Archive

Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

gregbo
Communicator

I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Looking at the audit.conf.spec, that key is no longer mentioned. In earlier versions it was. I couldn't find anything in the release notes about this.

0 Karma
1 Solution

nickhills
Ultra Champion

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Seems between 6.6.2 and 6.6.3 there were some features changed in the spec file. Im guessing this is around the privatekey and publickey keys in the config file?

0 Karma

gregbo
Communicator

yep, the privatekey and publickey keys

0 Karma

lqiao
Explorer

After our upgrade to 6.6.5 from 6.4.3, I am seeing the same error. Do you know more how to fix this? Thanks.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Would you mind sharing the key name?

0 Karma

gregbo
Communicator

the privatekey and publickey keys

0 Karma