First character of message truncated
Subject: First character of message truncated
We are the makers of Sawmill, a log analysis program that reads Kiwi logs. We've worked closely with you in the past to support your formats, and indeed, one of your formats is called Sawmill/ISO format because of our collaboration on it.
I'm writing to report what I believe is a bug in Kiwi, though I'm afraid I don't have really good information about it. I have repeatedly seen log data generated by Kiwi, usually (always) on Asian-language systems, where the first character of the syslog message is missing. Here's an example:
2009-05-25 14:27:49 Mail.Info 210.69.13.154 endmail[11528]: n4P6RohJ011528: from=, size=152535, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
2009-05-25 14:27:54 Mail.Info 210.69.13.154 endmail[11541]: n4P6RrF7011537: to=, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=1143727, relay=[210.69.13.136] [210.69.13.136], dsn=2.0.0, stat=Sent (OK: )
This is sendmail log data, so the syslog message should start with "sendmail", but as you can see, it starts with "endmail". I have seen this at least five times, including log data where the leading month is "an" instead of "Jan". This causes serious problems for our log recognition and parsing--Sawmill doesn't recognize this as sendmail logs because it assumes that sendmail logs will contain "sendmail", and this data doesn't.
I filled in all your support form fields here, but they're all invented, because I don't know the details of the customer's system. I don't know what OS they're using or which version of Kiwi. I'm not even sure they're using Kiwi, but the syslog header looks like yours.
Again, I think I've only seen this on systems from ASIA, so I suspect it has to do with multibyte characters, Unicode, etc., and does not affect US installations.
Have you seen this before? If it's known and fixed, which version is it fixed in? If it's not known, I can get you more information about it.<
