ist-collect is a tool to collect logs, configuration files, and other system data for analysis by Client Services or Engineering as part of a Support ticket. This article will describe how you can inspect the collected data before submission.
ist-collect produces a compressed tar archive with the file ending .tar.xz. There are a few ways to inspect this file. I will work with the assumption that file inspection will be done on the machine where it was produced. This means that we can use various tools from the GNU/Linux toolbox for our inspection.
Finding the archive
At the end of an ist-collect execution a line will be printed detailing the location of the archive. In our example, this line looks like this:
root@master01:~# ist-collect -a -t 123456
Please attach the file /tmp/ist-123456_2020-04-27T093601Z.tar.xz to ticket 123456.
The file /tmp/ist-123456_2020-04-27T093601Z.tar.xz is what we are looking for.
Archive inspection using Vim
In most cases, I recommend using vim to inspect the file, where it is available. vim is not installed by default but can be installed with the following:
# yum install vim
After installing vim, simply point vim to your archive. Using the example file above it would look like this:
# vim /tmp/ist-123456_2020-04-27T093601Z.tar.xz
You will see a long list of files. At the top of the listing (press [gg] to jump there) you will read:
tar.vim version v29
" Browsing tarfile /tmp/ist-123456_2020-04-27T093601Z.tar.xz
" Select a file with cursor and press ENTER
Use the arrow keys, or h, j, k, l to navigate the file and press [ENTER] when you want to inspect a file. As an example, here is what inspecting the sysinfo file looks like:
Sysinfo generated for OP5 by ITRS Support Tool.
$ grep -D skip . /etc/*-release:
/etc/centos-release:CentOS Linux release 7.7.1908 (Core)
Now you can navigate in this file in the same way. When you are done inspecting the file, close the buffer with [:q + ENTER] and you will get back to the list of files. When you are done inspecting all files, do [:q + ENTER] one last time to get back to the shell.
All of this inspection happens without extracting the archive to disk, which makes it a handy way to quickly read the contents of every file. However, it's not possible to edit the files in this way.
Inspecting the archive using tar and less
If vim is not an option for you, the best choice would be to use tar and less to inspect the files.
First, to get a simple list of all files in the archive, do:
# tar tvf /tmp/ist-123456_2020-04-27T093601Z.tar.xz
drwxr-xr-x root/root 0 2020-04-27 11:39 ist-123456_2020-04-27T093601Z/
drwxr-xr-x root/root 0 2020-04-27 11:36 ist-123456_2020-04-27T093601Z/master01/
drwxr-xr-x root/root 0 2020-04-27 11:36 ist-123456_2020-04-27T093601Z/master01/etc/
drwxr-xr-x root/root 0 2020-04-27 11:36 ist-123456_2020-04-27T093601Z/master01/etc/cron.d/
This will print all files contained in the archive without extracting it. Then, if you wish to inspect a single file, do the following:
# tar xfO <archive-name> <file-name> | less
The O option extracts a file to stdout instead of extracting it to disk, allowing us to pipe it directly to less.
Note that the filename starts with "ist-123456" in our example. The full command to show the directory-list file for master01 in less is:
# tar xfO /tmp/ist-123456_2020-04-27T093601Z.tar.xz ist-123456_2020-04-27T093601Z/master01/directory-list-master01.txt | less
In this way, you can inspect any file in the archive without first having to decompress the whole archive.
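The same tar options can be used to search every file in the archive rather than paging through one at a time. The script below is an added example, not part of ist-collect or the original article; the function names, the default search pattern and the sample archive are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: search every file in an ist-collect archive for strings that
# may be sensitive, streaming each member to stdout (tar -O) so nothing is
# written to disk. The default pattern is an assumption; adjust it as needed.

DEFAULT_PATTERN='passw(or)?d|secret|api[_-]?key|BEGIN [A-Z ]*PRIVATE KEY'

# scan_archive ARCHIVE [PATTERN]
# Prints "member:line-number:matching line" for each hit.
scan_archive() {
    archive=$1
    pattern=${2:-$DEFAULT_PATTERN}
    tar -tf "$archive" | while IFS= read -r member; do
        case $member in */) continue ;; esac      # directories have no content
        # Re-reads the archive once per member: slow on large archives, but
        # relies only on the list (t) and extract-to-stdout (xO) modes above.
        tar -xOf "$archive" "$member" 2>/dev/null |
            grep -a -n -i -E -e "$pattern" |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$member" "$hit"
            done
    done
}

# build_sample_archive DIR
# Creates constructed sample data (not real ist-collect output) in DIR.
build_sample_archive() {
    root=$1/ist-000000_sample/host01
    mkdir -p "$root/etc"
    printf 'CentOS Linux release 7.7.1908 (Core)\n' > "$root/sysinfo"
    printf 'user=monitor\npassword=example-only\n' > "$root/etc/app.conf"
    tar -cf "$1/sample.tar" -C "$1" ist-000000_sample
}

# Usage: sh scan.sh /tmp/ist-123456_2020-04-27T093601Z.tar.xz ['regex']
if [ "$#" -ge 1 ]; then
    scan_archive "$@"
fi
```

Each hit names the archive member and line number, so you can open that file with vim or tar and less as described above to review it in context.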