Hi,
This is a very generic error which simply means 'An attempt is made to access the appliance by using invalid authentication credentials'.
1) Could be someone is attempting to access cluster using wrong credentials.
2) Could be someone changed the Cluster password, and/or someone or any NetApp/third-party Plug-in is still trying to access using old credentials. As you said, filer are upgraded (switched cluster?, is ontapi trying to access anything) so possibilities could be a lot.
Try '-instance' switch, see if it gives any further info:
::> event log show -message-name *security* -instance
Check the pattern (event time), is it doing at certain hour/minute or it's random.
If event log does not give much in-roads, then go to cluster logs:
https:<clust_mgmt_LIF>/spi/<node>/etc/log/mlog/
look for "mgwd" logs, open the log for the corresponding date/time since it's been generating. Go to specific date/time event and see why is it complaining. Once you get a clue, you can work accordingly.
Thanks!