Getting Data In

Splunk not starting upon Windows command-line msiexec install

Motivator

Here's an odd one. Anyone run into this before?

I am at a client and have put together a package based on this answer to install on multiple flavors of Windows automagically along with a set of config files.

The batch file runs fine and installs Splunk with the custom config, but Splunk does not run. When attempting to start it from the services panel after the install, it says can not log on (to the domain account).

Going into the Log On section of the splunkd service properties, a hidden password and the correct user entered in the batch file are there, and re-entering the password gives a "granted permission to log on as a service" message and allows Splunk to start. The odd thing is that upon un-installing Splunk and re-running the batch file to install, it runs perfectly.

Anyone see this before? Is it a Splunk thing? It's almost as if Splunk isn't passing Windows the proper password in the msiexec line, but when entered in the properties window Windows caches the password and uses it on further installs properly.

Here is the msiexec used. I have tried with and without quotes around the username and password, neither runs. msiexec.exe /i "%SPLUNK_MSI%" INSTALLDIR="%LOC%" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME=DOM\user IS_NET_API_LOGON_PASSWORD=password LAUNCHSPLUNK=0 WINEVENTLOGAPPCHECK=0 WINEVENTLOGSYSCHECK=0 WINEVENTLOGSECCHECK=0 SPLUNK_APP="" /QUIET

0 Karma
1 Solution

Splunk Employee
Splunk Employee

It is because the user account you are using does not have the user right "Log on as a Service". (Administrative Tools, Local Security Policy) The Splunk installer can create the service and assign the user, but since the user can not actually execute services, it won't start.

Your re-entering the account in the MSC control panel tells MSC to add the right to the user account on the local machine. Once it is set for that user on the local machine, it will keep working. You can also set assign this right to the user or to a group that he is in using Group Policies.

View solution in original post

Splunk Employee
Splunk Employee

It is because the user account you are using does not have the user right "Log on as a Service". (Administrative Tools, Local Security Policy) The Splunk installer can create the service and assign the user, but since the user can not actually execute services, it won't start.

Your re-entering the account in the MSC control panel tells MSC to add the right to the user account on the local machine. Once it is set for that user on the local machine, it will keep working. You can also set assign this right to the user or to a group that he is in using Group Policies.

View solution in original post

Motivator

They say it is a user with domain admin privileges, I guess they assumed that right was on by default. I'll make sure they explicitly add that right. Thanks!

0 Karma

Motivator

http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx (Add the Log on as a service right to an account)