
What Data is Collected in an sosreport on Rocky Linux

Introduction

The sosreport tool is a key utility used by system administrators and support teams to collect comprehensive diagnostic information from a Rocky Linux system.

When the sos command is run, it generates an sosreport that gathers configuration details, system logs, and state information into a structured, compressed archive.

This allows a support team to troubleshoot a problem system with detailed logs, without needing the user to manually run multiple commands in order to achieve the same level of log collection.

An sosreport can potentially collect a lot of sensitive information about a system, so knowing what information it gathers can ease the concerns of system administrators when running the sos tool.

Problem

A Rocky Linux node runs into an issue and needs further in-depth analysis by a 3rd party.

Resolution

To clarify what an sosreport collects, below is a detailed layout:

Hardware information

  • DMI tables (dmidecode)

  • PCI device tree (lspci)

  • Loaded kernel modules (lsmod)

  • CPU/Memory statistics (free, numa, /proc/cpuinfo)

  • BIOS and firmware configs from /boot

Kernel and system state

  • GRUB configuration (/boot/efi)

  • Uptime, load, and system identity (uname, hostname, uptime)

  • Kernel logs (dmesg)

  • System journal snapshots (journalctl_--no-pager)

Storage and filesystem

  • Mounted filesystems (mount, df)

  • LVM information (vgdisplay, /etc/lvm)

  • Disk usage and I/O statistics (/var/log/sar if the sysstat package is installed and configured)

  • /etc/fstab and autofs configs

Network configuration

  • IP address and routing tables (ip addr, ip route)

  • Network interfaces, drivers, and statistics (ethtool)

  • firewalld and nftables/iptables configs

  • Snapshots of /etc/NetworkManager, resolv.conf, nsswitch.conf

Services and daemons

  • Enabled systemd units and logs (systemctl, journal slices)

  • Service-specific config directories (sssd, postfix, cups)

  • Init scripts and legacy SysV information

Authentication and security

  • PAM configurations (/etc/pam.d)

  • sudoers file, sshd_config, SELinux policy state (sestatus)

  • Audit rules and logs (/etc/audit)

Logging configuration and data

  • rsyslog and journald config (rsyslog.conf, journald.conf)

  • Rotated logs config (/etc/logrotate.d/)

  • Current and previous logs from /var/log (depending on whether logrotate is set up)

Package management

  • Installed RPMs and installation times (rpm -qa)

  • Repo configs (/etc/yum.repos.d, /etc/dnf)

Process and system usage

  • Running processes (ps, pstree)

  • Open files (lsof)

  • Resource limits and environment variables

Configuration files

  • Entire /etc tree including symlinked files

  • Configuration fragments in /etc/sysconfig, /etc/modprobe.d, /etc/security, etc.

Sosreport plugins and logs

  • sos_commands contains outputs of all CLI commands executed

  • sos_logs for plugin-level logging

  • sos.conf, groups.d, presets.d reflect the plugins used

Recommendations for environments containing sensitive data

For environments that handle sensitive data, it is recommended to obfuscate the data before the sosreport leaves the premises. Please see Generating sosreports on Rocky Linux under Obfuscating an sosreport for more information on how to obfuscate sensitive data in an sosreport.
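A pre-release check to go with the recommendation above, as an added example that is not part of the original article or the sos project: it walks an unpacked sosreport directory and counts credential-like strings, private key headers and IPv4 addresses per file, showing what would still leave the premises. The patterns, function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumed, not exhaustive); expect false positives,
# e.g. dotted version strings that look like IPv4 addresses.
PATTERNS = {
    "credential": re.compile(r"(?i)(?:password|passwd|secret|token)\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}

def audit_sosreport(root):
    """Return {relative_path: {category: hit_count}} for an unpacked sosreport tree."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        # The top level of the archive holds symlinks into sos_commands; skip links
        # so hits are not double counted and nothing outside the tree is read.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it instead of aborting the audit
        hits = {name: len(pat.findall(text)) for name, pat in PATTERNS.items()}
        hits = {name: n for name, n in hits.items() if n}
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample(root):
    """Create a small constructed tree using directory names from the layout above."""
    root = Path(root)
    files = {
        "etc/sssd/sssd.conf": "[domain/example]\nbind_password = not-a-real-secret\n",
        "sos_commands/networking/ip_addr": "inet 127.0.0.1/8 scope host lo\ninet 192.0.2.10/24 scope global eth0\n",
        "var/log/messages": "host1 sshd[101]: Accepted publickey for admin from 198.51.100.7 port 50022\n",
        "etc/hostname": "host1.example.test\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    (root / "ip_addr").symlink_to("sos_commands/networking/ip_addr")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, hits in audit_sosreport(tmp).items():
            print(rel, hits)
```

Run it against the directory produced by extracting the sosreport archive, and again after obfuscation to compare the counts.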

Root cause

Concerns about the data that sosreport collects in environments where sensitive data needs to be handled with care.

Notes

sosreport should be run as root to ensure complete data collection.

Custom plugins or group selections can limit what is captured.

Data collection of an sosreport may be expanded or reduced via /etc/sos/sos.conf or CLI flags such as --only-plugins.

References & related articles

sosreport Source Code