I've had the same. In my case it was caused by the following configuration, which is part of the Enterprise Security (version 3.1.1) App:
$SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/default/audit.conf:
```
[filterSpec:event_whitelist:stashWhitelist]
sourcetype=stash

[filterSpec:event_blacklist:nothingElse]
all=True

[eventHashing]
filters=stashWhitelist,nothingElse

## SOLNESS-2268: Disabling auditTrail signing by default
## To enable, copy the following stanza to SA-AuditAndDataProtection/local/audit.conf
## and swap the empty private/public key values for the populated ones
[auditTrail]
privateKey =
#privateKey = $SPLUNK_HOME/etc/auth/audit/private.pem
publicKey =
#publicKey = $SPLUNK_HOME/etc/auth/audit/public.pem
```
I also applied the proposed fix for the upgrade successfully, then reverted back.