Deployment Architecture

Unable to start splunkforwarder service on Windows server

anoopambli
Communicator

I've installed the universal forwarder (splunkforwarder-5.0.1-143156-x86-release.msi) on a Windows 2003 server (32 bit) using the command-line option

msiexec.exe /i "C:\temp\splunkforwarder-5.0.1-143156-x86-release.msi" AGREETOLICENSE=Yes LAUNCHSPLUNK=0 /quiet

I am trying to start the splunkforwarder service after the installation is done, but it is giving me this error message.

"Could not start Splunkforwarder service on Local computer. Error 1067: The process terminated unexpectedly"

Any idea how to fix this?

0 Karma

DanRogl
New Member

How does the service run? Under a domain account? If so, grant the service account modify access to the Program Files\Splunk directory.

0 Karma

DaveSavage
Builder

Er Dan - I think we asked that question a few 'comments' / Q's ago? Check above...but essentially in the right space...

0 Karma

Drainy
Champion

Have a look at splunkd.log in the splunk_home/var/log/splunk directory.

0 Karma

anoopambli
Communicator

I tried /program files/Splunk/bin/splunk start and it gives the error below.

Splunk> CSI: Logfiles.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos... Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
SplunkForwarder: Starting (pid 7636)

Timed out waiting for splunkd to start.

0 Karma

DaveSavage
Builder

Further thoughts - have you tried starting Splunk manually to see where in the startup sequence it is failing?
/program files/Splunk/bin/splunk start or ..splunk start --accept-license for good measure?

0 Karma

Drainy
Champion

A forwarder doesn't have to have any inputs or outputs configured to start correctly. Have you had a look in your Windows Event logs to see if it logged any more detail? How are you trying to start it?

0 Karma

DaveSavage
Builder

Hmm...am not sure if it can 'wait' to find that param out, maybe it can. I didn't see it above, but there is another param if you are using a deploy server (DEPLOYMENT_SERVER="hostdets:port")?
The GUI option was the other suggestion, yes. However if you are entering the same info / or not, it may just be replicating the issue.
Can you try (either) with the FORWARD_SERVER...?

0 Karma

anoopambli
Communicator

I am using a domain account to perform this installation. I left out the forward_server option as we wanted to put those configs through a deployment server.

Manual installation through GUI also fails with the same error message.

0 Karma

DaveSavage
Builder

Anoopambli - did you set FORWARD_SERVER="destserver:port" so that the forwarder knows where it is sending logs to?
Are your domain rights / account ok, members of local Admin Group etc (maybe you are domain admin ;-)?

0 Karma