Choosing between Fluent Bit and Fluentd is an architecture decision, not a product shootout. Both projects live under the CNCF Fluent umbrella and share a common lineage at Treasure Data, but they target different roles in a logging pipeline. Fluent Bit is a C-based telemetry agent designed for low-overhead collection at the edge. Fluentd is a Ruby-and-C data collector built for aggregation, transformation, and multi-destination routing.
The practical question is not which one is better — it’s where each one belongs in your stack, and whether you need both.
TL;DR comparison
The table below summarizes the key differences between Fluent Bit and Fluentd.
| Dimension | Fluent Bit | Fluentd |
|---|---|---|
Primary language |
C |
Ruby (performance-critical parts in C) |
Typical memory footprint |
~1 MB baseline; 15-30 MB under load (Fluent Bit docs) |
~40 MB baseline; 100 MB+ with heavy plugin use (Fluentd docs) |
Plugin model |
~80 built-in plugins compiled into the binary (fluentbit.io) |
500+ community gems installed separately (fluentd.org) |
Signal types |
Logs, metrics, and traces |
Logs (metrics via plugins) |
CNCF status |
Graduated sub-project under Fluentd |
Graduated project |
Typical deployment role |
Node-level forwarder (Kubernetes DaemonSet, edge agent) |
Central aggregator/processor |
Buffering |
Memory and filesystem; configurable backpressure with |
Memory and file-based; chunk-level retry with configurable overflow actions |
Configuration format |
Classic INI-style or YAML (v4.x) |
Ruby DSL ( |
Current version (as of early 2026) |
v4.2.x (GitHub) |
v1.19.x / Fluent Package v6 LTS (GitHub) |
License |
Apache 2.0 |
Apache 2.0 |
Architecture and deployment
Fluent Bit
Fluent Bit compiles all its plugins into a single static binary with zero external runtime dependencies. This is the core reason it stays small: no Ruby interpreter, no gem management, no dynamic plugin loading at startup. The pipeline follows a linear flow — Input → Parser → Filter → Output — with each stage running inside the same process.
Fluent Bit runs on Linux, Windows, macOS, and BSD.
In Kubernetes, teams deploy it as a DaemonSet that tails container logs via the in_tail or in_kubernetes_events input and forwards them upstream.
Since v4.0, Fluent Bit supports YAML configuration natively alongside the older INI format, and v4.2 introduced label-based direct routing for more granular control over data flow.
Fluent Bit also collects metrics and traces, positioning it as a general telemetry agent rather than a log-only forwarder. It supports OpenTelemetry input and output natively, which matters if you’re converging on OTel as a transport standard.
Fluentd
Fluentd’s architecture splits into a Ruby core and a gem-based plugin system. Inputs, filters, and outputs are separate Ruby gems that you install after deployment. This makes the plugin library large (500+ on rubygems.org) and easy for anyone with Ruby experience to extend, but it also introduces dependency management overhead: gem version conflicts, Ruby version requirements, and plugin compatibility checks on every upgrade.
Fluentd runs on Linux, Windows, and macOS. The recommended deployment path is Fluent Package (formerly td-agent), which bundles a pinned Ruby runtime and Fluentd together. Fluent Package v6 LTS, released in 2025, will be supported until at least the end of 2027.
In most architectures, Fluentd runs as a centralized aggregation tier — a small cluster of instances that receives forwarded events, applies transforms (parsing, enrichment, field renaming), and routes to one or more destinations such as Elasticsearch, S3, Kafka, or a SIEM.
Performance and resource consumption
The resource gap between the two tools is the single largest factor in the Fluent Bit vs Fluentd decision for node-level deployment.
Fluent Bit’s all-C implementation keeps its baseline memory around 1 MB and scales modestly under production load. AWS published a benchmark on their blog, comparing the Fluent Bit and Fluentd plugins for CloudWatch and Kinesis Firehose on a c5.9xlarge instance. Their results showed Fluentd consuming roughly 4x the CPU and 4-6x the memory of Fluent Bit for the same workload. A CNCF migration guide from October 2025 states that Fluent Bit can process 10-40x more log volume per unit of resource than Fluentd, depending on the plugin in use.
At scale, this gap compounds. If you run 500 Kubernetes nodes, the difference between a 15 MB agent and a 100 MB agent is ~42 GB of cluster RAM — enough to justify the engineering effort of migration on its own.
Where the comparison flips: Fluentd’s higher resource consumption buys processing flexibility. Complex transforms, conditional routing across many outputs, and Ruby-based custom logic all favor Fluentd when it runs centrally on dedicated hardware with headroom to spare. The cost of 100 MB of RAM on two or three aggregator nodes is negligible.
When both tools appear in the same pipeline, NXLog Platform can serve as an additional collection and preprocessing layer — especially useful for mixed estates that include syslog sources, Windows Event Logs, and other non-containerized inputs that neither Fluent Bit nor Fluentd handles natively without extra configuration.
Plugins and extensibility
Fluentd’s plugin count is its biggest functional advantage. With 500+ community plugins, it covers niche outputs (custom databases, legacy SIEM connectors, specialized SaaS APIs) that Fluent Bit does not. Writing a new Fluentd plugin requires Ruby knowledge and follows a well-documented class-based structure, which lowers the barrier for teams that already operate Ruby in production.
Fluent Bit ships approximately 80 built-in plugins that cover the most common inputs (tail, syslog, TCP, systemd, MQTT, OpenTelemetry) and outputs (Elasticsearch, OpenSearch, Kafka, S3, Splunk, Datadog, Loki, and others).
Because these plugins compile into the binary, they avoid the runtime overhead of dynamic loading — but adding a new plugin means writing C (or experimentally, Zig as of v4.0) and recompiling.
Fluent Bit also supports Lua-based filters for lightweight transforms without a full rebuild.
If you need a specific output connector and it only exists as a Fluentd gem, that may settle the question for your aggregation tier regardless of other factors.
Buffering, backpressure, and reliability
Both tools support memory and filesystem buffering, but the defaults and failure modes differ.
Fluent Bit exposes Mem_Buf_Limit per input, which caps how much data an input can hold before triggering backpressure.
When the limit is reached, Fluent Bit pauses ingestion from that input — it does not drop events silently, but it will stop reading until downstream catches up.
Filesystem buffering is available for persistent storage across restarts.
Fluentd uses a chunk-based buffer model.
Each output has its own buffer configuration with flush_interval, retry_max_times, overflow_action (which can throw away, block, or drop the oldest chunk), and optional file-backed persistence.
Fluentd v1.19 introduced a buffer evacuation feature that preserves failed chunks for later recovery instead of discarding them.
The operational difference: Fluent Bit’s model is simpler to configure but gives you fewer recovery options when the destination is down for an extended period. Fluentd’s model is more complex but offers finer control over what happens to data during prolonged outages. If your compliance requirements mandate zero data loss across network disruptions, Fluentd’s buffer evacuation and secondary output features provide more explicit guarantees.
Multiline parsing
Multiline log parsing (Java stack traces, Python tracebacks, Go panics) is a common source of production problems in both tools. The failure mode is the same: stack trace lines arrive as separate events, producing noise downstream and breaking correlation.
Fluent Bit supports multiline parsing through dedicated multiline parsers that you define with start and continuation patterns.
Since v2.x, Fluent Bit includes built-in multiline definitions for common formats (Java, Python, Go).
Fluentd handles multiline through the in_tail plugin’s multiline format or via the fluent-plugin-concat filter.
Neither tool solves multiline reliably under all conditions — ordering and timing in distributed systems are inherently unpredictable. The most durable mitigation is to emit structured logs (single-line JSON with embedded stack traces) at the application layer, which removes the problem from the collector entirely.
Use-case scenarios
Kubernetes-native platform team, 500 nodes, 1 TB/day, 3 SREs. Fluent Bit as a DaemonSet on every node, forwarding to a central destination (Elasticsearch, Loki, or a managed service). The memory savings at 500 nodes are significant, and the team avoids managing Ruby dependencies on every node. If routing logic is complex, add a small Fluentd aggregation tier centrally.
Regulated enterprise, 200 GB/day, mixed OS estate (Linux, Windows, network devices), 2 ops engineers. Fluentd centrally for its plugin breadth and buffer guarantees, with lightweight forwarders at the edge. For Windows Event Log and syslog collection where native coverage matters, NXLog Platform can collect and normalize events before forwarding to the Fluentd aggregation layer — reducing the configuration burden on the central tier.
Startup, 50 GB/day, Kubernetes-only, 1 engineer. Fluent Bit directly to a managed log backend (Datadog, Grafana Cloud, or AWS CloudWatch). No aggregation tier needed. Keep the pipeline as simple as possible.
Large SOC, 5 TB/day, multiple SIEM destinations, dedicated logging team. Fluent Bit on nodes for collection, Fluentd centrally for conditional routing to different SIEMs by log type. This is the classic forwarder-aggregator pattern, and it works because each tool operates in its strength zone. Teams with heterogeneous log sources (syslog appliances, Windows servers, cloud audit logs) can add NXLog Platform as a normalization layer before the Fluentd tier.
Migration from legacy Fluentd-everywhere deployment. Run Fluent Bit in parallel on nodes, compare output schema and volume against existing Fluentd forwarders, and cut over per namespace. Expect the migration to involve config translation and plugin parity checks — not a drop-in replacement.
Conclusion
The Fluent Bit vs Fluentd decision maps cleanly to the pipeline role.
For node-level collection — Kubernetes DaemonSets, edge agents, resource-constrained hosts — Fluent Bit is the stronger choice. Its C-based binary, sub-30 MB working memory, and native OTel support make it the more efficient forwarder at scale. If your environment is Kubernetes-only and your routing rules are straightforward, Fluent Bit alone may be sufficient end to end.
For central aggregation and processing — complex transforms, multi-destination routing, integration with niche systems — Fluentd remains the more flexible option. Its plugin library covers more destinations, its Ruby-based extensibility lowers the barrier for custom logic, and its buffer management offers stronger data preservation during outages. The operational cost is higher (Ruby dependency management, larger memory footprint), but that cost is isolated to a small number of central nodes.
For mixed estates that combine Kubernetes, bare-metal Linux, Windows, and network devices, the forwarder-aggregator pattern (Fluent Bit on nodes, Fluentd centrally) handles most requirements. Where heterogeneous source types need consistent parsing before reaching the aggregation tier, a dedicated collection layer is worth evaluating.
The worst outcome is deploying complex processing logic on every node. Keep agents light, centralize routing, and treat multiline parsing and buffer behavior as testable requirements — not assumptions.
