Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarder - AuditTrailManager - Private key error - No such file or directory

season88481
Contributor
‎03-05-2017 04:50 PM

Hi guys,

I got these error on pretty much all of my splunk universal forwarder.

03-06-2017 12:25:27.743 +1300 ERROR AuditTrailManager - Private key error Error opening /opt/splunkforwarder/etc/auth/audit/private.pem: No such file or directory
03-06-2017 12:25:07.360 +1300 WARN AuditTrailManager - Private key file does not exist but is defined in audit.conf - no local event signing will take place. You can create auditTrail keys if necessary by running splunk createssl audit-keys

I also found this had been marked as a known bug: SPL-119172, SPL-122917, SPL-122918
http://docs.splunk.com/Documentation/Splunk/6.4.6/ReleaseNotes/6.4.2

So my question is, is there any impact on this known bug? And what is the work around?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎03-09-2017 10:49 AM

As you mentioned this is a bug. This message should be benign, particularly on a forwarder. However, if you need the two keys that are missing to utilize the signedAudit = true stanzas in inputs.conf, create the audit keys by issuing the following command from $SPLUNK_HOME/bin/:

./splunk createssl audit-keys

OR

if you don't need to sign any events, remove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.

Jacob
Sr. Technical Support Engineer

View solution in original post

Reply
Solved! Jump to solution
Solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎03-09-2017 10:49 AM

As you mentioned this is a bug. This message should be benign, particularly on a forwarder. However, if you need the two keys that are missing to utilize the signedAudit = true stanzas in inputs.conf, create the audit keys by issuing the following command from $SPLUNK_HOME/bin/:

./splunk createssl audit-keys

OR

if you don't need to sign any events, remove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.

Jacob
Sr. Technical Support Engineer
Reply
Solved! Jump to solution

season88481
Contributor
‎03-09-2017 12:20 PM

Thanks jcrabb, that is really helpful!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...