This section lists the specific options you can use with the SoS utility.

For information about collecting log files using the SoS utility, see Collect Logs for Your VMware Cloud Foundation System.

SoS Utility Help Options

Use these options to see information about the SoS utility itself. For these options, SSH in to the SDDC Manager VM using the vcf user account and enter the following command:
sudo /opt/vmware/sddc-support/sos --option-name
Enter the vcf password when prompted.
Option Description

--help

-h

Provides a summary of the available SoS utility options.

--version

-v

Provides the SoS utility's version number.

SoS Utility Generic Options

These are generic options for the SoS utility. For these options, SSH in to the SDDC Manager VM using the vcf user account and enter the following command:
sudo /opt/vmware/sddc-support/sos --option-name
Enter the vcf password when prompted.
Option Description
--history Displays the last 20 SoS operations performed.
--force
Allows SoS operations to be performed while workflows are running.
Note: It is recommended that you do not use this option.
--configure-sftp Configures SFTP for logs.
--setup-json SETUPJSON

Custom setup-json file for log collection.

SoS prepares the inventory automatically based on the environment where it is running. If you want to collect logs for a pre-defined set of components, you can create a setup.json file and pass the file as input to SoS. A sample JSON file is available on the SDDC Manager appliance at /opt/vmware/sddc-support/setup.sample.json.
--log-folder LOGFOLDER Specifies the name of the log directory.
--log-dir LOGDIR Specifies the directory to store the logs.
--enable-stats Activates SoS execution stats collection.
--debug-mode Runs the SoS utility in debug mode.
--zip Creates a zipped TAR file for the output.
--short Displays detailed health results only for failures and warnings.
--domain-name DOMAINNAME

Specify the name of the workload domain on which to perform the SoS operation.

To run the operation on all workload domains, specify --domain-name ALL.

Note:

If you omit the --domain-name flag and workload domain name, the SoS operation is performed only on the management domain.

You can combine --domain-name with --clusternames to further limit the scope of an operation. This can be useful in a scaled environment with a large number of ESXi hosts.

--clusternames CLUSTERNAMES

Specify the vSphere cluster names associated with a workload domain for which you want to collect ESXi and Workload Management (WCP) logs.

Enter a comma-separated list of vSphere clusters. For example, --clusternames cluster1, cluster2.

Note:

If you specify --domain-name ALL then the --clusternames option is ignored.

--skip-known-host-check Skips the SSL thumbprint check for the host in the known hosts.
--include-free-hosts Collects logs for free ESXi hosts, in addition to in-use ESXi hosts.
--include-precheck-report This option runs LCM upgrade prechecks and includes the LCM upgrade prechecks run report in SoS health check operations.

SoS Utility VMware Cloud Foundation Summary Options

These options provide summary details of the SDDC Manager instance, including components, services, and tasks. For these options, SSH in to the SDDC Manager VM using the vcf user account and enter the following command:
sudo /opt/vmware/sddc-support/sos --option-name
Enter the vcf password when prompted.
Option Description
--get-vcf-summary Returns information about your VMware Cloud Foundation system, including CEIP, workload domains, vSphere clusters, ESXi hosts, licensing, network pools, SDDC Manager, and VCF services.
--get-vcf-tasks-summary Returns information about VMware Cloud Foundation tasks, including the time the task was created and the status of the task.
--get-vcf-services-summary Returns information about SDDC Manager uptime and when VMware Cloud Foundation services (for example, LCM) started and stopped.

SoS Utility Fix-It-Up Options

Use these options to manage ESXi hosts and vCenter Servers, including enabling SSH and locking down hosts. For these options, SSH in to the SDDC Manager VM using the vcf administrative user account, enter su to switch to the root user, navigate to the /opt/vmware/sddc-support directory, and type the following command:
./sos --option-name
Note:

For Fix-It-Up options, if you do not specify a workload domain, the command affects only the management domain.

Option Description

--enable-ssh-esxi

Enables SSH on all ESXi nodes in the specified workload domains.

  • To enable SSH on ESXi nodes in a specific workload domain, include the flag --domain-name DOMAINNAME.
  • To enable SSH on ESXi nodes in all workload domains, include the flag --domain-name ALL.

--disable-ssh-esxi

Deactivates SSH on all ESXi nodes in the specified workload domains.

  • To deactivate SSH on ESXi nodes in a specific workload domain, include the flag --domain-name DOMAINNAME.
  • To deactivate SSH on ESXi nodes in all workload domains, include the flag --domain-name ALL.

--enable-ssh-vc

Enables SSH on vCenter Servers in the specified workload domains.

  • To enable SSH on vCenter in a specific workload domain, include the flag --domain-name DOMAINNAME.
  • To enable SSH on vCenter Servers in all workload domains, include the flag --domain-name ALL.

--disable-ssh-vc

Deactivates SSH on vCenter Servers in the specified workload domains.

  • To deactivate SSH on vCenter Server in a specific workload domain, include the flag --domain-name DOMAINNAME.
  • To deactivate SSH on vCenter Servers in all workload domains, include the flag --domain-name ALL.

--enable-lockdown-esxi

Applies normal lockdown mode on all ESXi nodes in the specified workload domains.

  • To enable lockdown on ESXi nodes in a specific workload domain, include the flag --domain-name DOMAINNAME.
  • To enable lockdown on ESXi nodes in all workload domains, include the flag --domain-name ALL.

--disable-lockdown-esxi

Deactivates normal lockdown mode on ESXi nodes in the specified workload domains.

  • To deactivate lockdown on ESXi nodes in a specific workload domain, include the flag --domain-name DOMAINNAME.
  • To deactivate lockdown on ESXi nodes in all workload domains, include the flag --domain-name ALL.
--ondemand-service ONDEMANDSERVICE Executes commands on ESXi hosts, vCenter Servers, or SDDC Manager entities for a given workload domain. Specify the workload domain using --domain-name DOMAINNAME.

Replace ONDEMANDSERVICE with the path to a .yml input file. (Sample file available at: /opt/vmware/sddc-support/ondemand_command_sample.yml).

Warning: Contact Broadcom Support before using this option.
--ondemand-service JSON file path Include this flag to execute commands in the JSON format on all ESXi hosts in a workload domain. For example, /opt/vmware/sddc-support/<JSON file name>
--refresh-ssh-keys Refreshes the SSH keys.

SoS Utility Health Check Options

These SoS commands are used for checking the health status of various components or services, including connectivity, compute, storage, database, workload domains, and networks. For these options, SSH in to the SDDC Manager VM using the vcf user account and enter the following command:
sudo /opt/vmware/sddc-support/sos --option-name
Enter the vcf password when prompted.

A green status indicates that the health is normal, yellow provides a warning that attention might be required, and red (critical) indicates that the component needs immediate attention.

Option Description
--health-check

Performs all available health checks.

Can be combined with --run-vsan-checks. For example:
sudo /opt/vmware/sddc-support/sos --health-check --run-vsan-checks
--connectivity-health

Performs connectivity checks and validations for SDDC resources (NSX Managers, ESXi hosts, vCenter Servers, and so on). This check performs a ping status check, SSH connectivity status check, and API connectivity check for SDDC resources.

--services-health

Performs a services health check to confirm whether services within the SDDC Manager (like Lifecycle Management Server) and vCenter Server are running.

--compute-health

Performs a compute health check, including ESXi host licenses, disk storage, disk partitions, and health status.

--storage-health

Performs a check on the vSAN disk health of the ESXi hosts and vSphere clusters.

Can be combined with --run-vsan-checks. For example:
sudo /opt/vmware/sddc-support/sos --storage-health --run-vsan-checks
--run-vsan-checks This option cannot be run on its own and must be combined with --health-check or --storage-health.

Runs a VM creation test to verify the vSAN cluster health. Running the test creates a virtual machine on each host in the vSAN cluster. The test creates a VM and deletes it. If the VM creation and deletion tasks are successful, assume that the vSAN cluster components are working as expected and the cluster is functional.

Note: You must not conduct the proactive test in a production environment as it creates network traffic and impacts the vSAN workload.
--ntp-health

Verifies whether the time on the components is synchronized with the NTP server in the SDDC Manager appliance. It also ensures that the hardware and software time stamp of ESXi hosts are within 5 minutes of the SDDC Manager appliance.

--dns-health Performs a forward and reverse DNS health check.
--general-health

Checks ESXi for error dumps and gets NSX Manager and cluster status.

--certificate-health

Verifies that the component certificates are valid and reports when they expire.

  • GREEN: Certificate expires in more than 30 days.
  • YELLOW: Certificate expires in 15-30 days.
  • RED: Certificate expires in less than 15 days.
--get-host-ips

Returns host names and IP addresses of ESXi hosts.

--get-inventory-info

Returns inventory details for the VMware Cloud Foundation components, such as vCenter Server, NSX, SDDC Manager, and ESXi hosts. Optionally, add the flag --domain-name ALL to return details for all workload domains.

--password-health
Checks the status of passwords across VMware Cloud Foundation components. It lists components with passwords managed by VCF, the date a password was last changed, the password expiration date, and the number of days until expiration.
  • GREEN: Password expires in more than 15 days.
  • YELLOW: Password expires in 5-15 days.
  • RED: Password expires in less than 5 days.
--hardware-compatibility-report Validates ESXi hosts and vSAN devices and exports the compatibility report.
--version-health This operation checks the version of BOM components (vCenter Server, NSX, ESXi, and SDDC Manager). It compares the SDDC Manager inventory, the actual installed BOM component version, and the BOM component versions to detect any drift.
--json-output-dir JSONDIR Outputs the results of any health check as a JSON file to the specified directory, JSONDIR.

Example Health Check Commands:

  • Check the password health on the management domain only:
    ./sos --password-health
  • Check the connectivity health for all workload domains:
    ./sos --connectivity-health --domain-name ALL
  • Check the DNS health for the workload domain named sfo-w01:
    ./sos --dns-health --domain-name sfo-w01
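
Several options on this page carry combination or scope rules (--run-vsan-checks, --clusternames with --domain-name ALL, the default management-domain scope, --force, and the SSH and lockdown Fix-It-Up options). The following preflight check for an SoS argument list is an added example, not part of the original documentation or VMware's code; the helper name sos_preflight and its message wording are assumptions, and it never runs sos itself.

```bash
#!/usr/bin/env bash
# Added example (not VMware code): lint an SoS argument list against the
# rules stated on this page. sos_preflight is a hypothetical helper name.
sos_preflight() {
  local prev="" a domain="" clusters=0 vsan=0 parent=0 force=0 skiphk=0 posture="" rc=0
  for a in "$@"; do
    if [ "$prev" = "--domain-name" ]; then domain="$a"; fi
    case "$a" in
      --clusternames)                  clusters=1 ;;
      --run-vsan-checks)               vsan=1 ;;
      --health-check|--storage-health) parent=1 ;;
      --force)                         force=1 ;;
      --skip-known-host-check)         skiphk=1 ;;
      --enable-ssh-esxi|--enable-ssh-vc|--disable-lockdown-esxi)
                                       posture="$posture $a" ;;
    esac
    prev="$a"
  done
  # Invalid combination: the page says this option cannot be run on its own.
  if [ "$vsan" -eq 1 ] && [ "$parent" -eq 0 ]; then
    echo "ERROR: --run-vsan-checks requires --health-check or --storage-health"
    rc=1
  fi
  if [ "$vsan" -eq 1 ]; then
    echo "WARN: --run-vsan-checks creates a test VM on each vSAN host; not for production"
  fi
  if [ "$force" -eq 1 ]; then
    echo "WARN: --force runs while workflows are running; not recommended"
  fi
  if [ "$skiphk" -eq 1 ]; then
    echo "WARN: --skip-known-host-check skips the SSL thumbprint check"
  fi
  if [ "$clusters" -eq 1 ] && [ "$domain" = "ALL" ]; then
    echo "WARN: --clusternames is ignored with --domain-name ALL"
  fi
  if [ -z "$domain" ]; then
    echo "INFO: no --domain-name given; only the management domain is affected"
  fi
  # Options that open SSH or lift lockdown: surface them with their scope for review.
  if [ -n "$posture" ]; then
    echo "REVIEW:$posture (scope: ${domain:-management domain})"
  fi
  return "$rc"
}

# Constructed sample invocation, checked but not executed.
sos_preflight --enable-ssh-esxi --domain-name ALL --clusternames cluster1
```

A non-zero return marks a combination the page states is invalid; WARN, INFO and REVIEW lines are advisory and leave the return code at 0.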