsStorage class : Use STANDARD_IA for infrequent accessLifecycle policies : Automatically transition to cheaper storagePartitioning : Makes selective deletion easier
See Also 