open-telemetry · drewrelmas · Mar 31, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
@@ -356,18 +356,17 @@ To optimize throughput and reduce per-message overhead, the receiver batches
 messages into Apache Arrow record batches before sending downstream:
 
 ```text
-+-------------------------------------------------------------+
-|                    Batching Logic                           |
-+-------------------------------------------------------------+
-|                                                             |
-|   Messages arrive  -->  ArrowRecordsBuilder  -->  Batch     |
-|                              |                     sent     |
-|                              |                              |
-|   Flush conditions:          |                              |
-|   +- Size: max_size messages +-------------------------->   |
-|   +- Time: max_batch_duration_ms  |                              |
-|                                                             |
-+-------------------------------------------------------------+
++-------------------------------------------------------------------+
+|                         Batching Logic                            |
++-------------------------------------------------------------------+
+|                                                                   |
+|   Messages arrive  -->  ArrowRecordsBuilder  -->  Batch sent      |
+|                              |                                    |
+|   Flush conditions:          |                                    |
+|   +- Size: max_size messages +------------------------------->    |
+|   +- Time: max_batch_duration_ms  +-------------------------->    |
+|                                                                   |
++-------------------------------------------------------------------+
 ```
 
 A batch is flushed when either:

@@ -568,6 +568,14 @@ impl local::Receiver<OtapPdata> for SyslogCefReceiver {
                                                                 metrics.borrow_mut().received_logs_truncated.inc();
                                                             }
 
+                                                            // TODO: When a message exceeds MAX_MESSAGE_SIZE, the truncated
+                                                            // head is emitted as one record and the remaining tail bytes become
+                                                            // a separate record with no syslog header context (severity, timestamp,
+                                                            // etc.). Consider adding fragment-correlation metadata (e.g. a shared
+                                                            // attribute linking head and tail) or synthesizing a syslog header on
+                                                            // the continuation fragment so downstream consumers can associate the
+                                                            // pieces. See https://github.com/open-telemetry/otel-arrow/pull/2452#discussion_r3004024837
+
                                                             // Strip trailing newline if present
                                                             // (Complete has it, Truncated does not)
                                                             let message_to_parse = if line_bytes.last() == Some(&b'\n') {

@@ -1,5 +1,12 @@
 # Syslog Parsing Behavior
 
+> **Developer reference** -- This document describes the internal parsing
+> behavior of the syslog CEF receiver. It is useful for contributors
+> working on the parser as well as anyone wanting to understand which
+> message formats are accepted, how edge cases are handled, and what
+> output to expect from valid and invalid input. For user-facing
+> configuration and usage, see [README.md](README.md).
+
 ## Format Detection Order
 
 The top-level `parse()` function in