Did you know about the sos command?

Published: (May 1, 2026 at 05:53 AM EDT)
Source: Dev.to

Overview

The Linux sos command is included in most distributions. In about 53 seconds it creates a compressed and encrypted tar file (a sosreport) that is typically under 15 MB. The archive contains:

  • Over 10 000 text files
  • System logs
  • Output from more than 500 diagnostic commands
  • More than 1 800 configuration files

The resulting file can be transferred to a secure server for analysis by your team—or even by an AI—making it easy to integrate into existing CI/CD pipelines.

Benefits

  • Rapid diagnostics – All necessary information is gathered in under a minute, without opening a persistent server session.
  • Security – The compressed tar is encrypted, reducing exposure while still providing comprehensive data.
  • Collaboration – Multiple teams (SRE, NetTeam, DBA, DevOps, SecOps, QA, etc.) can analyze the same report simultaneously.
  • Root‑cause analysis – Quickly detect problems, perform RCA, inventory hardware/software, review security settings, and measure performance.
  • Historical comparison – Keeping a history of sosreports per server lets you compare snapshots over time to spot configuration drift or hardware changes.

sosreport

A sosreport is the encrypted tar archive produced by the sos command. By maintaining a series of these reports for each server, you can:

  • Identify discrepancies in behavior or configuration.
  • Track changes across deployments.
  • Keep an inventory of hardware and software components.
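
The historical comparison described under Benefits and in the list above, as an added example that is not part of the original post: it hashes the files under etc/ in two decrypted sosreport archives and lists what was added, removed or changed. The function names (`config_digests`, `drift`, `make_sample`) and the archive contents are constructed for illustration, and the code assumes each archive unpacks into a single top-level directory with the host's configuration copied under etc/.

```python
import hashlib
import io
import tarfile


def config_digests(archive, prefix="etc/"):
    """Map each regular file under `prefix` to its SHA-256 digest."""
    digests = {}
    with tarfile.open(fileobj=archive, mode="r:*") as tar:  # gz/xz auto-detected
        for member in tar:
            # Strip the top-level directory: its name (host, date, ID) is per report.
            _, _, rel = member.name.partition("/")
            if member.isfile() and rel.startswith(prefix):
                data = tar.extractfile(member).read()
                digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def drift(old, new, prefix="etc/"):
    """Return (added, removed, changed) paths between two snapshots."""
    a, b = config_digests(old, prefix), config_digests(new, prefix)
    added = sorted(b.keys() - a.keys())
    removed = sorted(a.keys() - b.keys())
    changed = sorted(p for p in a.keys() & b.keys() if a[p] != b[p])
    return added, removed, changed


def make_sample(top, files):
    """Build a constructed in-memory archive standing in for a real report."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample contents, not taken from a real host.
    old = make_sample("sosreport-web01-2026-01-01-aaaa", {
        "etc/ssh/sshd_config": "PermitRootLogin no\n",
        "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
    })
    new = make_sample("sosreport-web01-2026-02-01-bbbb", {
        "etc/ssh/sshd_config": "PermitRootLogin yes\n",
        "etc/sudoers.d/deploy": "deploy ALL=(ALL) NOPASSWD: ALL\n",
    })
    print(drift(old, new))
```

For stored reports, pass two archives opened in binary mode instead of the constructed samples; symlinks and directories are skipped, so only file contents are compared.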

What sos is not

sos is not a monitoring system or a SIEM. It is a diagnostic tool that captures a snapshot of system state for offline analysis. It does not provide continuous monitoring or alerting capabilities.

Further reading

  • Blog post about the sos command:
  • sos‑vault solution (archiving, managing, and analyzing sosreports, with upcoming LLM integration):