I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf
Looking at the audit.conf.spec, that key is no longer mentioned. In earlier versions it was. I couldn't find anything in the release notes about this.
Would you mind sharing the key name?
the privatekey and publickey keys
Seems between 6.6.2 and 6.6.3 there were some features changed in the spec file. Im guessing this is around the privatekey and publickey keys in the config file?
yep, the privatekey and publickey keys
After our upgrade to 6.6.5 from 6.4.3, I am seeing the same error. Do you know more how to fix this? Thanks.
"Block signing" was removed in 6.3 when it was replaced by "data integrity".
Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.
Might be worth checking if you enabled DI following Splunk 6.3