02. How to execute sos Report Command? Written on . Posted in sos command.
NOTE: The following description is based in the sos command version 4.5.6 executed in an Ubuntu 20.04 server (hostname ganymede)
The sos report command gathers system diagnostics for troubleshooting. The following are basic examples of how to run the sos command to emphasize the usage of the --clean, --encrypt-pass , --case-id and --label options. As per the sos command manual page:
- --encrypt: Encrypt the resulting archive, and determine the method by which that encryption is done by either a user prompt or environment variables.
- --encrypt-pass: Encrypts the resulting archive that sosreport produces using GPG. The provided PASS for symmetric encryption
- --clean: This function is designed to obfuscate potentially sensitive information from an sos report archive in a consistent and reproducible manner.
- --label LABEL: Specify an arbitrary identifier to associate with the archive. Labels will be appended after the system's short hostname and may contain alphanumeric characters.
- --case-id NUMBER: Specify a case identifier to associate with the archive. Identifiers may include alphanumeric characters, commas and periods ('.').
Running an sos report is straightforward, the simplest way to execute it is through a single command:
1. sudo sos report
When you run sos report without any extra options, it will ask for a case id this report is for in this example we used SUPP-0001 as case id and after a few seconds It will generate an output like this:
Finishing plugins [Running: logs]
Finished running plugins
Creating compressed archive...
Your sosreport has been generated and saved in:
/tmp/sosreport-ganymede-SUPP-0001-2024-10-01-xgsjkdb.tar.xz
Size 11.87MiB
Owner root
sha256 de66aa92c59f179af7ce0906056a58e8360772b56bbcbaed2f935bc9c009ee75
Please send this file to your support representative.
The command generated an 11.87 MiB compressed tar file inside the /tmp directory. The name of the tar file is sosreport-ganymede-SUPP-0001-2024-10-01-xgsjkdb.tar.xz (sosreport-HOSTNAME-CASE-ID-DATE-ID.tar.xz). Also note that the file sha256 checksum is provided for integrity verification after upload.
To generate a report while ensuring obfuscation for sensitive information such as hostnames or IP addresses, the following command can be used:
2. sudo sos report --clean
The --clean option, is designed to obfuscate potentially sensitive information from an sos report archive in a consistent and reproducible manner. When you run sos with this option, it will ask for a case id as before and after a several minutes It will generate an output like this:
Finishing plugins [Running: logs]
Finished running plugins
Found 1 total reports to obfuscate, processing up to 4 concurrently
sosreport-ganymede-SUPP-0001-2024-10-01-euofqva : Beginning obfuscation...
sosreport-ganymede-SUPP-0001-2024-10-01-euofqva : Obfuscation completed [removed 88 unprocessable files]
Successfully obfuscated 1 report(s)
Creating compressed archive...
A mapping of obfuscated elements is available at
/tmp/sosreport-host0-SUPP-0001-2024-10-01-euofqva-private_map
Your sosreport has been generated and saved in:
/tmp/sosreport-host0-SUPP-0001-2024-10-01-euofqva-obfuscated.tar.xz
Size 11.14MiB
Owner root
sha256 3d8c1efa5f4b241469a32b4807d3210d58fb971731d785e13501257c468105ee
Please send this file to your support representative.
The command generated an 11.87 MiB compressed tar file and took almost 10 minutes to finish. Notice how the name of the file no longer contains the hostname but host0 instead. The name of the tar file is now sosreport-host0-SUPP-0001-2024-10-01-euofqva-obfuscated.tar.xz (sosreport-HOSTNAME-CASE-ID-DATE-ID.obfuscated.tar.xz). Also note that the file sha256 checksum is provided for integrity verification after upload.
To generate an encrypted report the following command can be used:
3. sudo sos report --encrypt-pass "aPassword"
The --encrypt-pass option encrypts the resulting archive with GPG using the provided password for symmetric encryption. When you run sos report with the --encrypt-pass option, it will ask for a case id this report is for in this example we used SUPP-0001 as case id and after a few seconds It will generate an output like this:
Finishing plugins [Running: logs]
Finished running plugins
Creating compressed archive...
Your sosreport has been generated and saved in:
/tmp/secured-sosreport-ganymede-SUPP-0001-2024-10-01-plyzuet.tar.xz.gpg
Size 11.90MiB
Owner root
sha256 01bd4e339e6823235c36f6ef044d0d60e0243d80bda65f333fca31ce2dd8e894
Please send this file to your support representative.
The command generated an 11.90 MiB encrypted and compressed tar file and took just a few seconds to finish. Notice how the file extension change to gpg indicating that this is a GNU Privacy Guard encrypted file. The name of the tar file is now secured-sosreport-ganymede-SUPP-0001-2024-10-01-plyzuet.tar.xz.gpg (secured-sosreport-HOSTNAME-CASE-ID-DATE-ID.tar.xz.gpg).
Also note that the file sha256 checksum is provided for integrity verification after upload.
The following is an example of both an ecrypted and obfuscated report:
4. sudo sos report --encrypt-pass "aPassword" --clean --case-id SUPP-0001 --label "a label"
It is possible to specify a label for the final file name with the --label option. Note that in this example, it will not ask for a case id this time as we specified it in the command line with the --case-id option and after several minutes (because we used the clean option) seconds It will generate an output like this:
Finishing plugins [Running: logs]
Finished running plugins
Found 1 total reports to obfuscate, processing up to 4 concurrently
sosreport-ganymede-alabel-SUPP-0001-2024-10-01-iwormbj : Beginning obfuscation...
sosreport-ganymede-alabel-SUPP-0001-2024-10-01-iwormbj : Obfuscation completed [removed 88 unprocessable files]
Successfully obfuscated 1 report(s)
Creating compressed archive...
A mapping of obfuscated elements is available at
/tmp/sosreport-host0-alabel-SUPP-0001-2024-10-01-iwormbj-private_map
Your sosreport has been generated and saved in:
/tmp/secured-sosreport-host0-alabel-SUPP-0001-2024-10-01-iwormbj-obfuscated.tar.xz.gpg
Size 11.20MiB
Owner root
sha256 743902e923340381d5d559b90bdbf336a4d5e98701d19c233006e7825a9298ec
Please send this file to your support representative.
The command generated an 11.20 MiB encrypted and compressed tar file. Notice how the file contains the label with all spaces removed. The name of the tar file is now secured-sosreport-host0-alabel-SUPP-0001-2024-10-01-iwormbj-obfuscated.tar.xz.gpg (secured-sosreport-HOSTNAME-LABEL-CASE-ID-DATE-ID.obfuscated.tar.xz.gpg).
In any of the examples above, a tar file is generated and to review its contents it is necessary to extract it in the computer where the analysis is goint to be performed and if required provide the decryption password. In our next articles we will explore how to explore and analyse a sos report.
5. sos.conf
If You don’t want to have to remember all those command line options, You can configure all the command line options neede in the
/etc/sos/sos.conf file, and then just run sos report. Here’s an example:$ egrep -v "^#|^$" /etc/sos/sos.conf [global] batch = yes [report] enable-plugins = sar all-logs = yes [collect] [clean] keywords = SecretApp [plugin_options] sar.all_sar=on
Conclusion
sosreport offers a wide range of options that make it a powerful tool for system diagnostics and support. From collecting logs and configuration files to running plugin-based checks across major subsystems, its flexibility makes it ideal for troubleshooting complex issues. Whether you're generating a standard report, limiting data collection to specific plugins, or running it in batch mode, there’s likely a set of options that fits your workflow. Don’t hesitate to explore commands like --only-plugins, --log-level, or --batch to tailor reports to your needs—you’ll be surprised how much useful information you can uncover.