Splunk UF fails to install on Windows Server

HexalNull
Engager

Hi All, 

I’m facing an issue while installing the Splunk Universal Forwarder on my Windows server using the MSI command.

From the installation logs I extracted (see below), it appears that the installer fails and rolls back because it is unable to install the regmon driver. Is there a way to exclude the installation of the regmon driver when running the MSI installer?

MSI (s) (24:C8) [12:22:57:569]: Hello, I'm your 64bit Elevated Non-remapped custom action server.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: D:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf.
InstallRegmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 D:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf
InstallRegmonDrv: Info: SystemPath is: C:\Windows\system32\
InstallRegmonDrv: Info: Execute string: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 D:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\PDCC07~1.RAD\AppData\Local\Temp\splunk.log" 2>&1"
InstallRegmonDrv: Error: Failed to create process : 0x5
InstallRegmonDrv: Warning: Failed to install regmon driver.
InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (24:38) [12:22:57:673]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (24:38) [12:22:57:674]: User policy value 'DisableRollback' is 0
MSI (s) (24:38) [12:22:57:674]: Machine policy value 'DisableRollback' is 0
Action ended 12:22:57: InstallFinalize. Return value 3.
MSI (s) (24:38) [12:22:57:692]: Note: 1: 2318 2:
MSI (s) (24:38) [12:22:57:697]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1552900824,LangId=1033,Platform=589824,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (24:38) [12:22:57:697]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (24:38) [12:22:57:697]: Executing op: DialogInfo(Type=1,Argument=UniversalForwarder)
MSI (s) (24:38) [12:22:57:698]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back

0 Karma

livehybrid
SplunkTrust

Hi @HexalNull 

What version are you installing? I have seen this issue on 10.0.2, which causes this access denied issue (based on 'MSI (s) (24:38) [12:22:57:673]: Note: 1: 2265 2: 3: -2147287035').

If you are using 10.0.2 or lower please could you try again with the most recent version?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma

HexalNull
Engager

Hi @livehybrid , 

I am running version 9.2.1 due to the legacy OS, Windows 2016.

0 Karma

livehybrid
SplunkTrust

Hi @HexalNull 

In that case I would recommend trying an upgrade to 9.3.11 which was released 2 weeks ago and should have the fix in. 

https://download.splunk.com/products/universalforwarder/releases/9.3.11/windows/splunkforwarder-9.3....

Versions > 9.3.7 and < 9.4.0 do support Windows 2016, based on the docs at https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.3/plan-your-splunk-en...

Please let me know how you get on!


0 Karma

HexalNull
Engager

Hi @livehybrid 

As that particular pool of servers is running the legacy OS, Windows 2016, we didn't push beyond the mentioned version in case of compatibility issues.

Having said that, we have managed to install on 100-plus servers with the same OS 2016; only a small set of around 20 servers didn't go through, with the mentioned error message.

I was scratching my head to figure out what could have potentially gone wrong...

0 Karma

isoutamo
SplunkTrust

Have you found any common baseline for those failing servers? Like DCs or other special-purpose servers?
Are there any local host-based firewalls, network shares or disks in use? Anything that is different from the servers where the install has succeeded?
0 Karma

kknairr
Communicator

@HexalNull That's the catch. You are running a legacy OS, and the Splunk UF version you are installing might not be compatible with Windows Server 2016.

Please refer to the article below and try the resolution mentioned.

You could try version 9.2.9 and see if it succeeds the installation.

Solution: 

Windows Server 2016 Not Supported for Splunk Enterprise 9.2 and Higher (Including Splunk 10) | Splun...


If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.


0 Karma

HexalNull
Engager

@kknairr 

The strange thing is that we managed to install on 100-plus servers of the same build; just a small set of around 20 servers didn't go through, with the mentioned error message.

I was scratching my head to figure out what could have potentially gone wrong...

0 Karma

livehybrid
SplunkTrust

Hi @HexalNull 

Given that the error you're getting is Access Denied (0x80030005) [represented as decimal] it does sound like it could be a local policy/permission error or that Splunk UF is trying to access something on the failing host which is perhaps not present or configured differently on the others? Is this possible in your environment? 

Are you able to try 9.3.11 to see if the issue has been fixed by Splunk as a bug?


 

0 Karma

kknairr
Communicator

@HexalNull When only a subset fails, the issue is usually environmental rather than compatibility. You could check system differences like any hardened policies that could interfere with the installer. Check for any Group Policy restrictions or UAC settings. You could also try installing the suggested versions on those failed servers to see how it goes as well.


0 Karma
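The checklist above (hardened policies, Group Policy, UAC) and the MSI log in the original post both come down to the same question: what is different on the ~20 hosts where the elevated custom action server cannot even CreateProcess cmd.exe (Win32 error 0x5, ERROR_ACCESS_DENIED)? The following PowerShell triage script is an added example, not code from the thread or from Splunk. Run it in an elevated PowerShell on one failing and one succeeding host and diff the output. It assumes the MSI was run with a verbose log (msiexec /i ... /l*v C:\Temp\uf.log; the path is an assumption), and the policy items it reports (AppLocker, SRP, WDAC, UAC, the ACL on cmd.exe) are candidates to compare, not a claim about this thread's root cause.

```powershell
<#
  Added triage script (not from the thread or from Splunk). Run elevated on a
  failing and a succeeding Windows Server 2016 host, then diff the two outputs.
  Assumption: the MSI was run with a verbose log, e.g.
    msiexec /i splunkforwarder.msi /l*v C:\Temp\uf.log ...
#>
param([string]$MsiLog = 'C:\Temp\uf.log')   # assumed log path

# MSI logs HRESULTs as signed decimal in "Note: 1: NNNN 2: 3: -2147287035".
# This converts that to the familiar hex form (0x80030005).
function Decode-MsiNote {
    param([string]$Line)
    if ($Line -match 'Note: 1: (\d+) 2:.*?3: (-?\d+)') {
        $value = [int64]$Matches[2]
        [pscustomobject]@{
            MsiNote = [int]$Matches[1]
            Decimal = $value
            Hex     = '0x{0:X8}' -f [uint32]($value -band 0xFFFFFFFF)
        }
    }
}

# Pulls the failing custom action, the exact command it tried to spawn, and the
# Win32 error from "Failed to create process : 0x5" (5 -> "Access is denied").
function Get-InstallFailure {
    param([string[]]$Lines)
    $result = [ordered]@{}
    foreach ($l in $Lines) {
        if ($l -match 'CustomAction (\S+) returned actual error code (\d+)') {
            $result.Action   = $Matches[1]
            $result.ExitCode = [int]$Matches[2]
        }
        if ($l -match 'Failed to create process : 0x([0-9A-Fa-f]+)') {
            $win32 = [Convert]::ToInt32($Matches[1], 16)
            $result.Win32Error   = $win32
            $result.Win32Message = (New-Object ComponentModel.Win32Exception $win32).Message
        }
        if ($l -match 'Execute string: (.+)$') { $result.ExecuteString = $Matches[1] }
        if ($l -match 'Note: 1: 2265')        { $result.Note2265 = Decode-MsiNote $l }
    }
    [pscustomobject]$result
}

# Host-side settings that can make CreateProcess of cmd.exe / rundll32.exe fail
# with ERROR_ACCESS_DENIED even for an elevated MSI custom action. These are
# things to compare between hosts, not a diagnosis.
function Get-HostPolicyState {
    $sys32 = "$env:SystemRoot\System32"
    $state = [ordered]@{
        CmdExePresent    = Test-Path "$sys32\cmd.exe"
        Rundll32Present  = Test-Path "$sys32\rundll32.exe"
        CmdExeAcl        = (Get-Acl "$sys32\cmd.exe").AccessToString
        AppLockerService = (Get-Service AppIDSvc -ErrorAction SilentlyContinue).Status
        AppLockerRules   = $null
        SrpDefaultLevel  = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue).DefaultLevel
        UacEnableLUA     = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
        WdacEnforcement  = (Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue).CodeIntegrityPolicyEnforcementStatus
    }
    try {
        # Effective AppLocker policy; an enforced Exe collection that denies
        # cmd.exe or rundll32.exe for SYSTEM would show up as "Exe=Enabled".
        $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
        $state.AppLockerRules = @($xml.AppLockerPolicy.RuleCollection |
            ForEach-Object { "$($_.Type)=$($_.EnforcementMode)" })
    } catch { $state.AppLockerRules = "n/a: $($_.Exception.Message)" }
    [pscustomobject]$state
}

# Cheap spawn test of the same binary the custom action launches. This runs
# under your interactive token, not inside the MSI custom action server
# (SYSTEM), so a pass here does not fully clear the installer's code path.
function Test-SpawnFromShell {
    $p = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
        -ArgumentList '/c exit 0' -WindowStyle Hidden -Wait -PassThru
    [pscustomobject]@{ CmdExitCode = $p.ExitCode }
}

if (Test-Path $MsiLog) { Get-InstallFailure (Get-Content $MsiLog) | Format-List }
Get-HostPolicyState | Format-List
Test-SpawnFromShell
```

Fed the log excerpt from the original post, Get-InstallFailure reports Action InstallRegmonDrv, ExitCode 1603, Win32Error 5 ("Access is denied") and Note2265 with Hex 0x80030005, which is the decoding livehybrid gives above. The useful output is the diff of Get-HostPolicyState between a failing and a working host; any line that differs (an enforced AppLocker Exe collection, a non-default SRP level, WDAC enforcement, a changed ACL on cmd.exe) is the first thing to rule in or out before retrying the installer.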

kknairr
Communicator

@HexalNull Try running the MSI with admin privileges using Run as administrator option to see if it solves the issue.


0 Karma

HexalNull
Engager

Hi, 

It's run under admin privileges. We have checked through the logs; the installation goes well until it reaches the regmon installation, where the process hits the error code "CreateProcess 0x5" and the whole installation gets rolled back.

0 Karma

isoutamo
SplunkTrust

Are you installing this with administrator rights or just with your own?
0 Karma

HexalNull
Engager

Hi, 

It's with admin privileges.

0 Karma