Archive
Highlighted

Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Communicator

I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Looking at the audit.conf.spec, that key is no longer mentioned. In earlier versions it was. I couldn't find anything in the release notes about this.

0 Karma
Highlighted

Re: Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Splunk Employee
Splunk Employee

Would you mind sharing the key name?

0 Karma
Highlighted

Re: Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Communicator

the privatekey and publickey keys

0 Karma
Highlighted

Re: Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Splunk Employee
Splunk Employee

Seems between 6.6.2 and 6.6.3 there were some features changed in the spec file. Im guessing this is around the privatekey and publickey keys in the config file?

0 Karma
Highlighted

Re: Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Communicator

yep, the privatekey and publickey keys

0 Karma
Highlighted

Re: Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Explorer

After our upgrade to 6.6.5 from 6.4.3, I am seeing the same error. Do you know more how to fix this? Thanks.

0 Karma
Highlighted

Re: Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Ultra Champion

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

View solution in original post

0 Karma