Loading...

VONDS ©

Lab 51: Generating a System SOS Report

Back to Lab Index

Generate a complete system diagnostic bundle using sosreport so performance issues can be analyzed off-host without guesswork. Verify the resulting archive exists in the expected location and inspect its contents safely without extracting.

troubleshooting core

Scenario

You are a support engineer at a data center. A customer reports serious performance issues, and your manager asks you to generate a full SOS report for offline analysis. Your job is to install the required tooling, produce the archive, confirm where it was saved, and validate what it contains.

Operator context

A sosreport is often the fastest way to provide consistent, vendor-friendly evidence for escalation. Generate it early, before making risky changes that could destroy useful state.

Objective

  • Install the SOS tooling package.
  • Generate a sosreport archive as root.
  • Verify the archive exists in /var/tmp.
  • Inspect archive contents without extracting.

Concepts

  • sosreport collects system state and configuration into a single archive for escalation and offline analysis.
  • The archive can include sensitive data (hostnames, logs, config). Treat it like production evidence and share it only through approved channels.
  • You can validate the archive without extracting by listing its contents with tar -tf.
  • Generate the report before heavy troubleshooting changes so you capture the original failure state.

What You’ll Practice

  • Installing diagnostic tooling with dnf / yum.
  • Creating a standardized support bundle using sosreport.
  • Verifying output artifacts and locations using ls.
  • Listing archive contents safely using tar -tf.

Walkthrough

Step 1 : Install the sosreport package.
Command 
sudo dnf install -y sos
# OR
sudo yum install -y sos

The sos package provides sosreport, which collects system configuration and diagnostic data into a single archive. On RHEL-family systems, you typically install it using dnf (or yum on older workflows). 

Complete!
Step 2 : Generate the sosreport archive.
Command 
sudo sosreport

Running sosreport as root allows it to collect the system-wide information support teams need. The tool may prompt for an identifying name and a case ID so the archive can be associated with a ticket. 

sosreport (version 4.5)
This utility will collect diagnostic and support data from this system.
Press ENTER to continue, or CTRL-C to quit.

Please enter the case id that you are generating this report for []: 123456
Setting up archive ...
Setting up plugins ...
Running plugins. Please wait ...

Finished running plugins.

Your sosreport has been generated and saved in:
  /var/tmp/sosreport-labuser-123456.tar.xz

The checksum is:
  sha256: 111122223333444455556666777788889999aaaabbbbccccddddeeeeffff0000
Step 3 : Verify the report exists in the expected location.
Command 
ls -lh /var/tmp | grep sosreport

In many environments, sosreport writes the archive to /var/tmp. Confirm the artifact exists before attempting to transfer it or attach it to a case. 

-rw------- 1 root root 18M Jul 22 01:28 sosreport-labuser-123456.tar.xz
Step 4 : List files inside the archive (non-destructive).
Command 
tar -tf /var/tmp/sosreport-labuser-123456.tar.xz | head

tar -tf lists archive contents without extracting. This is the safe way to validate that the report contains expected categories of evidence before you hand it off for analysis. 

sosreport-labuser-123456/
sosreport-labuser-123456/sos_commands/
sosreport-labuser-123456/sos_commands/general/
sosreport-labuser-123456/sos_commands/general/hostnamectl
sosreport-labuser-123456/etc/
sosreport-labuser-123456/etc/hostname
sosreport-labuser-123456/etc/hosts
sosreport-labuser-123456/var/
sosreport-labuser-123456/var/log/
sosreport-labuser-123456/var/log/messages
Step 5 : Record the checksum for transfer validation.
Command 
sha256sum /var/tmp/sosreport-labuser-123456.tar.xz

When you upload the archive to a support portal or move it to another host, a checksum lets you confirm the file arrived intact without corruption. 

111122223333444455556666777788889999aaaabbbbccccddddeeeeffff0000  /var/tmp/sosreport-labuser-123456.tar.xz

Common breakpoints

sosreport not found after install

Confirm the package name and PATH. On some systems the package may be sos but the binary is /usr/sbin/sosreport. Verify with rpm -q sos and command -v sosreport.

Archive not created in /var/tmp

Read the final output line from sosreport. It prints the exact archive path. Some environments override the destination.

Sensitive data concerns

Treat the archive like production evidence. If you must share it externally, follow your org’s redaction and approval process first.

Cleanup checklist

  • Optional: remove the generated archive after transfer and confirmation.
Command 
sudo rm -f /var/tmp/sosreport-labuser-123456.tar.xz

Reference

  • dnf install -y sos: installs the sos package (provides sosreport).
    • -y: automatically answers “yes”
  • yum install -y sos: legacy workflow to install sos.
    • -y: automatically answers “yes”
  • sosreport: generates a diagnostic archive for support analysis.
  • ls -lh /var/tmp: confirms the archive exists and shows permissions/size.
  • tar -tf /var/tmp/<archive>.tar.xz: lists archive contents without extracting.
    • -t: list contents
    • -f: read from the specified file
  • sha256sum /var/tmp/<archive>.tar.xz: produces a checksum for transfer validation.