Splunk Search

Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

gregbo
Communicator

I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Looking at the audit.conf.spec, that key is no longer mentioned. In earlier versions it was. I couldn't find anything in the release notes about this.

0 Karma
1 Solution

nickhills
Ultra Champion

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

If my comment helps, please give it a thumbs up!
0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Seems between 6.6.2 and 6.6.3 there were some features changed in the spec file. Im guessing this is around the privatekey and publickey keys in the config file?

0 Karma

gregbo
Communicator

yep, the privatekey and publickey keys

0 Karma

lqiao
Explorer

After our upgrade to 6.6.5 from 6.4.3, I am seeing the same error. Do you know more how to fix this? Thanks.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Would you mind sharing the key name?

0 Karma

gregbo
Communicator

the privatekey and publickey keys

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...