Install Vector and create a vector.toml configuration with a sources section; use the journald or file source to collect logs from systemd or log files
Add a transforms section with a remap transform using VRL (Vector Remap Language) to parse JSON or regex patterns: use parse_json() or parse_regex() functions to extract structured fields
Enrich logs by adding fields: use get_env_var() to add environment metadata, or use the geoip enrichment table transform to append geographic data from IP fields
Add a filter transform to drop noisy debug logs matching a condition on the log level field before forwarding to expensive sinks
Define multiple sinks: a datadog_logs sink with api_key = YOUR_KEY for operational logs, and an aws_s3 sink for long-term archive, both consuming from the same enriched transform output
Run vector validate --config vector.toml to check syntax and topology, then start with vector --config vector.toml and monitor via the internal_metrics source and Prometheus sink
Known gotchas
VRL is strict about types; accessing a field that may not exist requires the nullable access operator (.field?) or a default fallback or the transform will emit an error event instead of a log
Vector buffers events in memory by default; configure disk buffers (type = disk) for sinks with slow or unreliable downstream targets to avoid data loss on restart
The order of transforms in the topology matters only via the inputs field; Vector resolves the DAG at startup and will error on cycles, but silent mis-routing due to wrong inputs references is common
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp