sos report --all-logs -a does not gather all the older syslog, kern.log or boot.log files for Ubuntu

[nkshirsagar]

Some testing results

root@xxx:/home/nikhil# cd /var/log
root@xxx:/var/log# ls
alternatives.log        boot.log.7              kern.log.1
alternatives.log.1      bootstrap.log           kern.log.2.gz
alternatives.log.10.gz  btmp                    kern.log.3.gz
alternatives.log.2.gz   btmp.1                  kern.log.4.gz
alternatives.log.3.gz   cups                    lastlog
alternatives.log.4.gz   dist-upgrade            lxc
alternatives.log.5.gz   dmesg                   openvpn
alternatives.log.6.gz   dmesg.0                 private
alternatives.log.7.gz   dmesg.1.gz              speech-dispatcher
alternatives.log.8.gz   dmesg.2.gz              syslog
alternatives.log.9.gz   dmesg.3.gz              syslog.1
apport.log              dmesg.4.gz              syslog.2.gz
apport.log.1            dpkg.log                syslog.3.gz
apport.log.2.gz         dpkg.log.1              syslog.4.gz
apport.log.3.gz         dpkg.log.10.gz          ubuntu-advantage.log
apport.log.4.gz         dpkg.log.2.gz           ubuntu-advantage.log.1
apport.log.5.gz         dpkg.log.3.gz           ubuntu-advantage.log.2.gz
apport.log.6.gz         dpkg.log.4.gz           ubuntu-advantage.log.3.gz
apport.log.7.gz         dpkg.log.5.gz           ubuntu-advantage.log.4.gz
apt                     dpkg.log.6.gz           ubuntu-advantage-timer.log
auth.log                dpkg.log.7.gz           ubuntu-advantage-timer.log.1
auth.log.1              dpkg.log.8.gz           ubuntu-advantage-timer.log.2.gz
auth.log.2.gz           dpkg.log.9.gz           ubuntu-advantage-timer.log.3.gz
auth.log.3.gz           faillog                 ubuntu-advantage-timer.log.4.gz
auth.log.4.gz           fontconfig.log          ubuntu-advantage-timer.log.5.gz
boot.log                gdm3                    ubuntu-advantage-timer.log.6.gz
boot.log.1              gpu-manager.log         unattended-upgrades
boot.log.2              gpu-manager-switch.log  wtmp
boot.log.3              hp                      Xorg.0.log
boot.log.4              installer               Xorg.0.log.old
boot.log.5              journal                 Xorg.1.log
boot.log.6              kern.log                Xorg.1.log.old
root@xxx:/var/log# sos report --all-logs

sosreport (version 4.5.6)

This command will collect system configuration and diagnostic
information from this Ubuntu system.

For more information on Canonical visit:

        Community Website  : https://www.ubuntu.com/
        Commercial Support : https://www.canonical.com

The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party.

No changes will be made to system configuration.


Press ENTER to continue, or CTRL-C to quit.

Optionally, please enter the case id that you are generating this report for []: 

 Setting up archive ...
 Setting up plugins ...
[plugin:networking] skipped command 'ip -s macsec show': required kmods missing: macsec.   Use '--allow-system-changes' to enable collection.
[plugin:networking] skipped command 'ss -peaonmi': required kmods missing: unix_diag, af_packet_diag, inet_diag, udp_diag, netlink_diag, xsk_diag, tcp_diag.   Use '--allow-system-changes' to enable collection.
 Running plugins. Please wait ...

  Starting 1/72  acpid           [Running: acpid]                                 Starting 2/72  alternatives    [Running: alternatives]                          Starting 4/72  apparmor        [Running: alternatives apparmor]                 Starting 5/72  apport          [Running: alternatives apparmor apport]          Starting 3/72  anacron         [Running: alternatives apparmor apport anacron]  Starting 6/72  apt             [Running: alternatives apparmor apport apt]      Starting 7/72  ata             [Running: alternatives apparmor apt ata]         Starting 8/72  block           [Running: alternatives apt ata block]     Finishing plugins              [Running: logs]                                          tarting 10/72 cgroups         [Running: apt block boot cgroups]                        
  Finished running plugins                                                               
Creating compressed archive...

Your sosreport has been generated and saved in:
	/tmp/sosreport-xxx-2023-10-25-gjznbex.tar.xz

 Size	200.85MiB
 Owner	root
 sha256	7d837981dcafc83cce10bc00337ef0c533c7cc4300d279ca9a03e0192fa4b851

Please send this file to your support representative.

root@xxx:/var/log# cd /tmp
root@xxx:/tmp# tar -xf /tmp/sosreport-xxx-2023-10-25-gjznbex.tar.xz
root@xxx:/tmp# cd /tmp/sosreport-xxx-2023-10-25-gjznbex
root@xxx:/tmp/sosreport-xxx-2023-10-25-gjznbex# ls
boot  df         environment  free      installed-debs   ip_addr   last  lsb-release  lsof   mount  proc  pstree         run           sos_logs     sys    uptime  var          vgdisplay
date  dmidecode  etc          hostname  installed-snaps  ip_route  lib   lsmod        lspci  opt    ps    root-symlinks  sos_commands  sos_reports  uname  usr     version.txt
root@xxx:/tmp/sosreport-xxx-2023-10-25-gjznbex# cat ^C
root@xxx:/tmp/sosreport-xxx-2023-10-25-gjznbex# cd var/log/
root@xxx:/tmp/sosreport-xxx-2023-10-25-gjznbex/var/log# ls
alternatives.log        alternatives.log.6.gz  apport.log.3.gz  boot.log        dpkg.log.2.gz  dpkg.log.9.gz           ubuntu-advantage.log.2.gz        ubuntu-advantage-timer.log.4.gz  Xorg.1.log.old
alternatives.log.1      alternatives.log.7.gz  apport.log.4.gz  cups            dpkg.log.3.gz  installer               ubuntu-advantage.log.3.gz        ubuntu-advantage-timer.log.5.gz
alternatives.log.10.gz  alternatives.log.8.gz  apport.log.5.gz  dist-upgrade    dpkg.log.4.gz  journal                 ubuntu-advantage.log.4.gz        ubuntu-advantage-timer.log.6.gz
alternatives.log.2.gz   alternatives.log.9.gz  apport.log.6.gz  dmesg           dpkg.log.5.gz  kern.log                ubuntu-advantage-timer.log       unattended-upgrades
alternatives.log.3.gz   apport.log             apport.log.7.gz  dpkg.log        dpkg.log.6.gz  syslog                  ubuntu-advantage-timer.log.1     Xorg.0.log
alternatives.log.4.gz   apport.log.1           apt              dpkg.log.1      dpkg.log.7.gz  ubuntu-advantage.log    ubuntu-advantage-timer.log.2.gz  Xorg.0.log.old
alternatives.log.5.gz   apport.log.2.gz        auth.log         dpkg.log.10.gz  dpkg.log.8.gz  ubuntu-advantage.log.1  ubuntu-advantage-timer.log.3.gz  Xorg.1.log
root@xxx:/tmp/sosreport-xxx-2023-10-25-gjznbex/var/log#

[nkshirsagar]

I think there are some cases where the information being logged to syslog isnt in the journal, but 8c2b07a does not consider this situation. So the --all-logs command becomes misleading because it does not actually gather all-logs from the logs plugin - https://github.com/sosreport/sos/blob/main/sos/report/plugins/logs.py#L65 when it detects the journal service

        else:  # If not using journal
            if not self.get_option("all_logs"):
                self.add_copy_spec([
                    "/var/log/syslog",
                    "/var/log/syslog.1",
                    "/var/log/syslog.2*",
                    "/var/log/kern.log",
                    "/var/log/kern.log.1",
                    "/var/log/kern.log.2*",
                    "/var/log/auth.log",
                    "/var/log/auth.log.1",
                    "/var/log/auth.log.2*",
                ])
            else:
                self.add_copy_spec([
                    "/var/log/syslog*",
                    "/var/log/kern.log*",
                    "/var/log/auth.log*",
                ])

[pmoravec]

I guess you complain that /var/log/auth.log.* files were not collected (which they should, per the a_s_c) or boot.log.* (see

sos/sos/report/plugins/logs.py

Line 48 in ab36ea6

"/var/log/boot.log",

) but you dont complain files/dirs like speech-dispatcher or private were ignored?

I expect the

sos/sos/report/plugins/logs.py

Line 44 in ab36ea6

self.add_copy_spec([

needs to have --all-logs variant. And I would need to have debug sos logs to understand why it skipped collecting auth.log.* files.

[nkshirsagar]

I think the auth.log.* files are not collected because this else isnt true -

sos/sos/report/plugins/logs.py

Line 77 in ab36ea6

else: # If not using journal

I'd initially opened this issue because I felt --all-logs should collect all the compressed .1.gz files for syslog, boot logs and kern.log too, but I see the code's point that the journal should have it all. There's been some reports of journal logs not containing the logs the syslog has, @desrod reported such instances. I also feel its better (intuitively) that all-logs does in fact collect all the logs in /var/log, maybe at the risk of duplicity in that those logs may also exist in the journal.

As for the auth.log.* files, we'd need to add collecting them to https://github.com/sosreport/sos/blob/ab36ea641f6c2145ef8a52dcb3e70abb5ee8e9b9/sos/report/plugins/logs.py#L44C1-L54C11 I guess? And as for --all-logs, for the journal case, yes I agree we need to consider --all-logs even in the first part of the if, i.e here -

sos/sos/report/plugins/logs.py

Line 65 in ab36ea6

if journal and self.is_service("systemd-journald"):

, maybe move the part collecting the default stuff into the if loop, WDYT?

[nkshirsagar]

Looking closer, if we are assuming journal logs will capture everything meant for syslog, auth.log and messages, then the only thing to do in this PR is to add auth.log collection for the default collections before the if loops.

I will send a MR for this in a bit.

If we decide syslog and indeed even kern.log have logs that do not somehow make it into the journal then we will revisit this one, tagging @desrod for awareness.