Fluent Bit 5.0.2: Azure Blob Path Templating, eBPF VFS Tracing, and OAuth Hardening

Fluent Bit 5.0.2 is now available, delivering targeted improvements for cloud-native observability pipelines. Released on April 1, 2026, this maintenance release focuses on three critical areas: storage output flexibility, system-level observability via eBPF, and authentication resilience. These updates reflect fluent Bit’s continued evolution as a lightweight yet powerful log processor for modern infrastructure.

Azure Blob Path Templating

The Azure Blob output plugin now supports path templating comparable to S3, letting you organize log data using variables like timestamps, container names, and custom fields. This brings parity between cloud storage backends and simplifies multi-cloud observability strategies where teams need consistent data lakes across different providers.

Prior to this release, Azure Blob users faced a limitation: blob names followed a rigid structure without the flexibility to organize by date hierarchy, application name, or custom metadata. The new templating support resolves this by introducing strftime-compatible format strings and environment variable expansion.

Example configuration:

[OUTPUT]
    Name                  azure_blob
    Match                 *
    Path                  /logs/%Y/%m/%d/%H/${HOSTNAME}/
    Container             my-container
    Account_Name          myaccount
    Shared_Key            ${AZURE_BLOB_KEY}

# Result: /logs/2026/04/01/14/server-01/app.log

This feature enables automatic partitioning by time, which significantly improves query performance when using tools like Azure Data Explorer or Databricks to analyze historical log data. Organizations can now enforce consistent retention policies at the blob container level while maintaining logical organization.

eBPF VFS Tracing for Container Security

The new in_ebpf input plugin adds VFS (Virtual File System) tracing support, enabling kernel-level visibility into file operations without the overhead of traditional kernel modules. For containerized workloads, this means tracing file opens, reads, writes, and closes across namespaces with minimal performance impact.

eBPF has become the standard for cloud-native observability, allowing safe execution of sandboxed programs in the Linux kernel. The VFS layer sits between user-space applications and the underlying filesystem implementations, meaning Fluent Bit can now monitor file activity regardless of whether files are stored on ext4, XFS, tmpfs, or network filesystems.

Practical use cases for VFS tracing include:

• Anomalous file access detection: Monitor for unexpected file reads in sensitive directories like /etc/shadow, application configuration files, or database credential stores
• Security auditing: Maintain audit trails of which processes access which files, critical for compliance requirements in regulated industries
• IO performance analysis: Identify applications causing excessive file operations that may impact node performance
• Supply chain security: Track file modifications in build environments to detect unauthorized changes

The eBPF approach offers advantages over traditional auditd: lower overhead, access to richer kernel context, and the ability to attach to probes without modifying kernel code or loading kernel modules.

OAuth2 Token Hardening

Token refresh parsing now includes hardened validation, closing edge cases in token expiration handling that could cause intermittent authentication failures during high-throughput log shipping scenarios. This improvement applies to all output plugins using OAuth2 flows including OpenTelemetry, HTTP, and cloud provider destinations.

The fix addresses race conditions where multiple concurrent refresh requests could result in expired tokens being used temporarily, causing intermittent 401 errors. Now, token state is synchronized properly, ensuring that only valid tokens are used for authentication.

Additional Bug Fixes and Improvements

• AWS Arrow compression: Proper block sizing for Arrow-based compression, improving throughput when shipping to destinations that support Apache Arrow format
• Azure Kusto stability: Fixed SIGSEGV crashes and resource handle leaks that could accumulate during long-running exports to Azure Data Explorer
• Windows build improvements: VS Build Tools installation fixes in Dockerfiles, making Windows container builds more reliable in CI/CD pipelines
• OAuth2 hardening: Better handling of malformed token responses from identity providers

Deployment and Upgrade Path

Fluent Bit 5.0.2 is a drop-in replacement for existing 5.x deployments. Container images are available via Docker Hub (fluent/fluent-bit) and GitHub Container Registry (ghcr.io/fluent/fluent-bit).

For teams planning to use eBPF VFS tracing, note the requirements:

• Privileged container access (--privileged or CAP_BPF capability)
• Linux kernel headers on the host system
• Kernel version 5.8+ recommended for full eBPF feature support
• Compatible with containerd, CRI-O, and Docker runtimes

For large-scale log aggregation deployments, the Azure Blob path templating alone can simplify data lake organization significantly, while eBPF tracing opens new avenues for security observability without requiring sidecar containers or node agents.

Sources

• Fluent Bit v5.0.2 Release Notes (GitHub, published Apr 1, 2026)
• Fluent Bit 5.0.2 Announcement (fluentbit.io)