Getting Data In
Highlighted

Universal Forwarder - AuditTrailManager - Private key error - No such file or directory

Communicator

Hi guys,

I got these error on pretty much all of my splunk universal forwarder.

03-06-2017 12:25:27.743 +1300 ERROR AuditTrailManager - Private key error Error opening /opt/splunkforwarder/etc/auth/audit/private.pem: No such file or directory
03-06-2017 12:25:07.360 +1300 WARN AuditTrailManager - Private key file does not exist but is defined in audit.conf - no local event signing will take place. You can create auditTrail keys if necessary by running splunk createssl audit-keys

I also found this had been marked as a known bug: SPL-119172, SPL-122917, SPL-122918
http://docs.splunk.com/Documentation/Splunk/6.4.6/ReleaseNotes/6.4.2

So my question is, is there any impact on this known bug? And what is the work around?

0 Karma
Highlighted

Re: Universal Forwarder - AuditTrailManager - Private key error - No such file or directory

Splunk Employee
Splunk Employee

As you mentioned this is a bug. This message should be benign, particularly on a forwarder. However, if you need the two keys that are missing to utilize the signedAudit = true stanzas in inputs.conf, create the audit keys by issuing the following command from $SPLUNK_HOME/bin/:

./splunk createssl audit-keys

OR

if you don't need to sign any events, remove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.

Jacob
Sr. Technical Support Engineer

View solution in original post

Highlighted

Re: Universal Forwarder - AuditTrailManager - Private key error - No such file or directory

Communicator

Thanks jcrabb, that is really helpful!

0 Karma