NetApp Knowledge Base

How to collect a SECD trace

Category: ontap-9
Specialty: nas

Applies to

ONTAP 9

Description

  • While troubleshooting an authentication-related issue, it might be necessary to increase the verbosity of the Security Daemon (SECD).
  • The following outlines the options associated with the diag-level command, along with its recommended usage.
    • Diag-level commands should only be used with the guidance of NetApp Support.
    • By default, SECD logs only errors and failed RPC commands.
      • Once troubleshooting is completed, clear the tracing.
      • This ensures that no active trace is left running and adding overhead on the system.
      • To clear, perform the following for all nodes: ::*> diag secd trace clear -node <node> -vserverids yes

Additional Information

  • SECD is a diag command, so these examples are not documented in any public-facing information.
    • Read this document in its entirety to see all the different options.
    • This is an example of the command that sets the trace:

test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all yes

SECD trace setup basics:

  • SECD usage is restricted to the diag privilege level.
  • set diag has to be invoked before you run the command.
    • Command example:

test1::*> diag secd trace ?
clear                       *Clear Trace Options
set                         *Set Trace Options
show                        *Show Trace

  • Confirm the current trace settings by using the show option.
    • If the trace settings match the parameters, use the clear option to remove all the current settings.    

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------

Trace spec has not been set.

  • The following are the parameters available for use when setting up the trace. 
    • Note: The node is required whenever the set command is run: 

test1::*> diag secd trace set ?
   [-node] <nodename>                   *Node
  [[-trace-all] {yes|no}]               *Trace All RPCs
  [ -vserverids <vserver>, ... ]        *Id List
  [ -ipaddrs <text>, ... ]              *Address List
  [ -domain-names <text>, ... ]         *Domain List
  [ -dc-names <text>, ... ]             *DC List
  [ -rpc-names <rpc_name>, ... ]        *RPC List
  [ -module-names <module_name>, ... ]  *Module List
  [ -trace-connectivity {yes|no} ]      *Trace Connection Errors

  • The following example sets a trace on the node test1-01, including a Storage Virtual Machine (SVM) called 'main'. 

test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all yes
Trace spec is set successfully for trace-all Vservers.

  • Examine the trace parameters:

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
Vserver IDs:                  main

  • Note:
    • The commands associated with 'set' are cumulative, and those associated with 'clear' are subtractive.
    • Therefore, building on the example above, restrict the capture to a specific domain by running the following command:

test1::*> diag secd trace set -node test1-01 -domain-names test
Trace spec is set successfully for domains.

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
Domain names:                 test
Vserver IDs:                  main

  • Note:
    • Adding the domain builds on the existing trace parameters, which already contain the SVM ID. Adding IP addresses to filter on works the same way, as shown below.
    • Limit the trace to a specific set of IP addresses:

test1::*> diag secd trace set -node test1-01 -ipaddrs 10.10.10.10,10.10.10.11,10.10.10.12,10.10.10.13
Trace spec is set successfully for ipaddrs.

  • The trace filter now includes SVM ID, domain, and a list of specific IP addresses: 

test1::diag secd*> trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
IP Addrs:                     10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13 
Domain names:                 test
Vserver IDs:                  main

  • As stated above, the clear option is subtractive.
    • As the help output below shows, each parameter of the clear option takes either 'yes' or 'no' as its input.

test1::diag secd*> trace clear ?
   [-node] <nodename>               *Node
  [[-trace-all] {yes|no}]           *Clear Trace All
  [ -vserverids {yes|no} ]          *Clear VserverIds
  [ -ipaddrs {yes|no} ]             *Clear Ipaddrs
  [ -domain-names {yes|no} ]        *Clear Domains
  [ -dc-names {yes|no} ]            *Clear DC
  [ -rpc-names {yes|no} ]           *Clear RPC
  [ -module-names {yes|no} ]        *Clear Module
  [ -trace-connectivity {yes|no} ]  *Clear Trace Connection Errors

  • Assuming that the following command clears the entire trace entry is therefore a false assumption, as the show output below demonstrates. Ensure that you clear all your entries.
  • Note: Improperly clearing your parameters can cause issues with future log collection efforts:

test1::*> diag secd trace clear -node test1-01 -trace-all yes

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
IP Addrs:                     10.10.10.10 10.10.10.11 10.10.10.12 10.10.10.13
Domain names:                 test
Vserver IDs:                  main

  • The following syntax removes the trace entry completely:

test1::*> diag secd trace clear -node test1-01 -ipaddrs yes -domain-names yes -vserverids yes

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Trace spec has not been set.
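
Because clear is subtractive, the complete clear command can be derived from whatever show still reports. The following Python is an added example, not NetApp code: it parses trace show output and builds a clear command covering every filter that is still set. The function names and the label-to-flag mapping are assumptions taken from the output shown in this article.

```python
# Added example (not NetApp code): build a complete "trace clear" command
# from "diag secd trace show" output so that no filter is left behind.

# Show-output label -> clear flag. Only labels that appear in this article's
# output are mapped; other filters (DC, RPC, module, connectivity) are not
# guessed and are reported as unknown instead.
LABEL_TO_FLAG = {
    "TraceAll": "-trace-all",
    "IP Addrs": "-ipaddrs",
    "Domain names": "-domain-names",
    "Vserver IDs": "-vserverids",
}

def parse_trace_show(output):
    """Return (active, unknown) parsed from 'trace show' output text."""
    active, unknown = {}, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line == "Trace Spec" or set(line) == {"-"}:
            continue                      # blank line, header, or ruler
        if line.startswith("Trace spec has not been set"):
            return {}, []
        label, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue                      # no label, or an echoed "cluster::*>" prompt
        label = label.strip()
        if label in LABEL_TO_FLAG:
            active[label] = value.strip()
        else:
            unknown.append(label)
    return active, unknown

def build_clear_command(node, output):
    """Return the clear command covering every active filter, or None if unset."""
    active, unknown = parse_trace_show(output)
    if unknown:
        raise ValueError("unmapped trace settings, clear manually: %s" % unknown)
    if not active:
        return None
    flags = " ".join(f"{flag} yes" for label, flag in LABEL_TO_FLAG.items()
                     if label in active)
    return f"diag secd trace clear -node {node} {flags}"

# Constructed sample: the state left behind after clearing only -trace-all.
LEFTOVER = """Trace Spec
---------------------------------------
IP Addrs:                     10.10.10.10 10.10.10.11
Domain names:                 test
Vserver IDs:                  main
"""

if __name__ == "__main__":
    print(build_clear_command("test1-01", LEFTOVER))
```
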

Procedure - Actual Trace collection:
  • Using the information above, it is possible to successfully set the trace parameters.
  • If you are not sure of the specific modules to key on, it is best to use the trace-all yes setting to ensure that you capture as much data as possible.
  • Perform the following steps:
  1. Prior to reproducing the issue, run the show command to verify the parameters and include them in the case data.
    NOTE:
    1) Ensure that tracing is enabled only for the duration of the reproduction. As soon as the reproduction completes, disable tracing.
    2) It is essential to document all the related information involved in the reproduction.
        Information such as time/date, username, IP addresses and who they belong to (client, LIF, DCs), filename, volume,
        and share information will greatly assist in log analysis.
     
  2. For the trace collection sequence, see the following example:

test1::> set d
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
Trace spec has not been set.

test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all yes
Trace spec set successfully for trace-all, Vservers.

test1::*> diag secd trace show -node test1-01
Trace Spec
---------------------------------------
TraceAll:                     Tracing all RPCs
Vserver IDs:                  main

 

  3. Completely clear all the aspects of the trace once the activity is completed.
    Run the show command to verify that the trace has not been set.
    test1::*> diag secd trace set -node test1-01 -vserverids main -trace-all no
    Trace spec set successfully for Vservers.
    Trace spec cleared successfully for trace-all.

    test1::*> diag secd trace show -node test1-01
    Trace Spec
    ---------------------------------------
    Vserver IDs:                  main

    test1::*> diag secd trace clear -node test1-01 -vserverids yes

    test1::*> diag secd trace show -node test1-01
    Trace Spec
    ---------------------------------------
    Trace spec has not been set.

     
  4. Generate a Type All AutoSupport from both the nodes (this will upload the SECD trace data):
    ::> autosupport invoke * -type all
    Note: The user can also upload the SECD logs (/etc/log/mlog).

 
