How to collect a SECD trace
Applies to
ONTAP 9
Description
- While troubleshooting an authentication-related issue, it might be necessary to increase the verbosity of the Security Daemon (SECD).
- The following outlines the options associated with the diag-level trace command, along with their recommended usage.
- diag-level commands should only be used with the guidance of NetApp Support.
- By default, SECD logs only errors and failed RPC calls.
- Once troubleshooting is completed, clear the tracing.
- This ensures that no active trace is left running, which would add overhead to the system and keep writing verbose trace data into the SECD logs.
- To clear, on each node run trace clear with yes for every parameter that was set, for example:
::*> diag secd trace clear -node <node> -vserverids yes
Additional Information
- SECD tracing is a diag-level command, so these examples are not documented in any public-facing information.
- The following is an example of the command used to start the trace (read this document in its entirety to see all the options):
test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all yes
SECD trace setup basics:
- secd usage is restricted to the diag privilege level; set diag has to be invoked before you run the command.
- Command example:
test1::*> diag secd trace ?
clear *Clear Trace Options
set *Set Trace Options
show *Show Trace
- Confirm the current trace settings by using the show option.
- If a trace spec is already set (the show output lists parameters), use the clear option to remove all the current settings before starting.
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Trace spec has not been set.
- The following are the parameters available for use when setting up the trace.
- Note: The node is required whenever the set command is run:
test1::*> diag secd trace set ?
[-node] <nodename> *Node
[[-trace-all] {yes|no}] *Trace All RPCs
[ -vserverids <vserver>, ... ] *Id List
[ -ipaddrs <text>, ... ] *Address List
[ -domain-names <text>, ... ] *Domain List
[ -dc-names <text>, ... ] *DC List
[ -rpc-names <rpc_name>, ... ] *RPC List
[ -module-names <module_name>, ... ] *Module List
[ -trace-connectivity {yes|no} ] *Trace Connection Errors
- The following example sets a trace on the node test1-01, including a Storage Virtual Machine (SVM) called 'main'.
test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all yes
Trace spec is set successfully for trace-all Vservers.
- Examine the trace parameters:
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll: Tracing all RPCs
Vserver IDs: main
- Note: The commands associated with set are cumulative, and those associated with clear are subtractive.
- Therefore, building on the example above, restrict the capture to a specific domain by running the following command:
test1::*> diag secd trace set -node test1-01 -domain-names test
Trace spec is set successfully for domains.
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll: Tracing all RPCs
Domain names: test
Vserver IDs: main
- Note: The addition of the domain builds on the existing trace parameters containing the SVM ID, as does the addition of IP addresses to filter on, as shown below.
- Limit the trace to a specific set of IP addresses:
test1::*> diag secd trace set -node test1-01 -ipaddrs 10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13
Trace spec is set successfully for ipaddrs.
- The trace filter now includes SVM ID, domain, and a list of specific IP addresses:
test1::diag secd*> trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll: Tracing all RPCs
IP Addrs: 10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13
Domain names: test
Vserver IDs: main
- As stated above, the clear option is subtractive.
- As noted in the help context below, the input for each parameter is yes or no (clear that parameter or leave it), rather than a value:
test1::diag secd*> trace clear ?
[-node] <nodename> *Node
[[-trace-all] {yes|no}] *Clear Trace All
[ -vserverids {yes|no} ] *Clear VserverIds
[ -ipaddrs {yes|no} ] *Clear Ipaddrs
[ -domain-names {yes|no} ] *Clear Domains
[ -dc-names {yes|no} ] *Clear DC
[ -rpc-names {yes|no} ] *Clear RPC
[ -module-names {yes|no} ] *Clear Module
[ -trace-connectivity {yes|no} ] *Clear Trace Connection Errors
- Do not assume that the following command clears the entire trace spec. As the show output below demonstrates, it removes only the trace-all setting and leaves the SVM, domain and IP address filters in place, so ensure that you clear every entry you set.
- Note: Improperly clearing your parameters can cause issues with future log collection efforts:
test1::*> diag secd trace clear -node test1-01 -trace-all yes
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
IP Addrs: 10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13
Domain names: test
Vserver IDs: main
- The following syntax removes the trace entry completely:
test1::*> diag secd trace clear -node test1-01 -ipaddrs yes -domain-names yes -vserverids yes
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Trace spec has not been set.
Procedure - Actual trace collection:
- Using the information above, it is possible to set the trace parameters successfully.
- If you are not sure of the specific modules to key on, it is best to use the -trace-all yes setting to ensure that you capture as much data as possible.
- Perform the following steps:
- Prior to reproducing the issue, run the show command to verify the parameters and include them in the case data.
NOTE:
1) Ensure that tracing is only enabled for the duration of the reproduction. As soon as the reproduction completes, disable tracing.
2) It is essential to document all the information related to the reproduction.
Information such as time/date, username, IP addresses and who they belong to (client, LIF, DCs), filename, volume,
and share information will greatly assist in log analysis.
- For trace collection sequence, see the following example:
test1::> set d
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Trace spec has not been set.
test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all yes
Trace spec set successfully for trace-all, Vservers.
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll: Tracing all RPCs
Vserver IDs: main
- Completely clear all aspects of the trace once the activity is completed, then run the show command to verify that the trace has not been set:
test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all no
Trace spec set successfully for Vservers.
Trace spec cleared successfully for trace-all.
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Vserver IDs: main
test1::*> diag secd trace clear -node test1-01 -vserverids yes
test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Trace spec has not been set.
- Generate a Type All AutoSupport from both nodes (this uploads the SECD trace data):
::> autosupport invoke * -type all
Note: The user can also upload the secd logs (/etc/log/mlog) manually.
- For more information, see article: How to upload a file to NetApp
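The clear semantics described above (clear is subtractive, so clearing only -trace-all leaves the SVM, domain and IP filters in place) and the collection procedure both come down to the same check: read the show output and clear every parameter it lists, on every node. The following Python script is an added example, not part of this article and not NetApp tooling. It parses the Trace Spec table that diag secd trace show prints, builds the single trace clear command that removes everything it found, and reports which nodes still carry a spec. It only knows the four show labels that appear in this article (TraceAll, Vserver IDs, Domain names, IP Addrs); the other clear switches from the help text (-dc-names, -rpc-names, -module-names, -trace-connectivity) are real, but their show labels are not documented here, so any other line is reported for manual clearing rather than guessed. The sample outputs are constructed from the show examples in this article; the 'DC names' line is a hypothetical label used only to exercise that path.

```python
"""Build the exact 'diag secd trace clear' command from 'diag secd trace show' output.

Added example, not NetApp code. 'clear' is subtractive, so clearing only -trace-all
leaves the vserver/domain/IP filters behind; this reads the Trace Spec table and emits
one clear command with 'yes' for every parameter that is actually set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Show-output labels that appear in this article, mapped to their clear switches. The
# other clear switches from the help text (-dc-names, -rpc-names, -module-names,
# -trace-connectivity) exist, but their show labels are not documented here, so any
# other label is reported as unknown rather than guessed.
SHOW_LABEL_TO_CLEAR_SWITCH: Dict[str, str] = {
    "TraceAll": "-trace-all",
    "Vserver IDs": "-vserverids",
    "Domain names": "-domain-names",
    "IP Addrs": "-ipaddrs",
}
NOT_SET_MARKER = "Trace spec has not been set."


@dataclass
class TraceSpec:
    node: str
    settings: Dict[str, str] = field(default_factory=dict)  # label -> raw value
    unknown: List[str] = field(default_factory=list)        # lines we could not map

    def is_cleared(self) -> bool:
        return not self.settings and not self.unknown


def parse_trace_show(node: str, output: str) -> TraceSpec:
    """Parse the 'Trace Spec' table printed by 'diag secd trace show -node <node>'."""
    spec, in_table = TraceSpec(node=node), False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Trace Spec":
            in_table = True
            continue
        if not line or not in_table or set(line) == {"-"}:
            continue  # blank, prompt echo before the table, or the dashed separator
        if line == NOT_SET_MARKER:
            break  # nothing is set on this node
        label, sep, value = line.partition(":")
        if sep and label.strip() in SHOW_LABEL_TO_CLEAR_SWITCH:
            spec.settings[label.strip()] = value.strip()
        else:
            spec.unknown.append(line)
    if not in_table:
        raise ValueError(f"{node}: no 'Trace Spec' table in show output")
    return spec


def plan_clear(spec: TraceSpec) -> Optional[str]:
    """One clear command that removes every set parameter, or None if nothing is set."""
    if spec.is_cleared():
        return None
    if spec.unknown:
        raise ValueError(f"{spec.node}: unmapped Trace Spec lines, clear by hand: {spec.unknown}")
    switches = " ".join(f"{sw} yes" for label, sw in SHOW_LABEL_TO_CLEAR_SWITCH.items()
                        if label in spec.settings)
    return f"diag secd trace clear -node {spec.node} {switches}"


def nodes_still_tracing(show_by_node: Dict[str, str]) -> List[str]:
    """Nodes whose show output is anything other than 'Trace spec has not been set.'"""
    return [n for n, out in show_by_node.items() if not parse_trace_show(n, out).is_cleared()]


# Constructed samples, copied from the show outputs in this article.
HEADER = "Trace Spec\n---------------------------------------\n"
IPS = "10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13"
SAMPLE_FULL = ("test1::*> diag secd trace show -node test1-01\n" + HEADER +
               f"TraceAll: Tracing all RPCs\nIP Addrs: {IPS}\nDomain names: test\nVserver IDs: main\n")
# What is left after the incomplete 'trace clear -node test1-01 -trace-all yes'.
SAMPLE_AFTER_PARTIAL_CLEAR = HEADER + f"IP Addrs: {IPS}\nDomain names: test\nVserver IDs: main\n"
SAMPLE_CLEARED = HEADER + NOT_SET_MARKER + "\n"
# Hypothetical label that is not in this article, to exercise the unknown-line path.
SAMPLE_UNKNOWN_LABEL = HEADER + "DC names: dc1.test\n"

if __name__ == "__main__":
    for node, out in {"test1-01": SAMPLE_FULL, "test1-02": SAMPLE_CLEARED}.items():
        print(node, "->", plan_clear(parse_trace_show(node, out)))
```

In practice, paste each node's show output into parse_trace_show, run the command plan_clear returns at the diag prompt, then re-run show and confirm nodes_still_tracing is empty before invoking the AutoSupport. The unknown-line path deliberately raises instead of guessing a switch, since a wrong or partial clear is exactly the failure mode the show output in this article demonstrates.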