out_cloudwatch_logs: increase MAX_EVENT_LEN to 1MB with tests

[ShelbyZ]

Summary

CloudWatch logs PutLogEvents API change in 2025 to support events up to 1MB (ref) while our defaults reflect the older value 256KB.

Add runtime tests to validate the new limit:

• event_size_near_limit: Validates events just under 1MB are accepted
• event_size_at_aws_max: Validates events near AWS max are truncated
• event_truncation_with_backslash: Validates backslash handling at truncation boundary

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• [N/A] Example configuration file for the change
• Debug log output from testing the change

Gist: https://gist.github.com/ShelbyZ/76bfac405e03723efeb532a48d5b6a87

Over-limit on current logs

2025-11-13T04:37:45.155000+00:00 fluent-bit/log-router/b5075d48a899473fb8e8acc51e786ac2 [2025/11/13 04:37:45.155344086] [ warn] [output:cloudwatch_logs:app-logs-output] [size=1047894] Truncating event which is larger than max size allowed by CloudWatch
2025-11-13T04:37:45.155000+00:00 fluent-bit/log-router/b5075d48a899473fb8e8acc51e786ac2 [2025/11/13 04:37:45.155470414] [debug] [output:cloudwatch_logs:app-logs-output] Using stream=b5075d48a899473fb8e8acc51e786ac2, group=/ecs/fluentbit-workshop-lab3/app-logs
2025-11-13T04:37:45.159000+00:00 fluent-bit/log-router/b5075d48a899473fb8e8acc51e786ac2 [2025/11/13 04:37:45.155790284] [debug] [output:cloudwatch_logs:app-logs-output] cloudwatch:PutLogEvents: events=1, payload=262280 bytes

New limit

2025-11-13T04:32:20.986000+00:00 fluent-bit/log-router/21e880b6b1774c8e8ec2a6fb6b4679ea [2025/11/13 04:32:20.986187322] [debug] [output:cloudwatch_logs:app-logs-output] Using stream=21e880b6b1774c8e8ec2a6fb6b4679ea, group=/ecs/fluentbit-workshop-lab3/app-logs
2025-11-13T04:32:20.986000+00:00 fluent-bit/log-router/21e880b6b1774c8e8ec2a6fb6b4679ea [2025/11/13 04:32:20.986606024] [debug] [output:cloudwatch_logs:app-logs-output] cloudwatch:PutLogEvents: events=1, payload=1048057 bytes
2025-11-13T04:32:20.986000+00:00 fluent-bit/log-router/21e880b6b1774c8e8ec2a6fb6b4679ea [2025/11/13 04:32:20.986614394] [debug] [output:cloudwatch_logs:app-logs-output] Sending log events to log stream 21e880b6b1774c8e8ec2a6fb6b4679ea

Tested directly against CloudWatch Logs via PutLogEvents to discover that a maximum value of 1,048,546 bytes could be sent without issue. Using 1,000,000 bytes (1MB) gives a safe margin to avoid calculations for the PUT_LOG_EVENTS_PAYLOAD_SIZE which would need reevaluation to support observed max. The encoded max size was also 1,048,586 bytes which is 10 bytes about 1MiB (1,048,576) which makes me worry that depending on an exact max may break over time.

• [WIP] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• [N/A] Run local packaging test showing all targets (including any new ones) build.
• [N/A] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• [N/A] Documentation required for this feature

Backporting

• [N/A] Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Improvements

  • Increased maximum CloudWatch log event payload size from ~256 KB to 1 MB to permit larger single events.
  • Added a new public constant to control entity prefix length.

• Tests

  • Added end-to-end tests covering events at the size limit, events over the new limit, and truncation edge cases (including backslash handling).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Updated CloudWatch Logs public header: increased MAX_EVENT_LEN from 262118 to 1000000, added AWS_ENTITY_PREFIX_LEN = 10, and expanded the documentation comment; added three runtime tests to validate large-event handling and truncation.

Changes

Cohort / File(s)	Summary
CloudWatch API header plugins/out_cloudwatch_logs/cloudwatch_api.h	Increased macro MAX_EVENT_LEN from 262118 to 1000000, added new public macro AWS_ENTITY_PREFIX_LEN = 10, and replaced the short comment with a multi-line explanatory documentation block.
CloudWatch runtime tests tests/runtime/out_cloudwatch.c	Added #include for the CloudWatch API header, new JSON test constants, helper functions create_large_json_message(size_t) and run_cloudwatch_test_with_data(char*, size_t), and three tests: flb_test_cloudwatch_event_size_at_limit, flb_test_cloudwatch_event_size_over_limit, flb_test_cloudwatch_event_truncation_with_backslash. Registered the tests in the test list.

Sequence Diagram(s)

Not applicable — changes are macro/documentation updates and new test cases; no runtime control-flow or component interaction changes to diagram.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay extra attention to:
  • plugins/out_cloudwatch_logs/cloudwatch_api.h — ensure documentation matches AWS limits and public API expectations.
  • tests/runtime/out_cloudwatch.c — verify large message allocation, truncation logic (especially trailing backslash handling), and test cleanup.
  • Any callers or static buffers that assumed the previous MAX_EVENT_LEN.

Poem

🐰 I nibble bytes beneath the moon,

I stretch a log to a million tune,
I craft the JSON, then trim with care,
Escape the slash that might ensnare,
Hooray — big messages hop right there.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: increasing MAX_EVENT_LEN to 1MB with the addition of tests.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f844d36 and 553898e.

📒 Files selected for processing (2)

• plugins/out_cloudwatch_logs/cloudwatch_api.h (2 hunks)
• tests/runtime/out_cloudwatch.c (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-10-23T07:43:16.216Z

Learnt from: cosmo0920
Repo: fluent/fluent-bit PR: 11059
File: plugins/in_tail/tail_file.c:1618-1640
Timestamp: 2025-10-23T07:43:16.216Z
Learning: In plugins/in_tail/tail_file.c, when truncate_long_lines is enabled and the buffer is full, the early truncation path uses `lines > 0` as the validation pattern to confirm whether process_content successfully processed content. This is intentional to track occurrences of line processing rather than byte consumption, and consuming bytes based on `processed_bytes > 0` would be overkill for this validation purpose.

Applied to files:

• tests/runtime/out_cloudwatch.c

📚 Learning: 2025-09-04T12:35:22.872Z

Learnt from: shadowshot-x
Repo: fluent/fluent-bit PR: 10825
File: plugins/out_s3/s3.c:1339-1344
Timestamp: 2025-09-04T12:35:22.872Z
Learning: In the Fluent Bit S3 plugin, the user prefers to maintain current retry_limit behavior without special handling for FLB_OUT_RETRY_UNLIMITED (-1), as there's no documentation indicating -1 should be used for infinite retries and consistency with current logic is preferred.

Applied to files:

• plugins/out_cloudwatch_logs/cloudwatch_api.h

🧬 Code graph analysis (1)

tests/runtime/out_cloudwatch.c (3)

plugins/out_s3/s3.c (1)

• setenv (57-60)

src/flb_lib.c (9)

• flb_create (143-225)
• flb_input (266-276)
• flb_input_set (305-335)
• flb_output (279-289)
• flb_output_set (520-551)
• flb_start (983-994)
• flb_lib_push (843-870)
• flb_stop (1011-1055)
• flb_destroy (228-263)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (11)

plugins/out_cloudwatch_logs/cloudwatch_api.h (3)

23-28: LGTM - Clear distinction between payload and per-event limits.

The updated comment clearly explains the relationship between the total payload buffer size and the conservative per-event cap with safety margin. This addresses previous feedback about distinguishing these two concepts.

---

47-57: LGTM - Well-documented size increase with appropriate safety margin.

The increase to 1,000,000 bytes with ~4.6% safety margin is conservative and well-justified. The detailed comment provides clear rationale, correct calculations, and valuable empirical testing data while maintaining production safety.

---

61-61: LGTM - Correct length constant for AWS entity prefix.

The value 10 correctly matches the length of the "aws_entity" prefix defined on line 60. This makes the length explicit and reusable.

tests/runtime/out_cloudwatch.c (8)

8-10: LGTM - Necessary include for MAX_EVENT_LEN constant.

Including the CloudWatch API header provides access to the MAX_EVENT_LEN constant used in the new test cases.

---

15-17: LGTM - Clean JSON structure constants.

Defining the JSON prefix and suffix as constants improves maintainability and makes the message structure explicit.

---

403-435: LGTM - Solid helper for generating test messages.

The function correctly:

• Validates minimum size requirements
• Allocates and constructs valid JSON structure
• Documents caller responsibility for freeing memory
• Handles errors appropriately

---

437-474: LGTM - Well-structured test helper.

The helper follows standard Fluent Bit test patterns with proper setup, execution, and teardown. The abstraction cleanly supports multiple test scenarios with custom data.

---

476-489: LGTM - Critical boundary test for maximum event size.

This test validates that events exactly at MAX_EVENT_LEN are handled correctly without truncation. Proper memory management with TEST_CHECK assertions.

---

491-504: LGTM - Tests truncation for oversized events.

This test validates that events exceeding MAX_EVENT_LEN are truncated appropriately. Complements the at-limit test to cover both boundary conditions.

---

506-540: LGTM - Thorough test for backslash truncation edge case.

This test correctly addresses previous review feedback:

• Uses valid JSON escape sequences (\\ pairs) instead of lone backslashes
• Explicitly places a backslash escape sequence at the truncation boundary (MAX_EVENT_LEN - 1)
• Validates the plugin's handling of this critical edge case where truncation could leave an incomplete escape sequence

The boundary placement logic and bounds checking are correct.

---

554-556: LGTM - Proper test registration with descriptive names.

The three new tests are correctly registered with clear, descriptive names that indicate their purpose.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7c85150 and ee95b3b.

📒 Files selected for processing (1)

• plugins/out_cloudwatch_logs/cloudwatch_api.h (1 hunks)

🔇 Additional comments (1)

plugins/out_cloudwatch_logs/cloudwatch_api.h (1)

56-56: I'll search the repository directly for the constants to verify the buffer calculations:Based on my verification, here's the rewritten review comment:

MAX_EVENT_LEN increase to 1,000,000 is correct and properly handled.

The increase to 1,000,000 bytes correctly reflects CloudWatch's 2025 update supporting log events up to 1 MB. Verification confirms the buffer logic is sound:

• Individual events are truncated at MAX_EVENT_LEN (cloudwatch_api.c:558-561)
• Payload size is calculated as the sum of all event messages in UTF-8, plus 26 bytes for each log event, and the code conservatively uses 42 bytes per event
• Batch size check (cloudwatch_api.c:891) prevents payloads from exceeding PUT_LOG_EVENTS_PAYLOAD_SIZE
• Maximum single event with overhead: 1,000,000 + 42 = 1,000,042 bytes fits within the 1,048,576-byte batch limit

No buffer sizing issues detected.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

tests/runtime/out_cloudwatch.c (5)

12-14: Avoid duplicating MAX_EVENT_LEN and keep tests tied to the real limit

Here you reintroduce MAX_EVENT_LEN locally but it’s not used anywhere in this file, and the actual definition already lives in cloudwatch_api.h. That creates a drift risk if the plugin constant changes again.

Consider either:

• Including the CloudWatch API header and using its MAX_EVENT_LEN directly in the tests, or
• Wiring these tests to use this macro (e.g., create_large_json_message(MAX_EVENT_LEN - 1000), constructing “over-limit” payloads as MAX_EVENT_LEN + delta) instead of hard‑coded sizes later in the file.

---

399-430: create_large_json_message is bounds-safe but relies on magic offsets

The allocation and index math look safe (no obvious buffer overruns), but the use of hard-coded values (12 for the prefix offset, 15 for the “overhead” size) makes this helper fragile if the JSON structure ever changes.

You could make this more robust and self-documenting by defining prefix/suffix strings and using strlen for lengths, e.g. const char *prefix = "{\"message\":\""; const char *suffix = "\"}"; and computing offsets from those instead of literal 12/15.

---

432-468: Nice reuse of CloudWatch setup; consider minimal defensive checks

This helper cleanly de-duplicates the common setup/teardown logic and pushes arbitrary JSON payloads via the existing lib input/output harness. Functionally it’s consistent with the rest of the file.

If you want to harden it slightly, you could add a TEST_CHECK(ctx != NULL); after flb_create() to fail fast on allocation/init errors, but that’s in line with (and optional relative to) existing tests.

---

470-498: Use MAX_EVENT_LEN (or AWS max) instead of hard-coded sizes in new large-event tests

Both flb_test_cloudwatch_event_size_near_limit and flb_test_cloudwatch_event_size_at_aws_max currently hard-code 999000 and 1048500 while the file defines MAX_EVENT_LEN and the PR is about aligning with CloudWatch’s updated maximum.

To keep these tests robust against future limit changes and better reflect their intent:

• For the “near limit” test, derive the size from MAX_EVENT_LEN (e.g., MAX_EVENT_LEN - 1000 or similar), rather than 999000 directly.
• For the “AWS max” test, consider either:
  • Using a named constant that documents how it relates to the AWS limit (e.g., AWS_MAX_EVENT_SIZE_APPROX), or
  • Deriving it from MAX_EVENT_LEN plus a clear delta that documents “this should be truncated down to MAX_EVENT_LEN”.

That would remove magic numbers and ensure these tests stay aligned with the semantics they’re meant to cover.

---

500-525: Backslash-boundary test indexing looks correct but could reuse the JSON helper

The manual construction of the backslash-heavy payload appears bounds-safe: the loop limit (i < 999980), the base offset (12), and the subsequent strcpy(large_json + 12 + 999980, "\"}") all fit well within the flb_malloc(1000100) buffer.

To reduce the amount of manual index arithmetic and keep the JSON shape consistent with other tests, you could consider building the bulk of the message via create_large_json_message() and then post-processing the payload (e.g., walking the message body and replacing selected characters with \\) instead of re-encoding `{"message":"..."} by hand here.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d7597b and ee654ea.

📒 Files selected for processing (2)

• plugins/out_cloudwatch_logs/cloudwatch_api.h (1 hunks)
• tests/runtime/out_cloudwatch.c (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/out_cloudwatch_logs/cloudwatch_api.h

🧰 Additional context used

🧬 Code graph analysis (1)

tests/runtime/out_cloudwatch.c (3)

plugins/out_s3/s3.c (1)

• setenv (57-60)

src/flb_lib.c (9)

• flb_create (143-225)
• flb_input (266-276)
• flb_input_set (305-335)
• flb_output (279-289)
• flb_output_set (520-551)
• flb_start (983-994)
• flb_lib_push (843-870)
• flb_stop (1011-1055)
• flb_destroy (228-263)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (1)

tests/runtime/out_cloudwatch.c (1)

539-541: Registering new tests in TEST_LIST looks correct

The new tests are properly added to TEST_LIST with descriptive names and the required {NULL, NULL} terminator remains intact. This should integrate cleanly with the existing runtime test harness.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

tests/runtime/out_cloudwatch.c (1)

403-437: Consider safer string operations and add documentation.

The function is correct but could be improved:

1. strcpy usage (lines 424, 433): Consider using memcpy or strncpy for explicit length control, even though the current usage is safe.

2. Silent size adjustment (lines 414-416): The function silently adjusts target_size if it's too small. Consider returning NULL or documenting this behavior.

3. Missing documentation: Add a comment noting that the caller must free the returned pointer.

Example improvement for the strcpy calls:

-    strcpy(json, TEST_JSON_PREFIX);
+    memcpy(json, TEST_JSON_PREFIX, prefix_len);

-    strcpy(json + prefix_len + data_size, TEST_JSON_SUFFIX);
+    memcpy(json + prefix_len + data_size, TEST_JSON_SUFFIX, suffix_len);

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3bf4539 and bb01b00.

📒 Files selected for processing (2)

• plugins/out_cloudwatch_logs/cloudwatch_api.h (1 hunks)
• tests/runtime/out_cloudwatch.c (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

tests/runtime/out_cloudwatch.c (3)

plugins/out_s3/s3.c (1)

• setenv (57-60)

src/flb_lib.c (9)

• flb_create (143-225)
• flb_input (266-276)
• flb_input_set (305-335)
• flb_output (279-289)
• flb_output_set (520-551)
• flb_start (983-994)
• flb_lib_push (843-870)
• flb_stop (1011-1055)
• flb_destroy (228-263)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (7)

plugins/out_cloudwatch_logs/cloudwatch_api.h (2)

46-56: LGTM! Conservative limit with clear documentation.

The 1MB limit with ~4.6% safety margin is a sound approach for production reliability. The comment clearly documents the rationale and empirical testing results.

---

60-60: Good addition for maintainability.

Defining the prefix length as a constant improves code clarity and reduces magic numbers.

tests/runtime/out_cloudwatch.c (5)

8-9: LGTM! Correct header inclusion.

Including the CloudWatch API header provides access to MAX_EVENT_LEN and other constants needed for the new tests.

---

15-17: LGTM! Clear test structure constants.

These constants appropriately define the JSON envelope for constructing test messages.

---

439-476: LGTM! Standard test helper implementation.

The function properly sets up the test environment, handles optional data injection, and ensures cleanup.

---

478-534: LGTM! Comprehensive edge-case coverage.

The three test functions properly exercise large-event handling:

• At-limit events
• Over-limit events requiring truncation
• Backslash handling at truncation boundaries (important for JSON escaping)

Memory management is correct in all tests. The tests follow the existing pattern of integration-style validation without explicit truncation assertions.

Note: The test names in code (event_size_at_limit, event_size_over_limit) differ from those mentioned in the PR objectives (event_size_near_limit, event_size_at_aws_max). The current names are more descriptive and accurate.

---

548-550: LGTM! Proper test registration.

The three new tests are correctly registered in the test suite with names matching their function declarations.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

tests/runtime/out_cloudwatch.c (4)

403-438: Large JSON generator is correct; minor optional simplification

The helper correctly:

• enforces a minimum target_size to hold prefix + at least one data byte + suffix,
• allocates target_size + 1 and null‑terminates at json[target_size],
• fills the payload so that strlen(json) == target_size.

If you ever want to shave a few lines, the data fill loop could be replaced with a memset starting at json + prefix_len for data_size bytes, but that’s purely cosmetic in a test helper.

---

440-477: Shared CloudWatch test harness looks consistent with existing patterns

run_cloudwatch_test_with_data mirrors the setup/teardown logic of the earlier tests (env flag, lib input, cloudwatch_logs output, start/push/stop/destroy) and correctly frees resources on the happy path.

Optionally, you could assert on the return value of flb_lib_push to catch immediate push failures, but given the existing tests do not, this is non‑blocking.

---

479-492: Limit-size test correctly drives a MAX_EVENT_LEN‑sized payload through the pipeline

create_large_json_message(MAX_EVENT_LEN) followed by strlen(large_json) ensures the pushed payload is exactly MAX_EVENT_LEN bytes long, which is what the truncation logic should treat as in‑bounds.

The test currently asserts only that setup succeeds and the pipeline runs without crashing, which matches the style of existing runtime tests here. If you later add hooks to inspect the mock AWS backend, this would be a good place to assert that the event was not truncated.

---

494-507: Over-limit test exercises truncation path, though assertions are coarse

Using create_large_json_message(MAX_EVENT_LEN + 1) ensures the input exceeds the per‑event cap and should force the CloudWatch code down the truncation path.

As with the previous test, this currently validates “no crash / no fatal error” rather than inspecting the truncated size. That’s acceptable for a runtime smoke test, but if you later expose the observed payload length from the mock backend, asserting that it equals MAX_EVENT_LEN would make this test much stronger.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bb01b00 and f844d36.

📒 Files selected for processing (2)

• plugins/out_cloudwatch_logs/cloudwatch_api.h (1 hunks)
• tests/runtime/out_cloudwatch.c (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

tests/runtime/out_cloudwatch.c (3)

plugins/out_s3/s3.c (1)

• setenv (57-60)

src/flb_lib.c (9)

• flb_create (143-225)
• flb_input (266-276)
• flb_input_set (305-335)
• flb_output (279-289)
• flb_output_set (520-551)
• flb_start (983-994)
• flb_lib_push (843-870)
• flb_stop (1011-1055)
• flb_destroy (228-263)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (2)

tests/runtime/out_cloudwatch.c (2)

8-17: Using shared constants for JSON shape and MAX_EVENT_LEN is a good choice

Including cloudwatch_api.h and defining TEST_JSON_PREFIX/TEST_JSON_SUFFIX keeps the tests aligned with the real CloudWatch event constraints and avoids duplicated magic numbers. No issues here.

---

549-551: New tests are correctly registered in TEST_LIST

The three new test cases are wired into TEST_LIST with clear names matching their purposes, so they will run under the existing runtime test harness without further changes.