Universal Forwarder - AuditTrailManager - Private key error - No such file or directory

season88481
Contributor

Hi guys,

I got these errors on pretty much all of my Splunk universal forwarders.

03-06-2017 12:25:27.743 +1300 ERROR AuditTrailManager - Private key error Error opening /opt/splunkforwarder/etc/auth/audit/private.pem: No such file or directory
03-06-2017 12:25:07.360 +1300 WARN AuditTrailManager - Private key file does not exist but is defined in audit.conf - no local event signing will take place. You can create auditTrail keys if necessary by running splunk createssl audit-keys

I also found this had been marked as a known bug: SPL-119172, SPL-122917, SPL-122918
http://docs.splunk.com/Documentation/Splunk/6.4.6/ReleaseNotes/6.4.2

So my question is, is there any impact from this known bug? And what is the workaround?

0 Karma
1 Solution

jcrabb_splunk
Splunk Employee

As you mentioned this is a bug. This message should be benign, particularly on a forwarder. However, if you need the two keys that are missing to utilize the signedAudit = true stanzas in inputs.conf, create the audit keys by issuing the following command from $SPLUNK_HOME/bin/:

./splunk createssl audit-keys

OR

if you don't need to sign any events, remove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.

Jacob
Sr. Technical Support Engineer
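
As an added example (not from this thread and not Splunk's own code), the shell functions below report whether a forwarder install is in the state the WARN line describes: a key path defined in the [auditTrail] stanza with no file behind it. It assumes the stanza's settings are named privateKey and publicKey and that paths are written with a literal $SPLUNK_HOME; the sample install tree is constructed.

```shell
# Added example (not Splunk's code). Assumes the [auditTrail] stanza uses the
# privateKey/publicKey settings and writes paths with a literal $SPLUNK_HOME.

# Print "key=path" for each key setting in the [auditTrail] stanza of a conf file.
audit_trail_settings() {
    awk '
        /^[ \t]*\[/ { inside = ($0 ~ /^[ \t]*\[auditTrail\][ \t\r]*$/); next }
        inside && /^[ \t]*(privateKey|publicKey)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]*$/, "", val)
            print key "=" val
        }' "$1"
}

# Classify one forwarder install. Prints:
#   no-stanza     no key paths defined, so nothing is looked up
#   keys-missing  a path is defined but the file is absent (the logged condition)
#   keys-present  every defined key file exists
audit_key_status() {
    home=$1
    conf="$home/etc/system/default/audit.conf"
    settings=""
    [ -f "$conf" ] && settings=$(audit_trail_settings "$conf")
    [ -n "$settings" ] || { echo no-stanza; return 0; }
    status=keys-present
    while IFS='=' read -r key path; do
        path=$(printf '%s\n' "$path" | sed "s|\\\$SPLUNK_HOME|$home|")
        [ -f "$path" ] || status=keys-missing
    done <<EOF
$settings
EOF
    echo "$status"
}

# Constructed sample install: stanza present, no key files on disk.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/system/default" "$d/etc/auth/audit"
    printf '%s\n' '[auditTrail]' \
        'privateKey=$SPLUNK_HOME/etc/auth/audit/private.pem' \
        'publicKey=$SPLUNK_HOME/etc/auth/audit/public.pem' \
        > "$d/etc/system/default/audit.conf"
    echo "$d"
}

sample=$(make_sample_home)
echo "sample install: $(audit_key_status "$sample")"
rm -rf "$sample"
```

On a real host, call `audit_key_status /opt/splunkforwarder` (the install path shown in the error above) to see which of the two remedies in the answer applies.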

season88481
Contributor

Thanks jcrabb, that is really helpful!

0 Karma