Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting an error installing a universal forwarder on WIndows server 2008 R2 with a Powershell script?

jamesonf
New Member
‎06-16-2015 06:52 AM

Out of the 37 of our servers which this processed worked successfully without issue, I am running into an error on our final two servers. I would appreciate any assistance possible with this issue. In order to install the splunk forwarder, I am using the following PowerShell script:

####################################################
# Splunk Forwarder Production Install              #
#                                                  #
# Intended for use only with [REDACTED] servers. #
#                                                  #
# Last updated: 03.26.2015                         #
####################################################


############## Variable Declarations ###############

## Deployment specific variables
# $campus - Enter campus, in or bl
$campus = "bl"
# $dept - Enter campus code
$dept = "REDACTED"

## Declare static variables
$hostname = $env:COMPUTERNAME.ToLower()
$arch = $env:PROCESSOR_ARCHITECTURE
$os = "win"
$dpsrv = "in-hnet-dps01.hnet.iupui.edu:8089"
$filename = "deploymentclient.conf"
$path1 = "C:\Program Files\SplunkUniversalForwarder\etc\apps\zzz_config_base"
$path2 = "C:\Program Files\SplunkUniversalForwarder\etc\apps\zzz_config_base\local\"
$fullfile = $path2+$filename
$msi64 = "splunkforwarder-6.2.3-264376-x64-release.msi"
$msi86 = "splunkforwarder-6.2.1-245427-x86-release.msi"
$service = "SplunkForwarder"
$file = @"
[deployment-client]
clientName = $campus-$os-$dept-$hostname

[target-broker:deploymentServer]
targetUri=$dpsrv
"@

############## Begin function logic ###############

## Detect server architecture
Function Get-Arch
{
    echo "Detecting architecture..."
    If ($arch -eq "AMD64")
    {
        echo "...done."
        Install-x64
    }
    ElseIf ($arch -eq "x86")
    {
        echo "...done."
        Install-x86
    }
    Else
    {
        Error-Handling "architecture detection"
    }
}

## Install x64 version of forwarder
function Install-x64
{
    echo "Installing x64 forwarder..."
    msiexec.exe /i $msi64 AGREETOLICENSE=Yes /log log.txt /quiet | out-null
    If ($LASTEXITCODE -eq "0")
    { 
        echo "...done."
        Put-File $campus
    }
    ElseIf ($LASTEXITCODE -ne "0")
    {
        Error-Handling "splunk installation x64"
    }
}

## Install x86 version of forwarder 
function Install-x86
{
    echo "Installing x86 forwarder..."
    msiexec.exe /i $msi86 AGREETOLICENSE=Yes /log log.txt /quiet | out-null
    If ($LASTEXITCODE -eq "0")
    { 
        echo "...done."
        Put-File $campus
    }
    ElseIf ($LASTEXITCODE -ne "0")
    {
        Error-Handling "splunk installation x86"
    }
}

## Create config directory and conf file
Function Put-File
{
    echo "Creating base directory and conf file..."
    If (Test-Path $fullfile)
    {
        del $fullfile
    }
    Else
    {
        New-Item -ItemType directory -Path "$path1"
        New-Item -ItemType directory -Path "$path2"
    }

    $file > $fullfile
    echo "...done."
    echo "Restarting Splunk service..."
    Stop-Service -Name "$service"
    #Set-Service -Name "$service" -StartupType Disabled
    Start-Service -Name "$service"
    echo "...done."
}

## Output any errors that occur
Function Error-Handling ($error)
{
    Write-Output "Encountered an error at $error."
}

############## Begin script execution #############

Get-Arch
echo "Script complete."

Yet, I continue to receive an error; log details may be found below:

=== Logging started: 6/16/2015  9:42:41 ===
Action start 9:42:41: INSTALL.
Action start 9:42:41: SetAllUsers.
SetAllUsers:  Info: Registry setting for current user is not found.
SetAllUsers:  Info: ALLUSERS value for the existing installation: -1.
SetAllUsers:  Info: Set ALLUSERS property to 1.
SetAllUsers:  Info: Leave SetAllUsers: 0x0.
Action ended 9:42:41: SetAllUsers. Return value 1.
Action start 9:42:41: FindRelatedProducts.
Action ended 9:42:41: FindRelatedProducts. Return value 0.
Action start 9:42:41: GetPreviousSettings.
GetPreviousSettings:  Info: found installed splunk products: 
GetPreviousSettings:  Info: ProductCode: {E9FDEF0E-18D8-4DC9-A263-1539E24FCCF1}, ProductName: UniversalForwarder, ProductVersion: 6.2.3.264376 
GetPreviousSettings:  Info: skip installing drivers. To override this setting use FORCEINSTALLDRIVERS=1
GetPreviousSettings:  Info: Number of splunk products installed: 1
GetPreviousSettings:  Info: Leave GetPreviousSettings: 0x0.
Action ended 9:42:41: GetPreviousSettings. Return value 1.
Action start 9:42:41: CheckSupportedOs.
Action ended 9:42:41: CheckSupportedOs. Return value 1.
Action start 9:42:41: ValidateProductID.
Action ended 9:42:41: ValidateProductID. Return value 1.
Action start 9:42:41: CostInitialize.
Action ended 9:42:41: CostInitialize. Return value 1.
Action start 9:42:41: FileCost.
Action ended 9:42:41: FileCost. Return value 1.
Action start 9:42:41: CostFinalize.
Action ended 9:42:41: CostFinalize. Return value 1.
Action start 9:42:41: StopSplunkService.
StopSplunkService:  Info: Properties: splunkHome: C:\Program Files\SplunkUniversalForwarder\, svcName: SplunkForwarder.
StopSplunkService:  Info: Enter.
StopSplunkService:  Info: SplunkForwarder service does not exists.
Action ended 9:42:41: StopSplunkService. Return value 1.
Action start 9:42:41: InstallValidate.
Action ended 9:42:41: InstallValidate. Return value 1.
Action start 9:42:41: InstallInitialize.
Action ended 9:42:41: InstallInitialize. Return value 1.
Action start 9:42:41: SaveInstallLocation.
Action ended 9:42:41: SaveInstallLocation. Return value 1.
Action start 9:42:41: CheckLicenseAgreement.
Action ended 9:42:41: CheckLicenseAgreement. Return value 1.
Action start 9:42:41: ProcessComponents.
Action ended 9:42:42: ProcessComponents. Return value 1.
Action start 9:42:42: UnpublishFeatures.
Action ended 9:42:42: UnpublishFeatures. Return value 1.
Action start 9:42:42: StopSplunkServiceDefData.
Action ended 9:42:42: StopSplunkServiceDefData. Return value 1.
Action start 9:42:42: StopSplunkServiceDef.
Action ended 9:42:42: StopSplunkServiceDef. Return value 1.
Action start 9:42:42: RemoveAccountFromGroupsData.
Action ended 9:42:42: RemoveAccountFromGroupsData. Return value 1.
Action start 9:42:42: RemoveAccountFromGroups.
Action ended 9:42:42: RemoveAccountFromGroups. Return value 1.
Action start 9:42:42: RemoveRightsFromRegistryData.
Action ended 9:42:42: RemoveRightsFromRegistryData. Return value 1.
Action start 9:42:42: RemoveRightsFromRegistry.
Action ended 9:42:42: RemoveRightsFromRegistry. Return value 1.
Action start 9:42:42: RemoveGroupAndRightsFromRegData.
Action ended 9:42:42: RemoveGroupAndRightsFromRegData. Return value 1.
Action start 9:42:42: RemoveGroupAndRightsFromReg.
Action ended 9:42:42: RemoveGroupAndRightsFromReg. Return value 1.
Action start 9:42:42: UninstallSplunkServiceData.
Action ended 9:42:42: UninstallSplunkServiceData. Return value 1.
Action start 9:42:42: UninstallSplunkService.
Action ended 9:42:42: UninstallSplunkService. Return value 1.
Action start 9:42:42: UninstallRegmonDrvData.
Action ended 9:42:42: UninstallRegmonDrvData. Return value 1.
Action start 9:42:42: UninstallRegmonDrv.
Action ended 9:42:42: UninstallRegmonDrv. Return value 1.
Action start 9:42:42: UninstallNetmonDrvData.
Action ended 9:42:42: UninstallNetmonDrvData. Return value 1.
Action start 9:42:42: UninstallNetmonDrv.
Action ended 9:42:42: UninstallNetmonDrv. Return value 1.
Action start 9:42:42: UninstallNohandleDrvData.
Action ended 9:42:42: UninstallNohandleDrvData. Return value 1.
Action start 9:42:42: UninstallNohandleDrv.
Action ended 9:42:42: UninstallNohandleDrv. Return value 1.
Action start 9:42:42: RemoveFiles.
Action ended 9:42:42: RemoveFiles. Return value 0.
Action start 9:42:42: RemoveSplunkHomeData.
Action ended 9:42:42: RemoveSplunkHomeData. Return value 1.
Action start 9:42:42: RemoveSplunkHome.
Action ended 9:42:42: RemoveSplunkHome. Return value 1.
Action start 9:42:42: InstallFiles.
Action ended 9:42:42: InstallFiles. Return value 1.
Action start 9:42:42: SetAclsData.
Action ended 9:42:42: SetAclsData. Return value 1.
Action start 9:42:42: SetAcls.
Action ended 9:42:42: SetAcls. Return value 1.
Action start 9:42:42: EnableEventLogsData.
Action ended 9:42:42: EnableEventLogsData. Return value 1.
Action start 9:42:42: EnableEventLogs.
Action ended 9:42:42: EnableEventLogs. Return value 1.
Action start 9:42:42: StartSplunkServiceData.
Action ended 9:42:42: StartSplunkServiceData. Return value 1.
Action start 9:42:42: StartSplunkService.
Action ended 9:42:42: StartSplunkService. Return value 1.
Action start 9:42:42: RegisterUser.
Action ended 9:42:42: RegisterUser. Return value 0.
Action start 9:42:42: RegisterProduct.
Action ended 9:42:42: RegisterProduct. Return value 1.
Action start 9:42:42: PublishFeatures.
Action ended 9:42:42: PublishFeatures. Return value 1.
Action start 9:42:42: PublishProduct.
Action ended 9:42:42: PublishProduct. Return value 1.
Action start 9:42:42: InstallFinalize.
StopSplunkServiceDef:  Warning: Invalid property ignored: FailCA=.
StopSplunkServiceDef:  Info: Properties: splunkHome: C:\Program Files\SplunkUniversalForwarder, svcName: SplunkForwarder.
StopSplunkServiceDef:  Info: Enter.
StopSplunkServiceDef:  Info: SplunkForwarder service does not exists.
RemoveAccountFromGroups:  Warning: Invalid property ignored: FailCA=.
RemoveAccountFromGroups:  Warn: empty user name from registry
RemoveRightsFromRegistry:  Warning: Invalid property ignored: FailCA=.
RemoveRightsFromRegistry:  Warn: cannot open key: SYSTEM\CurrentControlSet\services\SplunkForwarder.
RemoveRightsFromRegistry:  Warn: cannot RemoveRightsFromRegistry.
RemoveGroupAndRightsFromReg:  Warning: Invalid property ignored: FailCA=.
RemoveGroupAndRightsFromReg:  Info: key SYSTEM\CurrentControlSet\services\SplunkForwarder\ObjectName not found in registry
RemoveGroupAndRightsFromReg:  Info: key SYSTEM\CurrentControlSet\services\SplunkForwarder\RemoveAccountRights not found in registry
RemoveGroupAndRightsFromReg:  Info: key SYSTEM\CurrentControlSet\services\SplunkForwarder\RemoveLocalGroups not found in registry
UninstallSplunkService:  Warning: Invalid property ignored: FailCA=.
UninstallSplunkService:  Info: Properties: splunkHome: C:\Program Files\SplunkUniversalForwarder, svcName: SplunkForwarder.
UninstallSplunkService:  Info: Enter.
UninstallSplunkService:  Info: SplunkForwarder service does not exists.
UninstallRegmonDrv:  Warning: Invalid property ignored: FailCA=.
UninstallRegmonDrv:  Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv-win6.inf.
UninstallRegmonDrv:  Info: Enter.
UninstallRegmonDrv:  Info: Service: splunkdrv-win6, state: 1.
UninstallRegmonDrv:  Info: splunkdrv-win6 service does not exists.
UninstallRegmonDrv:  Error: DriverPackageUninstall failed with: 0x3.
UninstallRegmonDrv:  Warning: Failed to uninstall regmon driver.
UninstallNetmonDrv:  Warning: Invalid property ignored: FailCA=.
UninstallNetmonDrv:  Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\splknetdrv-vista.inf.
UninstallNetmonDrv:  Info: Enter.
UninstallNetmonDrv:  Info: Service: splknetdrv, state: 1.
UninstallNetmonDrv:  Info: splknetdrv service does not exists.
UninstallNetmonDrv:  Error: DriverPackageUninstall failed with: 0x3.
UninstallNetmonDrv:  Warning: Failed to uninstall netmon driver.
UninstallNohandleDrv:  Warning: Invalid property ignored: FailCA=.
UninstallNohandleDrv:  Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv-vista.inf.
UninstallNohandleDrv:  Info: Enter.
UninstallNohandleDrv:  Info: Service: SplunkMonitorNoHandle, state: 1.
UninstallNohandleDrv:  Info: SplunkMonitorNoHandle service does not exists.
UninstallNohandleDrv:  Error: DriverPackageUninstall failed with: 0x3.
UninstallNohandleDrv:  Warning: Failed to uninstall nohandle driver driver.
RemoveSplunkHome:  Warning: Invalid property ignored: KeepSplunkHome=.
RemoveSplunkHome:  Info: Remove SPLUNK_HOME directory.
RemoveSplunkHome:  Info: Enter. Args: rmdir /s /q "C:\Program Files\SplunkUniversalForwarder", 
RemoveSplunkHome:  Info: Execute string: cmd.exe /c "rmdir /s /q "C:\Program Files\SplunkUniversalForwarder"  >> "C:\Users\hcjkfadm\AppData\Local\Temp\splunk.log" 

2>&1"
RemoveSplunkHome:  Info: WaitForSingleObject returned : 0x0
RemoveSplunkHome:  Info: Exit code for process : 0x2
RemoveSplunkHome:  Info: Leave.
RemoveSplunkHome:  Warn: Failed to remove C:\Program Files\SplunkUniversalForwarder directory
SetAcls:  Warning: Invalid property ignored: FailCA=.
SetAcls:  Info: SetAcls: Apply admin ACLS to: C:\Program Files\SplunkUniversalForwarder\etc.
SetAcls:  Info: Enter. Args: icacls, "C:\Program Files\SplunkUniversalForwarder\etc" /T /C /grant *S-1-5-32-544:f
SetAcls:  Info: Execute string: cmd.exe /c "icacls "C:\Program Files\SplunkUniversalForwarder\etc" /T /C /grant *S-1-5-32-544:f >> "C:\Users\hcjkfadm\AppData\Local

\Temp\splunk.log" 2>&1"
SetAcls:  Info: WaitForSingleObject returned : 0x0
SetAcls:  Info: Exit code for process : 0x0
SetAcls:  Info: Leave.
SetAcls:  Info: SetAcls: Apply admin ACLS to: C:\Program Files\SplunkUniversalForwarder\var.
SetAcls:  Info: Enter. Args: icacls, "C:\Program Files\SplunkUniversalForwarder\var" /T /C /grant *S-1-5-32-544:f
SetAcls:  Info: Execute string: cmd.exe /c "icacls "C:\Program Files\SplunkUniversalForwarder\var" /T /C /grant *S-1-5-32-544:f >> "C:\Users\hcjkfadm\AppData\Local

\Temp\splunk.log" 2>&1"
SetAcls:  Info: WaitForSingleObject returned : 0x0
SetAcls:  Info: Exit code for process : 0x0
SetAcls:  Info: Leave.
EnableEventLogs:  Warning: Invalid property ignored: App=.
EnableEventLogs:  Warning: Invalid property ignored: Sec=.
EnableEventLogs:  Warning: Invalid property ignored: Sys=.
EnableEventLogs:  Warning: Invalid property ignored: Fwd=.
EnableEventLogs:  Warning: Invalid property ignored: Set=.
EnableEventLogs:  Warning: Invalid property ignored: FailCA=.
EnableEventLogs:  Warning: No event log is enabled. Skip the action.
StartSplunkService:  Warning: Invalid property ignored: FailCA=.
StartSplunkService:  Info: Properties: splunkHome: C:\Program Files\SplunkUniversalForwarder, svcName: SplunkForwarder, launch splunk: 1.
StartSplunkService:  Info: Enter.
StartSplunkService:  Error: SplunkForwarder service does not exists.
StartSplunkService:  Error 0x80004005: Splunkd service does not exist.
CustomAction StartSplunkService returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 9:42:58: InstallFinalize. Return value 3.
Action ended 9:42:58: INSTALL. Return value 3.
Property(S): UpgradeCode = {64B13631-6664-4F23-AFE2-98FCE86920BD}
Property(S): SET_ADMIN_USER = 1
Property(S): INSTALLDIR = C:\Program Files\SplunkUniversalForwarder\
Property(S): dirA5528701EE26FFBF346CCE20EE8ACE99 = C:\Program Files\SplunkUniversalForwarder\bin\
Property(S): dirE99B67BA83CA9B283DA87308D2AB32C0 = C:\Program Files\SplunkUniversalForwarder\bin\scripts\
Property(S): dir3E02976F57563947ADB6A8038DF4FCEF = C:\Program Files\SplunkUniversalForwarder\etc\
Property(S): dirFB7FAFCA28F7419DE35973B35C5D283E = C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\bin\
Property(S): dirA4925C017BDFD103F37D0BDE702E9C43 = C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\
Property(S): dir7C2F815EE2C9E7DBE85066CF5B056987 = C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\default\
Property(S): dir28F70AA0D15CA730061DB84FFE88D805 = C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\metadata\
Property(S): dir0ABBB45398994B5C89841ED05851776C = C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\
Property(S): dir05B2167CF0ED7EFD2AD93158875F568C = C:\Program Files\SplunkUniversalForwarder\etc\apps\search\lookups\
Property(S): dir66FC566CEF189328CCCC8589311D2503 = C:\Program Files\SplunkUniversalForwarder\etc\apps\search\metadata\
Property(S): dir2D2122E4CFDE8C263EEE7452554D6DA2 = C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\
Property(S): dirF389DCA026B8D0A2E829970DE12F66F0 = C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\metadata\
Property(S): dir2A81299A0652E91159BE1994DD92316A = C:\Program Files\SplunkUniversalForwarder\etc\auth\
Property(S): dir67189055EBCF5D1437F0A9D30368ED9C = C:\Program Files\SplunkUniversalForwarder\etc\deployment-apps\
Property(S): dirA6241AC9F2CFDD1D7D4327FB5A124C92 = C:\Program Files\SplunkUniversalForwarder\etc\disabled-apps\
Property(S): dir3F2ED1881D5C561B698B737D96419537 = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\exec\
Property(S): dir3C58D8B9DB7081CC9C009A2FA233FFFD = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\fschangemanager\
Property(S): dir623F2857FD6CE56C0C7472F3CF4B157E = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\structuredparsing\
Property(S): dirAAE2EA6FF6BFF3615E0F6ECB4F8B8317 = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\tailfile\
Property(S): dir40C5047ABE9F85BC416CF37384338C22 = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\TCP\
Property(S): dir500C5AB468B41B12914CAFC92914BB04 = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\UDP\
Property(S): dir350E86D3D8394619D5C56BE268AB8C03 = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\wineventlog\
Property(S): dir08A71AA8240CE634F2916BD8FD86AE9D = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\winparsing\
Property(S): dir36980B38D75840D0DF3C22965AFE352F = C:\Program Files\SplunkUniversalForwarder\etc\modules\parsing\
Property(S): dirEA4E77DDDE1ED87692CD92A2F7477FDA = C:\Program Files\SplunkUniversalForwarder\etc\myinstall\
Property(S): dir62FE35BBE7BD45CAEAB9D4261B2C1DA9 = C:\Program Files\SplunkUniversalForwarder\etc\shcluster\apps\
Property(S): dir7A9E1C63375946BEF53B8BCD2F9EB32B = C:\Program Files\SplunkUniversalForwarder\etc\shcluster\users\
Property(S): dir5320F257A67DB36A4CED85E00FC63DD0 = C:\Program Files\SplunkUniversalForwarder\etc\system\bin\
Property(S): dirBAC85229BB4A3494F5ECCB42AA1B824B = C:\Program Files\SplunkUniversalForwarder\etc\system\default\
Property(S): dirD3351CCE95594E87E2CC36C1024B5B4C = C:\Program Files\SplunkUniversalForwarder\etc\system\local\
Property(S): dir858D19BEE324185B277CA79FFC48EDEE = C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\
Property(S): dir5083584ADFC4261D3780F7B66CB3B7B3 = C:\Program Files\SplunkUniversalForwarder\etc\system\README\
Property(S): dir087F918F10A120B6907E2460F0868A49 = C:\Program Files\SplunkUniversalForwarder\etc\system\static\
Property(S): dirCC4BF51C3FB0120CE9B785729700549B = C:\Program Files\SplunkUniversalForwarder\lib\
Property(S): dir9777D8246D1EFF4BCE1BBB3725F54761 = C:\Program Files\SplunkUniversalForwarder\share\
Property(S): dirD3369B4CFA7BF6DCB57584A7F452CA0A = C:\Program Files\SplunkUniversalForwarder\share\splunk\
Property(S): dir9DF6D6597089BA01028EE58CBBF75736 = C:\Program Files\SplunkUniversalForwarder\share\splunk\3rdparty\
Property(S): WixUIRMOption = UseRM
Property(S): _UICertFile = UICertFile
Property(S): _UIRootCertFile = UIRootCertFile
Property(S): _UIMonPath = UIMonPath
Property(S): UIUseLocalSystem = 1
Property(S): UIUseBundledTA = 1
Property(S): _UIWinTAPath = UIWinTAPath
Property(S): WIXUI_INSTALLDIR = INSTALLDIR
Property(S): ALLUSERS = 1
Property(S): ARPNOMODIFY = yes
Property(S): ARPINSTALLLOCATION = C:\Program Files\SplunkUniversalForwarder\
Property(S): SetAcls = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): RemoveAccountFromGroups = SplunkSvcName=SplunkForwarder;FailCA=
Property(S): EnableEventLogs = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;App=; Sec=; Sys=;Fwd=; Set=;FailCA=
Property(S): RemoveGroupAndRightsFromReg = SplunkSvcName=SplunkForwarder;FailCA=
Property(S): RemoveRightsFromRegistry = SplunkSvcName=SplunkForwarder;FailCA=
Property(S): StartSplunkService = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;LaunchSplunk=1;FailCA=
Property(S): StopSplunkServiceDef = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;FailCA=
Property(S): UninstallSplunkService = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;SplunkSvcName=SplunkForwarder;FailCA=
Property(S): UninstallRegmonDrv = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): UninstallNetmonDrv = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): UninstallNohandleDrv = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;FailCA=
Property(S): RemoveSplunkHome = SplunkHome=C:\Program Files\SplunkUniversalForwarder\;KeepSplunkHome=
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): TARGETDIR = C:\
Property(S): SourceDir = C:\temp\
Property(S): dirFB744D04EDFDCD8AF58A1449ABBAD45F = C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\
Property(S): dirB06939592AE1B7F84A5F1802888016F6 = C:\Program Files\SplunkUniversalForwarder\etc\apps\
Property(S): dir1ACCD951EA5C77FB92B36E8AB9382509 = C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\
Property(S): dir302A0E4D0E8A28D4161D5640B55896DC = C:\Program Files\SplunkUniversalForwarder\etc\apps\search\
Property(S): dir060491FD1B1F02D6FE725F0B7611F71E = C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\
Property(S): dir4B3ADB252806E43AB420F8399AC61D45 = C:\Program Files\SplunkUniversalForwarder\etc\modules\input\
Property(S): dir613AD2632481811E0F84C80F31F4CD56 = C:\Program Files\SplunkUniversalForwarder\etc\modules\
Property(S): dir6EEC3061DFBF56B9D6D2F8CBEC90FE26 = C:\Program Files\SplunkUniversalForwarder\etc\shcluster\
Property(S): dirCFB1DCA36329665F066AABF5013AECA9 = C:\Program Files\SplunkUniversalForwarder\etc\system\
Property(S): Installed = 00:00:00
Property(S): Manufacturer = Splunk, Inc.
Property(S): ProductCode = {E9FDEF0E-18D8-4DC9-A263-1539E24FCCF1}
Property(S): ProductLanguage = 1033
Property(S): ProductName = UniversalForwarder
Property(S): ProductVersion = 6.2.3.264376
Property(S): ARPPRODUCTICON = WixSplunkIcon
Property(S): DefaultUIFont = WixUI_Font_Normal
Property(S): WixUI_Mode = InstallDir
Property(S): ErrorDialog = ErrorDlg
Property(S): SplunkSvcName = SplunkForwarder
Property(S): UIShowTADialog = 0
Property(S): UIRecvIdxValid = 0
Property(S): DoNotInstallDrivers = 1
Property(S): SplunkX86Msi = 0
Property(S): UICustomize = 0
Property(S): AGREETOLICENSE = Yes
Property(S): LAUNCHSPLUNK = 1
Property(S): os_OK = 1
Property(S): MSIRESTARTMANAGERCONTROL = Disable
Property(S): MSIDISABLERMRESTART = 1
Property(S): MSIRMSHUTDOWN = 2
Property(S): LEGACYDRV = 1
Property(S): AdminProperties = 

AGREETOLICENSE;CERTFILE;CERTPASSWORD;CLONEPREP;DEPLOYMENT_SERVER;DoNotInstallDrivers;ENABLEADMON;FAILCA;FORCEINSTALLDRIVERS;KEEPSPLUNKHOME;LAUNCHSPLUNK;LEGACYDRV;LOGON

_PASSWORD;LOGON_USERNAME;MONITOR_PATH;NEWERVERSIONDETECTED;os_OK;OtherSplunkProductsPresent;PERFMON;PREVPRODUCTCODE;RECEIVING_INDEXER;ROOTCACERTFILE;SET_ADMIN_USER;SPL

UNKD_PORT;UIAdmon;UIApplicationLog;UICertFile;UICertPassword;UIConfirmCertPassword;UIConfirmDomainPassword;UIDeplSrv;UIDeplSrvPort;UIDomainAccount;UIDomainPassword;UIF

orwardedEventsLog;UIMonPath;UINoDeplSrvOrIndexer;UIPerfCpu;UIPerfDisk;UIPerfMemory;UIPerfNetstat;UIRecvIdx;UIRecvIdxPort;UIRootCertFile;UISecurityLog;UISetupLog;UISyst

emLog;UIWinTAPath;WINDOWS_TA_LOCATION;WINDOWS_TA_VERSION;WINEVENTLOG_APP_ENABLE;WINEVENTLOG_FWD_ENABLE;WINEVENTLOG_SEC_ENABLE;WINEVENTLOG_SET_ENABLE;WINEVENTLOG_SYS_EN

ABLE
Property(S): SecureCustomProperties = ARPNOMODIFY;NEWERVERSIONDETECTED;PREVPRODUCTCODE
Property(S): MsiHiddenProperties = LOGON_PASSWORD;SetupServiceConfig
Property(S): MsiLogFileLocation = C:\temp\log.txt
Property(S): PackageCode = {D4CB9A66-98C1-43CE-9E20-3AEE5DE423A3}
Property(S): ProductState = 5
Property(S): ProductToBeRegistered = 1
Property(S): CURRENTDIRECTORY = C:\temp
Property(S): CLIENTUILEVEL = 3
Property(S): CLIENTPROCESSID = 1316
Property(S): PRODUCTLANGUAGE = 1033
Property(S): VersionDatabase = 200
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 601
Property(S): VersionNT64 = 601
Property(S): WindowsBuild = 7601
Property(S): ServicePackLevel = 1
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 3
Property(S): WindowsFolder = C:\Windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\Windows\system32\
Property(S): SystemFolder = C:\Windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\hcjkfadm\AppData\Local\Temp\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\hcjkfadm\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\hcjkfadm\Favorites\
Property(S): NetHoodFolder = C:\Users\hcjkfadm\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\hcjkfadm\Documents\
Property(S): PrintHoodFolder = C:\Users\hcjkfadm\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\hcjkfadm\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\hcjkfadm\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\hcjkfadm\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\hcjkfadm\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\Windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 2048
Property(S): VirtualMemory = 3423
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = hcjkfadm
Property(S): UserSID = S-1-5-21-1085031214-1292428093-527237240-1180986
Property(S): UserLanguageID = 1033
Property(S): ComputerName = REDACTED
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 19
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 9:42:58
Property(S): Date = 6/16/2015
Property(S): MsiNetAssemblySupport = 2.0.50727.5483
Property(S): MsiWin32AssemblySupport = 6.1.7601.17514
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): USERNAME = Windows User
Property(S): DATABASE = C:\Windows\Installer\2cb0b28b.msi
Property(S): OriginalDatabase = C:\temp\splunkforwarder-6.2.3-264376-x64-release.msi
Property(S): UILevel = 2
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
Property(S): SourcedirProduct = {E9FDEF0E-18D8-4DC9-A263-1539E24FCCF1}
Property(S): SOURCEDIR = C:\temp\
MSI (s) (9C:C4) [09:42:58:460]: Product: UniversalForwarder -- Configuration failed.

MSI (s) (9C:C4) [09:42:58:460]: Windows Installer reconfigured the product. Product Name: UniversalForwarder. Product Version: 6.2.3.264376. Product Language: 1033. 

Manufacturer: Splunk, Inc.. Reconfiguration success or error status: 1603.

=== Logging stopped: 6/16/2015  9:42:58 ===
0 Karma
Reply

fdi01
Motivator
‎06-16-2015 07:14 AM

see this link:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/DeployaWindowsdfmanually

Reply
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since, currently there’s no support for email ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...

What’s New With SOAR 6.3

Register here for our Security Edition Tech Talk on Wednesday, October 2 , 2024  |  11AM–12PM PTTune in to see ...