Getting Data In

Splunk forward on Windows server 2008, Exitcode 4

Explorer

I'm trying to install the splunk forwarder for Windows server 2008 R2 and I keep getting the same error. The error is:

Splunk installer was unable to start Splunk Services.
Please make sure you have provided the correct username and/or password, and the user you are trying to run Splunk as has the correct privileges. Exitcode="4"

Before I tried installing this in our production environment I installed it on a test system. I followed this guide http://docs.splunk.com/Documentation/Splunk/5.0.4/Installation/PrepareyourWindowsnetworkforaSplunkin... and everything worked just fine. I followed the same steps in production and all I get is this error. I have verified that all group, permmission and GPO settings are exactly the same in test and production (except the domain names)

Tags (3)
0 Karma

Explorer

Sorry for the long delay before responding, but running the sc query commands did not show anything. Listing all the services in the service console doesn't show the splunk services either. I have set the log on and service permissions and the log on as a batch job permissions to allow the splunk user.

I have set the splunk user to be part of the builtin administrator's group and still, no luck.

0 Karma

Splunk Employee
Splunk Employee

can you check that splunk was not installed previously on the machine by doing
sc query splunkd
sc query splunkweb?

if they exist you need to delete them first using "sc delete service_name"

if you are installing Splunk to run as a user make sure that it has
Permission to log on as a service
Permission to log on as a batch job

you can also temporary make your user a member of buitdin administrator group to make sure that this is not permission problem.

Explorer

Sorry for taking so long to respond.

I ran the sc query commands and it showed nothing, and in the services list in the services console they are not present.

I have set the "log on as a service" and "log on as a batch job" permissions to allow the splunk user to connect. I have added the splunk user to the builtin administrator group and still no luck.

0 Karma