RPM Install Timeline Report

System Package Timeline

What packages where installed last? When exactly and in what sequence?

What just happened with this server anyway . . . I bet someone installed something . . .

Sure, yum.log show things installed with yum, but excludes manually installed RPMs, frequently the cause of the trouble now. Or maybe the yum.log is gone or you don't trust it. Perhaps some script kiddie just rooted the box and RPM installed some interesting things, etc. Maybe some RPMs were just updated but not using yum, etc.

My Timeline Vision

I wanted to make a command that would show, in reverse sequence by year, then month, day, and time (all in correct order with no jumping around, in actual complete reverse chronological order) all RPMs installed on a system. By looking at the head of this output, you could see exactly what RPMs had been recently installed, going backward in time day by day and hour by hour to the original system install if necessary. The idea was to create a complete RPM install time line and have it show all installs relative to each other with no anarchronisms.

It was a bit trickier than I thought to get the sort order correct, but after playing with the arguments I had it worked out.

Also fun was using the RPM query tags feature --qf so I could select out only the attributes I wanted displayed - the RPM name, version and date of install - ignoring all else for a very concise list.

This does the trick:

Callandor:~ # rpm -qa --qf '%{installtime:date} Installed: %{name} %{version} \n' |awk '{print $5, $2, $3, $1, $4, $6, $7, $8}' | sort -k 1,1nr -k 2,2Mr -k 3,3nr -k5,5dr | head -10

NOTE - DATE FORMAT:

See the section below on date format - this assumes you are using POSIX dates and times. If you are not, then the above will likely not work and you will get no output. Change your environment variables to POSIX or modify the awk statement for your environment.

This will list every single RPM install registered in the database in reverse sequence:

2008 May 30 Fri 18:12:49 Installed: yum-utils 1.1.6
2008 May 29 Thu 20:39:36 Installed: yumex 1.9.11
2008 May 29 Thu 20:39:33 Installed: yum 3.2.4
2008 May 29 Thu 20:39:30 Installed: yum-metadata-parser 1.1.2
2008 May 29 Thu 20:39:28 Installed: python-urlgrabber 3.1.0
2008 May 29 Thu 20:36:54 Installed: ettercap-NG 0.7.3
2008 May 29 Thu 20:35:52 Installed: libexpat0 1.95.8
2008 May 29 Thu 20:33:50 Installed: libnet 1.1.2.1
2008 May 29 Thu 20:19:54 Installed: knockd 0.5
2008 May 29 Thu 20:19:52 Installed: knock 0.5

The POSIX sort tags are explained here:

-k 1,1nr = Sort first on field one (year) (n)umerically (r)everse order

-k 2,2Mr = Sort next by field two (month) - but not alphabetically (not Apr, July, June, May) but rather in (M)onth order, but again (r)eversed - so nice of them to include a month sorting feature

-k 3,3nr = Sort next by field three (day) again in (numeric) order and (reversed) - puts all days in actual calendar order

-k 5,5dr = Sort install time as (d) phone book style processing - ignore anything other than numbers and letters, so ignore the : seperator and (r)everse the order - this allows the install time to be sorted correctly down to the hour, minute and second level. (Actually you don't need to specify the -k5,5 part; just a closing -dr argument will do.)

http://webtools.live2support.com/linux/sort.php

Had the magic missing pieces that helped to figure this out.

Filtering Specific Packages

You can easily add additional grep statements to focus on specific packages, rather than all installed RPMs. Here we select out any package having to do with MySQL regardless of the case of the package name, last years on bottom - recent months on top:

Callandor:/ # rpm -qa --qf '%{installtime:date} Installed: %{name} %{version}\n' |awk '{print $5, $2, $3, $1, $4, $6, $7, $8}' |grep -i mysql |sort -k 1,1nr -k 2,2Mr -k 3,3nr -k5,5dr | head -40

This adds the package version number and greps my any MySQL packages:

2008 Apr 15 Tue 22:06:49 Installed: bytefx-data-mysql 1.2.5
2008 Feb 12 Tue 23:52:08 Installed: mysql 5.0.45
2008 Feb 12 Tue 23:51:05 Installed: mysql-client 5.0.45
2008 Feb 12 Tue 23:43:39 Installed: libmysqlclient_r15 5.0.45
2008 Feb 12 Tue 23:43:33 Installed: libmysqlclient15 5.0.45
2008 Jan 23 Wed 10:45:33 Installed: php5-mysql 5.2.5
2007 Oct 28 Sun 13:18:54 Installed: mysql-administrator 5.0r12
2007 Oct 28 Sun 13:17:21 Installed: mysql-gui-tools 5.0r12

RPM Query Tags

You can easily add more fields from the RPM database using query tags. Here I am only using %{installtime} %{name} and %{version} however there are dozens of tags to pick from in the RPM database. You can create some pretty customized reports with them. To see all the tags available: rpm --quarytags

Some tags return arrays, which can be iterated through by enclosing the query in square brackets:

rpm -q --qf "[%{filenames} %{FILEMD5S}\n]" apache2

For more information on query tags and formats see here and here

Date Format

If the above example does not execute for you, ensure your date format is set to POSIX and not UTF8. I am using POSIX dates to have the month name displayed, etc. Otherwise the awk command will filter on the wrong fields and you will get no output.

Check your Bash environment variable, usually called $LANG (or $LC_TIME) to see your current setting, #echo $LANG or #echo LC_TIME. Set it temporarily with #export LANG=POSIX. To make the change permenant add this line to your .bashrc file in your home directory.

The difference is illustrated here:

-rw-r----- 1 root root 460K May 31 15:21 messages
This is POSIX date format

-rw-r-----  1 root root 460K 2008-05-31 15:21 messages
This is UTF8 date format

Some great commands for environmental commands are: