diff --git a/services/logging/docker-compose.yml.j2 b/services/logging/docker-compose.yml.j2
index 0fa34c0e..e920d773 100644
--- a/services/logging/docker-compose.yml.j2
+++ b/services/logging/docker-compose.yml.j2
@@ -18,7 +18,7 @@ services:
           memory: 300M
           cpus: "0.1"
     networks:
-      graylog:
+      logging:
         aliases:
           - mongo # needed because of graylog configuration
 
@@ -46,7 +46,7 @@ services:
           memory: 1G
           cpus: "0.1"
     networks:
-      graylog:
+      logging:
   # Graylog: https://hub.docker.com/r/graylog/graylog/
   graylog:
     image: graylog/graylog:6.0.5
@@ -71,12 +71,18 @@ services:
     networks:
       public:
       monitoring:
-      graylog:
+      logging:
         aliases:
           - graylog
     ports:
-    - 12201:12201/udp
-    - 12202:12202/udp
+      - target: 12201
+        published: 12203
+        protocol: tcp
+        mode: host
+      - target: 12202
+        published: 12202
+        protocol: udp
+        mode: host
     deploy:
       replicas: 1
       restart_policy:
@@ -100,19 +106,23 @@ services:
         - traefik.http.middlewares.graylog_replace_regex.replacepathregex.replacement=/$${1}
         - traefik.http.routers.graylog.middlewares=ops_whitelist_ips@swarm, ops_gzip@swarm, graylog_replace_regex
   vector:
-    image: timberio/vector:0.49.X-debian
+    image: timberio/vector:0.50.X-debian
     ports:
-      - "12200:12201/udp"  # GELF input
+      - target: 12201
+        published: 12201
+        protocol: udp
+        mode: ingress
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     environment:
       - VECTOR_CONFIG=/etc/vector/vector.yaml
       - VECTOR_LOG=info
+      - VECTOR_LOG_DESTINATION=${VECTOR_LOG_DESTINATION}
     configs:
       - source: vector_config
         target: /etc/vector/vector.yaml
     deploy:
-      replicas: 0
+      replicas: 1
       resources:
         limits:
           cpus: "1.0"
@@ -121,11 +131,15 @@ services:
           memory: 256M
       labels: []
     networks:
-      - monitoring
-      - graylog
+      logging:
 
   loki:
-    image: grafana/loki:3.5.4
+    image: grafana/loki:3.5.7
+    ports:
+      - target: 3100
+        published: 12204
+        protocol: tcp
+        mode: host
     configs:
       - source: loki_config
         target: /etc/loki/loki.yaml
@@ -141,7 +155,7 @@ services:
     deploy:
       placement:
         constraints: []
-      replicas: 0
+      replicas: 1
       restart_policy:
         condition: any
         delay: 5s
@@ -172,7 +186,7 @@ volumes:
   graylog_journal:
 
 networks:
-  graylog:
+  logging:
   public:
     external: true
     name: ${PUBLIC_NETWORK}
diff --git a/services/logging/template.env b/services/logging/template.env
index cb34724b..3878dc1d 100644
--- a/services/logging/template.env
+++ b/services/logging/template.env
@@ -24,3 +24,4 @@ S3_FORCE_PATH_STYLE_LOKI=${S3_FORCE_PATH_STYLE_LOKI}
 S3_REGION_LOKI=${S3_REGION_LOKI}
 S3_SECRET_KEY_LOKI=${S3_SECRET_KEY_LOKI}
 STORAGE_DOMAIN=${STORAGE_DOMAIN}
+VECTOR_LOG_DESTINATION=${VECTOR_LOG_DESTINATION}
diff --git a/services/logging/vector.yaml b/services/logging/vector.yaml
index 16ddf97d..907f7330 100644
--- a/services/logging/vector.yaml
+++ b/services/logging/vector.yaml
@@ -1,5 +1,4 @@
-# Vector configuration to replace Fluent Bit
-# Ingests GELF logs from Docker daemon and forwards to Loki and Graylog
+# Ingests GELF logs from Docker daemon and forwards to Loki and Graylog (both over TCP)
 
 sources:
   # Receive GELF messages from Docker containers via UDP
@@ -20,10 +19,7 @@ transforms:
     type: remap
     inputs: ["docker_gelf"]
     source: |
-      if !exists(.host) {
-        .host = get_hostname!()
-      }
-
+      # Make sure to retain .host from the GELF message (originating host), do not overwrite
       # Map short_message to message for Loki compatibility
       if exists(.short_message) {
         .message = .short_message
@@ -54,17 +50,17 @@ transforms:
       .processed_by = "vector"
 
 sinks:
-  # Send to Loki
+  # Send to Loki over TCP
   loki:
     type: loki
     inputs: ["process_logs"]
-    endpoint: "http://loki:3100"
+    endpoint: "http://${VECTOR_LOG_DESTINATION:?err}:12204"
     encoding:
       codec: json
     labels:
       job: "docker"
       source: "vector"
-      # Simple field references - defaults are set in transform above
+      # Pass through the GELF 'host' field from the original log event
       host: "{{ host }}"
       container_name: "{{ container_name }}"
     # Remove label fields from the log line to avoid duplication
@@ -72,12 +68,12 @@ sinks:
     healthcheck:
       enabled: true
 
-  # Send to Graylog via GELF over UDP (not TCP with framing)
+  # Send to Graylog via GELF over TCP
   graylog:
     type: socket
     inputs: ["process_logs"]
-    address: "logging_graylog:12201"
-    mode: udp
+    address: "${VECTOR_LOG_DESTINATION:?err}:12203"
+    mode: tcp
     encoding:
       codec: gelf
     healthcheck: