Getting Data In

Unable to install Splunk Forwarder on Windows Server 2008 R2 Domain Controller

kkossery
Communicator

I tried installing Splunk Forwarder splunkforwarder-6.0.1-189883-x64-release on a Domain Controller. The user is part of Domain Admins and is also on the Administrator's group. I get the following error,

Splunk Installer was unable to create Splunk services. Please make sure the user running the installer has the correct privileges, including being able to create Windows Services. Exitcode='1

I have gone through this link on splunk and gone through the steps listed by the expert but it doesn't seem to help.

http://answers.splunk.com/answers/42112/splunk-install-error-on-windows

I've also tried running the MSI as Run As Administrator but do not see the option listed after I right click on the package. Tried the Administrator command line, no luck.

Tags (2)
0 Karma
1 Solution

kkossery
Communicator

I followed this link and was able to install the forwarder
http://answers.splunk.com/answers/46988/splunk-installer-was-unable-to-create-splunk-services

Need to install on a different drive other than the C drive. I'm not sure why this happens. Maybe a Windows Admin can throw some light.

View solution in original post

0 Karma

rmsit
Communicator

I having similar issues installing the 6.0.1 universal forwarder for Windows Server 2008 R2 64bit. The install process hangs, doesn't even matter which options you select. The prior version (6.0) did not have this issue.

See if you can get a hold of the prior version 6.0, which installs fine. Fresh installs of version 6.0.1 fails on Windows Server 2008 R2 from my experience.

0 Karma

kkossery
Communicator

I followed this link and was able to install the forwarder
http://answers.splunk.com/answers/46988/splunk-installer-was-unable-to-create-splunk-services

Need to install on a different drive other than the C drive. I'm not sure why this happens. Maybe a Windows Admin can throw some light.

0 Karma

linu1988
Champion

Hello,
Are you able to install it normally without configuring the domain user? you can configure the service later.

Another verification:
Check if the service account/account has permission to log on as a service.

Local Security Policy->Local Policy->Users Rights Assignment-> Log on as a Service.

Ad your account in there, then try it.

Thanks

0 Karma

lukejadamec
Super Champion

Try running the MSI from inside a CMD window, but be sure the CMD window is running as administrator: right click CMD.exe and select Run As Administrator. The type the path to the msi in the CMD window and hit enter.

During the install you will be asked whether to install as a user or the system account. Select the user option and be sure to enter the username with the domain: domain\username

Also, be sure to enter the password correctly.

0 Karma

lukejadamec
Super Champion

Right, it is a forwarder.
First, Do Not try to run the msi as Administrator by right clicking the msi - That is Not An Option in W2K8 R2. Run a CMD.EXE as administrator, and then execute the msi from inside the CMD window.
Second, at the end of the install, UnCheck start the service.
Third, go to the services manager, and for the splunkd service enter the domain\username credentials for the service to run as. Then start the splunkd service.

0 Karma

kkossery
Communicator

thanks lukejadamec.
I tried doing this. On right click on the MSI package, I do not see an option to select Run As Administrator.
I tried doing it from the Administrator Command line, again no luck.

I didn't see an option to install this as a user or a system account. I did get an option though to install Splunk as
Local Data Only
Remote Windows Data
Selected Option 1.
It gives me the same error.

Is there a different Splunkforwarder executable that I need to use to install?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...