What Data is Collected in an sosreport on Rocky Linux
Introduction
The sosreport tool is a key utility used by system administrators and support teams to collect comprehensive diagnostic information from a Rocky Linux system.
When the sos command is run, an sosreport is generated that gathers configuration details, system logs, and state information in a structured, compressed archive.
This allows a support team to troubleshoot a problem system with detailed logs, without needing the user to manually run multiple commands in order to achieve the same level of log collection.
An sosreport can potentially collect a lot of sensitive information about a system, so knowing what information an sosreport gathers can ease the concerns of system administrators when running the sos tool.
Problem
A Rocky Linux node runs into an issue and needs further in-depth analysis by a 3rd party.
Resolution
To clarify what an sosreport collects, below is a detailed layout:
Hardware information
- DMI tables (dmidecode)
- PCI device tree (lspci)
- Loaded kernel modules (lsmod)
- CPU/Memory statistics (free, numa, /proc/cpuinfo)
- BIOS and firmware configs from /boot
Kernel and system state
- GRUB configuration (/boot/efi)
- Uptime, load, and system identity (uname, hostname, uptime)
- Kernel logs (dmesg)
- System journal snapshots (journalctl_--no-pager)
Storage and filesystem
- Mounted filesystems (mount, df)
- LVM information (vgdisplay, /etc/lvm)
- Disk usage and I/O statistics (/var/log/sar if the sysstat package is installed and configured)
- /etc/fstab and autofs configs
Network configuration
- IP address and routing tables (ip addr, ip route)
- Network interfaces, drivers, and statistics (ethtool)
- firewalld and nftables/iptables configs
- Snapshots of /etc/NetworkManager, resolv.conf, nsswitch.conf
Services and daemons
- Enabled systemd units and logs (systemctl, journal slices)
- Service-specific config directories (sssd, postfix, cups)
- Init scripts and legacy SysV information
Authentication and security
- PAM configurations (/etc/pam.d)
- sudoers file, sshd_config, SELinux policy state (sestatus)
- Audit rules and logs (/etc/audit)
Logging configuration and data
- rsyslog and journald config (rsyslog.conf, journald.conf)
- Rotated logs config (/etc/logrotate.d/)
- Current and previous logs from /var/log (depending on whether logrotate is set up)
Package management
- Installed RPMs and installation times (rpm -qa)
- Repo configs (/etc/yum.repos.d, /etc/dnf)
Process and system usage
- Running processes (ps, pstree)
- Open files (lsof)
- Resource limits and environment variables
Configuration files
- Entire /etc tree including symlinked files
- Configuration fragments in /etc/sysconfig, /etc/modprobe.d, /etc/security, etc.
Sosreport plugins and logs
- sos_commands contains outputs of all CLI commands executed
- sos_logs for plugin-level logging
- sos.conf, groups.d, presets.d reflect the plugins used
Recommendations for environments containing sensitive data
For environments that handle sensitive data, it is recommended to obfuscate the data before the sosreport leaves the premises. Please see Generating sosreports on Rocky Linux under Obfuscating an sosreport for more information on how to obfuscate sensitive data in an sosreport.
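As a pre-send check to go with this recommendation, the following added example (not part of the original article or of the sos project) walks an unpacked sosreport and reports which sensitive categories from the layout above are present, together with the distinct IPv4 addresses found in them. It assumes the archive mirrors the host's paths under its root (etc/, var/log/, sos_commands/); the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Paths relative to the archive root (assumed to mirror host paths), from the layout above.
SENSITIVE = {
    "authentication": ["etc/pam.d", "etc/sudoers", "etc/ssh/sshd_config", "etc/audit"],
    "network": ["etc/NetworkManager", "etc/resolv.conf", "etc/nsswitch.conf"],
    "logs": ["var/log"],
    "command_output": ["sos_commands"],
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def files_under(path):
    """Return regular files at or below path, skipping symlinks."""
    candidates = sorted(path.rglob("*")) if path.is_dir() else [path]
    return [p for p in candidates if p.is_file() and not p.is_symlink()]

def review(root):
    """Map each category present to its files and the distinct IPv4 addresses in them."""
    root, report = Path(root), {}
    for category, rel_paths in SENSITIVE.items():
        files, addrs = [], set()
        for rel in rel_paths:
            for f in files_under(root / rel):
                files.append(f.relative_to(root).as_posix())
                hits = IPV4.findall(f.read_text(errors="replace"))
                addrs.update(a for a in hits if all(int(o) <= 255 for o in a.split(".")))
        if files:
            report[category] = {"files": files, "ipv4": addrs}
    return report

def build_sample(root):
    """Write a constructed tree standing in for an unpacked sosreport."""
    samples = {
        "etc/ssh/sshd_config": "ListenAddress 192.0.2.10\nPermitRootLogin no\n",
        "etc/resolv.conf": "nameserver 198.51.100.53\n",
        "var/log/secure": "Accepted publickey for admin from 203.0.113.7 port 50022\n",
        "sos_commands/networking/ip_addr": "inet 192.0.2.10/24 scope global eth0\n",
    }
    for rel, text in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(review(tmp))
```

Running review() against the directory of a real unpacked report, before and after obfuscation, shows whether real addresses still appear in the categories that matter.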
Root cause
Concerns about the data that sosreport collects in environments where sensitive data needs to be handled with care.
Notes
sosreport should be run as root to ensure complete data collection.
Custom plugins or group selections can limit what is captured.
Data collection of an sosreport may be expanded or reduced via /etc/sos/sos.conf or CLI flags such as --only-plugins.