Solved: Log spammed with "secd.authsys.lookup.failed"

gfz-marco · ‎2018-09-07

Hello

Recently our logs get spammed with "secd.authsys.lookup.failed" events on one of our nfs svms.

We can see that that an invalid UID is used but we can't see from which client.

How can we find the culprit, is this done by activating a security audit or is it hidden somewhere inside the logs?

Any tip would be appreciated.

Cheers

Marco

gfz-marco · ‎2018-11-16

After working for many days on this case with a netapp supporter, we could not find an "easy" way to identify these uids but i was presented with a workaround.

This involves a tcpdump on a node and filtering through the tracefile with wireshark.

Not really what i was looking for but this works for now and the supporter even created a feature request from our findings.

We'll see how that comes out...

I would say that they care at netapp, but it involves work on both sides.

View solution in original post

gfz-marco · ‎2018-09-18

Since we get around 1500-2000 events per day, i've opened a case now.

Lets wait and see about the outcome...

moep · ‎2018-09-28

I have seen similar events in the past and opened a case as well. NetApp is unable to identify the source because there is no logging of the client address. Also there is no auditing for NFSv3 access available. The log messages are completely useless this way. I complained about it, but as usual nobody cares at NetApp.

gfz-marco · ‎2018-11-16

After working for many days on this case with a netapp supporter, we could not find an "easy" way to identify these uids but i was presented with a workaround.

This involves a tcpdump on a node and filtering through the tracefile with wireshark.

Not really what i was looking for but this works for now and the supporter even created a feature request from our findings.

We'll see how that comes out...

I would say that they care at netapp, but it involves work on both sides.