Hi guys,
I got these errors on pretty much all of my Splunk universal forwarders.
03-06-2017 12:25:27.743 +1300 ERROR AuditTrailManager - Private key error Error opening /opt/splunkforwarder/etc/auth/audit/private.pem: No such file or directory
03-06-2017 12:25:07.360 +1300 WARN AuditTrailManager - Private key file does not exist but is defined in audit.conf - no local event signing will take place. You can create auditTrail keys if necessary by running splunk createssl audit-keys
I also found this had been marked as a known bug: SPL-119172, SPL-122917, SPL-122918
http://docs.splunk.com/Documentation/Splunk/6.4.6/ReleaseNotes/6.4.2
So my question is: is there any impact from this known bug? And what is the workaround?
As you mentioned this is a bug. This message should be benign, particularly on a forwarder. However, if you need the two keys that are missing to utilize the signedAudit = true stanzas in inputs.conf, create the audit keys by issuing the following command from $SPLUNK_HOME/bin/:
./splunk createssl audit-keys
OR
if you don't need to sign any events, remove the [auditTrail] stanza from $SPLUNK_HOME/etc/system/default/audit.conf.
Thanks jcrabb, that is really helpful!
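As an added example (not part of the thread and not Splunk's own tooling), the shell check below reports whether the key files named in an audit.conf [auditTrail] stanza actually exist, which is the condition the warning in the question describes. It assumes the stanza sets the paths with privateKey and publicKey; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Splunk tooling. Checks one audit.conf file; the effective
# merged config on a host is what `splunk cmd btool audit list auditTrail` prints.
# Assumption: key paths are set with privateKey/publicKey and may use $SPLUNK_HOME.

# audit_key_paths CONF HOME: print "<setting> <expanded path>" for each key
# setting found inside the [auditTrail] stanza of CONF.
audit_key_paths() {
    awk -v home="$2" '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[auditTrail\][ \t\r]*$/); next }
        in_stanza && /^[ \t]*(privateKey|publicKey)[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            n = index(val, "$SPLUNK_HOME")      # literal text, expanded here
            if (n) val = substr(val, 1, n - 1) home substr(val, n + 12)
            print key, val
        }' "$1"
}

# audit_key_status CONF HOME: report each configured key file.
# Returns 1 only when a key is defined but its file is missing (the state that
# produces the AuditTrailManager messages); 0 otherwise.
audit_key_status() {
    [ -f "$1" ] || { echo "no audit.conf at $1"; return 0; }
    paths=$(audit_key_paths "$1" "$2")
    [ -n "$paths" ] || { echo "no [auditTrail] keys defined in $1"; return 0; }
    rc=0
    while read -r key path; do
        if [ -f "$path" ]; then
            echo "OK      $key $path"
        else
            echo "MISSING $key $path"
            rc=1
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Usage: sh check_audit_keys.sh <path to audit.conf> <SPLUNK_HOME>
if [ "$#" -eq 2 ]; then
    audit_key_status "$1" "$2"
fi
```

A non-zero exit identifies forwarders where signing is configured but cannot happen, so hosts that need signed audit events can be separated from those where the message is only noise.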