Getting Data In

Splunk Universal Forwarder Deployment with SCCM

asofo
Path Finder

Hello,

We are trying to deploy the Splunk Universal Forwarder using Microsoft SCCM. I can successfully install the MSI from the command line using:

msiexec /i "splunkforwarder-6.3.0-aa7d4b1ccb80-x64-release.msi" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="mydeploymentserver:8089" /quiet

However when our SCCM admin uses the same command in his deployment manager, the installation fails. According to the SCCM log, the error is:

[LOG[Failed to clear product> advertisement, error code> 1603]LOG]!> date="10-29-2015" component="execmgr"> context="" type="3" thread="17300"> file="msiexecution.cpp:264"

I know this is most likely an SCCM issue, but wanted to see if anyone out there has received a similar error or had a similar issue.

Thanks!

0 Karma

shartwell
Explorer

Could be the "/q" switch SCCM adds to packages when it deploys them.
Splunk already has a "/quiet" switch and the two together will prevent SCCM from deploying it.
You'll need to create a batch file which executes the MSI to get around this problem.

bohanlon_splunk
Splunk Employee
Splunk Employee
0 Karma

asofo
Path Finder

I saw that earlier, but the machines are Windows 7 and I checked all permissions. The weird thing is that there weren't any problems with the 6.0.1 version of the Universal Forwarder.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...