ONTAP Discussions

remove CIFS error from event log ?

Greg_Wilson
5,327 Views

Is there any way to remove failed CIFS events out of the event logs ?

 

when i run event log show i get a lof of CIFS login errors.

 

ERROR secd.cifsAuth.problem: vserver (vs1) General CIFS authentication problem. Error: User authentication procedure failed

CIFS SMB2 Share mapping - Client Ip = 10.xx.xx.xx
[ 0 ms] Login attempt by domain user 'Lxxxxxxxxx3\Administrator' using NTLMv2 style security
[ 0] Using a cached connection to lxxxxxxxx3.ap.xxxxx.com
[ 2] Authentication failed with DC LXXXXXXXX3. Not retriable. (Status: 0xc0000064)
[ 2] Login attempt by local user 'LXXXXXXXXX3\Administrator' using NTLMv2 style security
**[ 2] FAILURE: CIFS authentication failed

 

Details
Event:
secd.cifsAuth.problem: vserver (vs1) General CIFS authentication problem. Error: User authentication procedure failed CIFS SMB2 Share mapping - Client Ip = 10.xx.xx.xx [ 0 ms] Login attempt by domain user 'LXXXXXXXX3\Administrator' using NTLMv2 style security [ 0] Using a cached connection to lxxxxxxx3.ap.xxx.xxx [ 2] Authentication failed with DC Lxxxxxxxx3. Not retriable. (Status: 0xc0000064) [ 2] Login attempt by local user 'LXXXXXXXX3\Administrator' using NTLMv2 style security **[ 2] FAILURE: CIFS authentication failed
Message Name:
secd.cifsAuth.problem
Sequence Number:
273996
Description:
This message occurs when a CIFS authentication attempt fails for any reason other than an unknown user name or bad password.
Action:
Examine the failure details to determine corrective action. Common failures include the inability to communicate with domain controllers, NIS servers, or LDAP servers due to connectivity or configuration problems.

 

We get our support desk to login and check of there are errors and there are lots of these

 

Any ideas how to remove these ?

 

can i edit the event catalog and change this to an Alert ?

 


Message Name: secd.cifsAuth.problem
Severity: ERROR
Description: This message occurs when a CIFS authentication attempt fails for any reason other than an unknown user name or bad password.
Corrective Action: Examine the failure details to determine corrective action. Common failures include the inability to communicate with domain controllers, NIS servers, or LDAP servers due to connectivity or configuration problems.
SNMP Trap Type: Severity-based
Is Deprecated: false

 

 

3 REPLIES 3

Ontapforrum
5,272 Views

Hi,

 

These are internal system generated EVENTS, categorized according to its severity. I don't think they are modifiable. You can only create custom filters for notifications but that will not serve your purpose.

 

::> event catalog show -message-name secd.cifsAuth.problem
Severity: ERROR


If it's not bothering you, then simply ignore it. We see number of such errors on our  cDOT logged everyday for various reasons such as : Local account trying to authenticate with Domain and hence falling back on NTLM authentication method. This is just one example, but the suggestion here is : If it's NOT a concern , then simply ignore it or if the users are experiecing issues with CIFS logging then troubleshoot it.

 

Some info for reference:
secd.log location :/mroot/etc/log/mlog

 

To filter events specific to secd:
:*> event log show -messagename secd.*

 

Most recommended article:

Troubleshooting Workflow: CIFS Authentication failures:
https://kb.netapp.com/app/answers/answer_view/a_id/1006780

 

Thanks!

GidonMarcus
5,258 Views

Hi,

 

I'm missing the ONTAP version in your message. See this thread please with a few possible bugs:

https://community.netapp.com/t5/Data-ONTAP-Discussions/secd-conn-auth-failure/td-p/138189

 

In short- upgrade to the latest is recommended, if the issue persists you'll better open ticket with support to find the root cause for your environment.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

paul_stejskal
5,211 Views

Do you know WHY you're getting a bunch of authentication errors? It might be good to make sure you know why and it's expected before you just ignore it.

Public