
Trouble installing Splunk Universal forwarder using CLI install process

anandgattu
Explorer

I am trying to install Splunk Universal forwarder using CLI Install process. But, it doesn’t seem to install the software. Below is the command line I am using to install:

 

msiexec.exe /i splunkforwarder-8.0.2.1-f002026bad55-x64-release.msi /l*v install_splunkforwarder-x64-release.msi.log SPLUNKUSERNAME="username" SPLUNKPASSWORD="password" AGREETOLICENSE=Yes RECEIVING_INDEXER="SOME_INDEXER:PORT" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENT_SET_ENABLE=1 /quiet

 

 

Let me know if there is anything wrong with the script. Log indicates that the install is successful, but I don't see the software installed.


anandgattu
Explorer

I ran this in verbose mode so I could log the error and got this:

MSI (s) (14:B8) [18:54:17:279]: Note: 1: 1708 
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2205 2:  3: Error 
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708 
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2205 2:  3: Error 
MSI (s) (14:B8) [18:54:17:279]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
MSI (s) (14:B8) [18:54:17:279]: Product: UniversalForwarder -- Installation failed.

MSI (s) (14:B8) [18:54:17:279]: Windows Installer installed the product. Product Name: UniversalForwarder. Product Version: 8.0.2.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 1603.

MSI (s) (14:B8) [18:54:17:290]: Deferring clean up of packages/files, if any exist
MSI (s) (14:B8) [18:54:17:290]: MainEngineThread is returning 1603
MSI (s) (14:64) [18:54:17:290]: No System Restore sequence number for this installation.
=== Logging stopped: 10/7/2020  18:54:17 ===
MSI (s) (14:64) [18:54:17:293]: User policy value 'DisableRollback' is 0
MSI (s) (14:64) [18:54:17:293]: Machine policy value 'DisableRollback' is 0
MSI (s) (14:64) [18:54:17:293]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (14:64) [18:54:17:294]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
MSI (s) (14:64) [18:54:17:294]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
MSI (s) (14:64) [18:54:17:294]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (14:64) [18:54:17:295]: Destroying RemoteAPI object.
MSI (s) (14:38) [18:54:17:295]: Custom Action Manager thread ending.
MSI (c) (1C:24) [18:54:17:297]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (1C:24) [18:54:17:298]: MainEngineThread is returning 1603
=== Verbose logging stopped: 10/7/2020  18:54:17 ===

Any idea what this means?

0 Karma
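A triage sketch for a verbose msiexec log like the one posted above, added here as an example and not written by anyone in this thread. The posted log contains both "Windows Installer installed the product" and status 1603; the status code decides the outcome, and Windows Installer marks a failed action with "Return value 3". The function name `triage`, the action name `ExampleCustomAction` and the first sample line are constructed for illustration.

```python
import re

# Documented msiexec.exe exit codes; anything outside SUCCESS is a failed install.
MSI_STATUS = {
    0: "success",
    1602: "user cancelled installation",
    1603: "fatal error during installation",
    1618: "another installation is already in progress",
    1641: "success, restart initiated",
    3010: "success, restart required",
}
SUCCESS = {0, 1641, 3010}

STATUS_RE = re.compile(r"Installation success or error status: (\d+)"
                       r"|MainEngineThread is returning (\d+)")
# Windows Installer logs "Return value 3" when an action fails.
FAILED_ACTION_RE = re.compile(r"Action ended [\d:]+: (\w+)\. Return value 3\.")

def triage(log_text):
    """Summarise the outcome of a verbose (/l*v) msiexec log."""
    status, failed_actions = None, []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            status = int(m.group(1) or m.group(2))  # last status line wins
        m = FAILED_ACTION_RE.search(line)
        if m:
            failed_actions.append(m.group(1))
    return {
        "status": status,
        "meaning": MSI_STATUS.get(status, "unknown"),
        "succeeded": None if status is None else status in SUCCESS,
        "failed_actions": failed_actions,
    }

SAMPLE = "\n".join([
    # Constructed line (not in the posted excerpt); the action name is a placeholder.
    "Action ended 18:54:16: ExampleCustomAction. Return value 3.",
    # Lines copied from the log posted above.
    "MSI (s) (14:B8) [18:54:17:279]: Product: UniversalForwarder -- Installation failed.",
    "MSI (s) (14:B8) [18:54:17:279]: Windows Installer installed the product. "
    "Product Name: UniversalForwarder. Product Version: 8.0.2.1. Product Language: 1033. "
    "Manufacturer: Splunk, Inc.. Installation success or error status: 1603.",
    "MSI (s) (14:B8) [18:54:17:290]: MainEngineThread is returning 1603",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In a real log, the lines just above the first failed action are where the cause is normally recorded.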

inventsekar
SplunkTrust

Just want to ask you to make sure you followed these steps:

Configure your Windows environment prior to installation

The following steps are high-level. For step-by-step instructions, see Prepare your Windows network for a Splunk Enterprise installation as a network or domain user in the Splunk Enterprise Installation Manual.

  1. Create a security group for the user that you want to run the universal forwarder as.
  2. Add the user you want the universal forwarder to run as to this group.
  3. (Optional) Set up the universal forwarder user as a managed service account.
  4. Use the Group Policy Management Console to create and configure Group Policy or Local Security Policy objects for user rights assignments.
  5. Use the Group Policy Management Console to assign appropriate security rights to the universal forwarder user.
  6. If you use Active Directory, deploy the Group Policy objects with the updated settings.

Have credentials for the Splunk admin user ready

When you install the universal forwarder, you must create credentials for the Splunk administrator user. The installer does not create credentials for the user. Think of a user name and password and be ready to supply them when you perform the installation. If you do not supply at least a password during a silent installation, the universal forwarder can install without any users defined, which prevents login. You must then create a user-seed.conf file to fix the problem and restart the forwarder.

See Create secure administrator credentials in Securing Splunk for more information on how to create credentials for the Splunk administrator account.

 

(PS - I have given around 350+ karma points so far, received badge for that, maybe you also should start "Learn, Give Back, Have Fun")

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

alonsocaio
Contributor

Hi @anandgattu 

Have you tried to run the installation without the "/quiet" option? Just to double check there is no error during the process.

I would also check permissions for the user that is running the install command.

alonsocaio
Contributor

@anandgattu I have tried running the installation using the command you provided.

Actually my log files have returned some errors and the forwarder was not installed.

In my case, the errors were happening due to password complexity. So, I would also recommend you to check if you are meeting Splunk security requirements for admin password.

0 Karma

anandgattu
Explorer

@alonsocaio  I tried without /quiet, but still the same.  And the password I am using meets the password requirements for the admin password.

0 Karma

alonsocaio
Contributor

When you tried without the /quiet, did it return a successful installation from the Splunk installer window?

Also, could you please provide more information about OS version? Is it 32 or 64 bits?

0 Karma