Preface

ist-collect is a tool to collect logs, configuration files, and other system data for analysis by Client Services or Engineering as part of a Support ticket. This article will describe how you can inspect the collected data before submission.

Inspection

ist-collect produces a compressed tar archive with the file ending .tar.xz. There are a few ways to inspect this file. I will work with the assumption that you will inspect the file on the machine where it was produced. This means that we can use various tools from the GNU/Linux toolbox for our inspection.

Finding the archive

At the end of an ist-collect execution, it will print a line detailing the location of the archive. In our example, this line looks like this:

# root@master01:~# ist-collect -a -t 123456
[...]
Please attach the file /tmp/ist-123456_2020-04-27T093601Z.tar.xz to ticket 123456.

The file /tmp/ist-123456_2020-04-27T093601Z.tar.xz is what we are looking for.

Archive inspection using Vim

In most cases, I recommend using vim to inspect the file, where it is available. If vim is not already installed, you can install it using the following command:

# yum install vim

After installing vim, simply point vim to your archive. Using the example file above, it would look like this:

# vim /tmp/ist-123456_2020-04-27T093601Z.tar.xz

You will see a long list of files, and at the top of the file [gg] you will read:

tar.vim version v29
" Browsing tarfile /tmp/ist-123456_2020-04-27T093601Z.tar.xz
" Select a file with cursor and press ENTER

ist-123456_2020-04-27T093601Z/
ist-123456_2020-04-27T093601Z/master01/
ist-123456_2020-04-27T093601Z/master01/etc/
ist-123456_2020-04-27T093601Z/master01/etc/cron.d/
[...]

Use the arrow keys, or h, j, k, l to navigate the file and press [ENTER] when you want to inspect a file. As an example, here is what inspecting the sysinfo file looks like:

Sysinfo generated for OP5 by ITRS Support Tool.

================================================================================
$ grep -D skip . /etc/*-release:

/etc/centos-release:CentOS Linux release 7.7.1908 (Core)
/etc/op5-monitor-release:VERSION=8.1.2
[...]

Now you can navigate in this file in the same way. When you have inspected the file, close the buffer with [:q + ENTER] and you will get back to the list of files. When you have inspected all files, do [:q + ENTER] one last time to get back to the shell.

The inspection happens without extracting the file to disk and is very handy to skim the contents of all files. However, it's not possible to edit the files in this way.

Inspecting the archive using tar and less

If vim is not an option for you, the best choice would be to use tar and less to inspect the files.

First, to get a simple list of all files in the archive, do:

# tar tvf /tmp/ist-123456_2020-04-27T093601Z.tar.xz 
drwxr-xr-x root/root 0 2020-04-27 11:39 ist-123456_2020-04-27T093601Z/
drwxr-xr-x root/root 0 2020-04-27 11:36 ist-123456_2020-04-27T093601Z/master01/
drwxr-xr-x root/root 0 2020-04-27 11:36 ist-123456_2020-04-27T093601Z/master01/etc/
drwxr-xr-x root/root 0 2020-04-27 11:36 ist-123456_2020-04-27T093601Z/master01/etc/cron.d/
[...]

This will print all files in the archive without extracting them. Then, if you wish to inspect a single file, do:

# tar xfO <archive-name> <file-name> | less

The O option extracts a file to stdout instead of extracting it to the disk, allowing us to pipe it directly to less.

Note that the filename starts with "ist-123456" in our example. The full command to show the directory-list file for master01 in less:

# tar xfO /tmp/ist-123456_2020-04-27T093601Z.tar.xz ist-123456_2020-04-27T093601Z/master01/directory-list-master01.txt | less

In this way, you can inspect any file in the archive without first having to decompress the whole archive.