Shell script to extract required files in case of an osquery related issue on linux endpoint

If an endpoint has a problem caused by osquery, collect every relevant log in one go, with a single command or script, so that nothing is missed. Either of the following works:
  1. Run the following command on the endpoint. It creates one archive containing the osquery logs, syslog, core dumps, dmesg output and crash reports from the Linux machine:
    tar -czf backup_logs.tar.gz --ignore-failed-read /var/log/osquery/osquery* /var/log/messages* /var/lib/systemd/coredump /var/log/dmesg /var/crash
  Run it as root (sudo), because most of these files are not readable by an ordinary user. --ignore-failed-read keeps GNU tar from exiting non-zero when one of the listed paths is missing, which is common: on Debian/Ubuntu the syslog is /var/log/syslog rather than /var/log/messages, /var/crash exists only where a crash handler is installed, and on systemd hosts /var/log/dmesg is often absent (redirect the output of dmesg to a file and add that file instead). Core dumps contain process memory, so treat the archive as sensitive, keep its permissions restricted and share it only over an approved channel.
  2. Alternatively, run the shell script below. It creates the same kind of ".tar.gz" archive, but stages the files first, handles both syslog locations, falls back to the live kernel ring buffer when /var/log/dmesg is missing, and reports which categories were not found:
      #!/bin/bash
      # Collect osquery logs, syslog, core dumps, crash reports and kernel messages
      # from a Linux endpoint into one .tar.gz for troubleshooting an osquery issue.
      set -u

      ARCHIVE_NAME="backup_logs.tar.gz"
      OSQUERY_LOGS_DIR="/var/log/osquery"
      CORE_DUMP_DIR="/var/lib/systemd/coredump"
      CRASH_DIR="/var/crash"
      DMESG_FILE="/var/log/dmesg"

      # Most of these files are only readable by root.
      if [ "$(id -u)" -ne 0 ]; then
        echo "Please run this script as root (sudo)." >&2
        exit 1
      fi

      # Stage into an unpredictable directory. A fixed path such as /tmp/backup_logs
      # could be pre-created or symlinked by another local user before root runs
      # this script, which would redirect both the copies and the final rm -rf.
      TEMP_DIR="$(mktemp -d /tmp/backup_logs.XXXXXX)"
      trap 'rm -rf "$TEMP_DIR"' EXIT

      # copy_glob LABEL DEST PATTERN... : copy every existing match, report if none.
      copy_glob() {
        label="$1"; dest="$2"; shift 2
        found=0
        for f in "$@"; do
          [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
          mkdir -p "$dest" && cp -a "$f" "$dest/" && found=1
        done
        [ "$found" -eq 1 ] || echo "No $label found."
      }

      # osquery logs, including rotated ones (osqueryd.INFO, osqueryd.results.log, ...)
      copy_glob "osquery logs" "$TEMP_DIR/osquery" "$OSQUERY_LOGS_DIR"/osquery*

      # Syslog: /var/log/messages on RHEL-style systems, /var/log/syslog on
      # Debian/Ubuntu. Rotated copies (messages-YYYYMMDD, syslog.1, *.gz) are included.
      copy_glob "syslog file" "$TEMP_DIR/syslog" /var/log/messages* /var/log/syslog*

      # Core dumps and crash reports can be large and contain process memory;
      # handle the resulting archive as sensitive.
      copy_glob "core dumps" "$TEMP_DIR/coredump" "$CORE_DUMP_DIR"/*
      copy_glob "crash reports" "$TEMP_DIR/crash" "$CRASH_DIR"/*

      # Kernel messages: /var/log/dmesg is often absent on systemd hosts, so fall
      # back to the current kernel ring buffer.
      if [ -f "$DMESG_FILE" ]; then
        cp -a "$DMESG_FILE" "$TEMP_DIR/"
      else
        echo "Dmesg file not found; capturing the current kernel ring buffer instead."
        dmesg > "$TEMP_DIR/dmesg" 2>/dev/null || echo "dmesg command failed."
      fi

      tar -czf "$ARCHIVE_NAME" -C "$TEMP_DIR" .
      chmod 600 "$ARCHIVE_NAME"    # the archive may contain memory dumps and host details

      echo "Backup completed: $ARCHIVE_NAME"

The same script is also included as an attachment.
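Before the archive is sent on for analysis, it is worth confirming that every category actually made it in and recording a digest, so the analyst can tell a complete, unmodified bundle from a partial one. The script below is an added example and is not part of the original page or of osquery; the function names verify_bundle, bundle_digest and build_sample_bundle are chosen here, and the sample bundle it builds for its self-check contains constructed one-line placeholders, not real endpoint logs. The category patterns correspond to the paths the tar command above collects.

```shell
#!/bin/bash
# Added example (not from the original page): check a collected log bundle
# before it leaves the endpoint. verify_bundle confirms every expected
# category is present in the archive listing and bundle_digest records a
# SHA-256 so the recipient can confirm the file arrived unmodified.
# build_sample_bundle creates constructed placeholder data for the self-check;
# it is not real endpoint output.
set -u

# Categories the page's tar command collects, matched as substrings of the
# archive listing so they work for both "var/log/osquery/osqueryd.INFO"
# (tar on absolute paths) and "./osquery/osqueryd.INFO" (tar -C staging dir).
EXPECTED_CATEGORIES="osquery/osquery messages coredump dmesg"

# verify_bundle ARCHIVE [PATTERN...]
# Prints one status line per pattern. Returns 0 if all are present,
# 1 if any is missing, 2 if the archive cannot be listed.
verify_bundle() {
    archive="$1"; shift
    listing=$(tar -tzf "$archive" 2>/dev/null) || return 2
    [ $# -gt 0 ] || set -- $EXPECTED_CATEGORIES
    missing=0
    for pattern in "$@"; do
        if printf '%s\n' "$listing" | grep -q -- "$pattern"; then
            echo "ok       $pattern"
        else
            echo "MISSING  $pattern"
            missing=1
        fi
    done
    return "$missing"
}

# bundle_digest ARCHIVE : print the SHA-256 hex digest (coreutils sha256sum,
# or shasum where coreutils is not installed).
bundle_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_sample_bundle : print the path of a .tar.gz laid out like the page's
# script output, filled with constructed one-line placeholders.
build_sample_bundle() {
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/osquery" "$stage/coredump"
    echo 'I0101 00:00:00.000000 1 osqueryd started (constructed)' > "$stage/osquery/osqueryd.INFO"
    echo 'Jan  1 00:00:01 host osqueryd[1]: constructed syslog line' > "$stage/messages"
    echo 'constructed placeholder, not a real core file' > "$stage/coredump/core.osqueryd.0"
    echo '[    0.000000] constructed dmesg line' > "$stage/dmesg"
    archive="$stage.tar.gz"
    tar -czf "$archive" -C "$stage" . && rm -rf "$stage"
    echo "$archive"
}

# Self-check on the constructed sample; returns verify_bundle's status.
demo() {
    bundle=$(build_sample_bundle) || return 2
    verify_bundle "$bundle" && status=0 || status=$?
    echo "sha256: $(bundle_digest "$bundle")  $bundle"
    rm -f "$bundle"
    return "$status"
}

# With an archive path as the only argument, check that archive;
# with no argument, run the self-check on the constructed sample.
case "${1:-}" in
    "") demo ;;
    *)  verify_bundle "$1" && echo "sha256: $(bundle_digest "$1")  $1" ;;
esac
```

Run it with the collected archive as its only argument (for example bash check_bundle.sh backup_logs.tar.gz); a non-zero exit means a category is missing and the collection should be re-run before the archive is shared. Record the printed SHA-256 alongside the ticket so the recipient can compare it after transfer. Add further patterns as arguments (for example var/crash) when the collection is expected to contain them.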