While trying to install the 6.0.1 x64 universal forwarder on an Azure Server 2012 R2 Datacenter VM that has the ADDS roles installed, the install just "hangs" forever. It gets through the copy process, and I can see the four install messages in the Windows Application log, however it never completes.
This is the only meaningful log file I can locate (var\logs\splunk\splunkd-utility.log)
12-24-2013 12:34:44.977 -0800 INFO ServerConfig - My server name is "drewlabdc01".
12-24-2013 12:34:44.977 -0800 INFO ServerConfig - My hostname is "DREWLABDC01".
12-24-2013 12:34:45.008 -0800 INFO ServerConfig - Setting HTTP server compression state=on
12-24-2013 12:34:45.008 -0800 INFO ServerConfig - Setting HTTP client compression state=0 (false)
12-24-2013 12:34:45.008 -0800 INFO ServerConfig - Default output queue for file-based input: parsingQueue.
12-24-2013 12:34:45.805 -0800 INFO loader - Running utility: "check-transforms-keys"
12-24-2013 12:34:45.805 -0800 INFO loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
12-24-2013 12:34:45.805 -0800 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:45.805 -0800 INFO loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:45.805 -0800 INFO loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
12-24-2013 12:34:53.849 -0800 INFO loader - Splunkd starting (build 189883).
12-24-2013 12:34:53.849 -0800 INFO loader - System info: Windows, DREWLABDC01, 2, 6, x64.
12-24-2013 12:34:53.849 -0800 INFO loader - Detected 1 (virtual) CPUs and 1791MB RAM
12-24-2013 12:34:53.849 -0800 INFO loader - Maximum number of threads (approximate): 895
12-24-2013 12:34:53.849 -0800 INFO loader - Arguments are: "rest" "--noauth" "POST" "/services/apps/local/SplunkUniversalForwarder/enable"
12-24-2013 12:34:53.849 -0800 INFO loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
12-24-2013 12:34:53.849 -0800 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:53.849 -0800 INFO loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:53.849 -0800 INFO loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
12-24-2013 12:34:53.865 -0800 ERROR RESTTester - tenant service initialization failed
12-24-2013 12:34:53.865 -0800 INFO ServerConfig - My server name is "drewlabdc01".
12-24-2013 12:34:53.865 -0800 INFO ServerConfig - My hostname is "DREWLABDC01".
12-24-2013 12:34:53.880 -0800 INFO ServerConfig - Setting HTTP server compression state=on
12-24-2013 12:34:53.880 -0800 INFO ServerConfig - Setting HTTP client compression state=0 (false)
12-24-2013 12:34:53.880 -0800 INFO ServerConfig - Default output queue for file-based input: parsingQueue.
12-24-2013 12:34:54.865 -0800 WARN LocalAppsAdminHandler - User 'splunk-system-user' triggered the 'enable' action on app 'SplunkUniversalForwarder', and the following objects required a restart: default-mode, limits, server, web
12-24-2013 12:34:56.178 -0800 INFO loader - Splunkd starting (build 189883).
12-24-2013 12:34:56.178 -0800 INFO loader - System info: Windows, DREWLABDC01, 2, 6, x64.
12-24-2013 12:34:56.178 -0800 INFO loader - Detected 1 (virtual) CPUs and 1791MB RAM
12-24-2013 12:34:56.178 -0800 INFO loader - Maximum number of threads (approximate): 895
12-24-2013 12:34:56.178 -0800 INFO loader - Arguments are: "rest" "--noauth" "POST" "/servicesNS/nobody/SplunkUniversalForwarder/data/outputs/tcp/server" "name=drewsplunk.transnational.local:9997"
12-24-2013 12:34:56.178 -0800 INFO loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
12-24-2013 12:34:56.178 -0800 INFO loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:56.178 -0800 INFO loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:56.194 -0800 INFO loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
12-24-2013 12:34:56.194 -0800 ERROR RESTTester - tenant service initialization failed
12-24-2013 12:34:56.210 -0800 INFO ServerConfig - My server name is "drewlabdc01".
12-24-2013 12:34:56.210 -0800 INFO ServerConfig - My hostname is "DREWLABDC01".
12-24-2013 12:34:56.225 -0800 INFO ServerConfig - Setting HTTP server compression state=on
12-24-2013 12:34:56.225 -0800 INFO ServerConfig - Setting HTTP client compression state=0 (false)
12-24-2013 12:34:56.225 -0800 INFO ServerConfig - Default output queue for file-based input: parsingQueue.
I've tried re-installing it several times, both set as Local Data only and as a Remote Data setup using a domain service account with the privileges defined in the Prepare the Splunk App for Active Directory add-ons link.
The only way to close the installer is to start ending tasks (Installer GUI is responsive though) and eventually one of the processes flags a rollback. It usually errors stating it can't remove services, etc. I then reboot, clean the registry, reboot again and use PowerShell to remove the SplunkUniversalForwarder directory.
I'm trying to do this in a lab set-up before I pitch the universal forwarders as the right way to go to my management chain. This has not been a great success so far...
There is a known issue for hanging installs on 6.0.1
http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues#Windows-specific_issues
"Installing the Windows universal forwarder with the Deployment Server and Indexer fields populated can cause the installation to hang. Leave these fields blank and the installation will complete successfully. (SPL-78756)"
I'm getting this issue with an ADDS domain controller, running 2008R2 (using the 64bit installer).
At first I thought this was due to the installation directory and UAC protecting the ProgFiles folder. But I've tried reinstalling to another drive entirely with the same issues.
Is the Splunk forwarder supported on a Windows Domain Controller at all?
Where is the log file located?
I managed to successfully finish the installation after installing .NET 4 on the server.
The error messages still appear in the log.
I'm getting the same issue on Win 2008 32 bit + R2 64 bit which are supported.
Hi,
We currently don't support Server 2012 R2. Can you try with Server 2012 instead which is officially supported.
I could potentially do that, however shouldn't the installer let me know it's an unsupported OS and not let me proceed?