Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

gregbo
Communicator
‎09-20-2017 08:01 AM

I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

Looking at the audit.conf.spec, that key is no longer mentioned. In earlier versions it was. I couldn't find anything in the release notes about this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-17-2018 01:27 PM

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-17-2018 01:27 PM

"Block signing" was removed in 6.3 when it was replaced by "data integrity".

Even though you may have had config in your audit.conf for keys, I don't think this has been doing anything at all since 6.3.
It looks like they tidied up the superfluous config between the versions you mention, so on the face of it, the solution is simply to remove those configurations because they have not been used for a few years.

Might be worth checking if you enabled DI following Splunk 6.3

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎09-20-2017 11:04 AM

Seems between 6.6.2 and 6.6.3 there were some features changed in the spec file. Im guessing this is around the privatekey and publickey keys in the config file?

0 Karma
Reply
Solved! Jump to solution

gregbo
Communicator
‎09-21-2017 03:00 AM

yep, the privatekey and publickey keys

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-17-2018 12:42 PM

After our upgrade to 6.6.5 from 6.4.3, I am seeing the same error. Do you know more how to fix this? Thanks.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎09-20-2017 10:32 AM

Would you mind sharing the key name?

0 Karma
Reply
Solved! Jump to solution

gregbo
Communicator
‎09-21-2017 02:59 AM

the privatekey and publickey keys

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...