When there is a GSSAPI SASL failure, the log shows an authentication failure, but doesn't show the GSSAPI major/minor codes.
2014-07-29T10:21:06.818-0500 [initandlisten] connection accepted from 10.1.2.3:46996 #5 (1 connection now open)
2014-07-29T10:21:06.830-0500 [conn5] GSSAPI authentication failed for on $external ; AuthenticationFailed SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
2014-07-29T10:21:06.833-0500 [conn5] end connection 10.1.2.3:46996 (0 connections now open)
We set a global log callback for SASL at https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/cyrus_sasl_authentication_session.cpp#L423, but for the SASL_LOG_FAIL log level, there's a comment that says " Logged elsewhere" and we throw the log message away. Either we need to document where the log message gets logged, or we need to make sure these messages aren't thrown away.
As a side-note, we also hard-code the SASL debug level to "3" (https://github.com/10gen/mongo-enterprise-modules/blame/master/src/sasl/cyrus_sasl_authentication_session.cpp#L161). This should be configurable, or it should always set the highest level and let the normal mongod logging utilities decide whether to discard messages or not.
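One way to do what the two paragraphs above ask for, as an added example that is not MongoDB's own code: a log callback in the Cyrus SASL callback shape that keeps SASL_LOG_FAIL messages and leaves filtering to the logger's verbosity. `ServerLog`, `toDebugLevel` and `saslLogCallback` are hypothetical names, and the level constants are repeated from `<sasl/sasl.h>` so the block builds without libsasl2.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Level values mirror Cyrus SASL's <sasl/sasl.h>; repeated so this builds without libsasl2.
enum SaslLevel { SASL_LOG_NONE, SASL_LOG_ERR, SASL_LOG_FAIL, SASL_LOG_WARN,
                 SASL_LOG_NOTE, SASL_LOG_DEBUG, SASL_LOG_TRACE, SASL_LOG_PASS };
const int SASL_OK = 0;

// Hypothetical stand-in for the server logger: keeps a line when its debug
// level is at or below the configured verbosity (0 = always shown).
struct ServerLog {
    int verbosity;
    std::vector<std::string> lines;
    void write(int debugLevel, const std::string& msg) {
        if (debugLevel <= verbosity) lines.push_back(msg);
    }
};

// Map a SASL level to a server debug level; -1 means never log.
int toDebugLevel(int saslLevel) {
    switch (saslLevel) {
        case SASL_LOG_ERR:
        case SASL_LOG_FAIL:   // authentication failures: always visible
        case SASL_LOG_WARN:  return 0;
        case SASL_LOG_NOTE:  return 1;
        case SASL_LOG_DEBUG: return 2;
        case SASL_LOG_TRACE: return 3;
        default:             return -1;  // NONE, unknown, or PASS (may contain passwords)
    }
}

// Same shape as a Cyrus SASL log callback: (context, level, message).
int saslLogCallback(void* context, int level, const char* message) {
    int debugLevel = toDebugLevel(level);
    if (context == nullptr || message == nullptr || debugLevel < 0) return SASL_OK;
    static_cast<ServerLog*>(context)->write(debugLevel, std::string("SASL: ") + message);
    return SASL_OK;
}

int main() {
    ServerLog log{0, {}};
    // Constructed sample messages, not real library output.
    saslLogCallback(&log, SASL_LOG_FAIL, "GSSAPI failure: major=<code> minor=<code>");
    saslLogCallback(&log, SASL_LOG_DEBUG, "mechanism step detail");
    for (const auto& line : log.lines) std::cout << line << "\n";
    return 0;
}
```

SASL_LOG_PASS is dropped at every verbosity because that level can carry passwords, so "always set the highest level" should stop one short of it.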