Getting Data In

Why does attempting to install the Universal Forwarder on Windows via CLI fail?

mdsnmss
SplunkTrust
SplunkTrust

I'm trying to perform a simple command line install for Windows Universal Forwarder (UF) and can't seem to get the install to work. All I want is a basic quiet install that points the UF to our deployment server in order to receive the rest of the configurations. The command line I have used is:

msiexec.exe /i splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi AGREETOLICENSE="YES" DEPLOYMENT_SERVER=":8089" /quiet

The command executes but completes immediately. It was run as admin on the system. I also set logging for the command and received the following:

=== Verbose logging started: 1/17/2017  11:00:07  Build type: SHIP UNICODE 5.00.7601.00  Calling process: C:\Windows\system32\msiexec.exe ===

MSI (c) (70:18) [11:00:07:414]: Resetting cached policy values

MSI (c) (70:18) [11:00:07:414]: Machine policy value 'Debug' is 0

MSI (c) (70:18) [11:00:07:414]: ------- RunEngine:
           ------- Product: C:/Users/-user-/Desktop/splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi
           ------- Action: 
           ------- CommandLine: -------------

MSI (c) (70:18) [11:00:07:414]: Client-side and UI is none or basic: Running entire install on the server.

MSI (c) (70:18) [11:00:07:414]: Grabbed execution mutex.

MSI (c) (70:18) [11:00:07:445]: Cloaking enabled.

MSI (c) (70:18) [11:00:07:445]: Attempting to enable all disabled privileges before calling Install on Server

MSI (c) (70:18) [11:00:07:460]: Incrementing counter to disable shutdown. Counter after increment: 0

MSI (s) (FC:A8) [11:00:07:460]: Running installation inside multi-package transaction C:/Users//Desktop/splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi

MSI (s) (FC:A8) [11:00:07:460]: Grabbed execution mutex.

MSI (s) (FC:20) [11:00:07:460]: Resetting cached policy values

MSI (s) (FC:20) [11:00:07:460]: Machine policy value 'Debug' is 0

MSI (s) (FC:20) [11:00:07:460]: ------- RunEngine:
           ------- Product: C:/Users/-user-/Desktop/splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi
           ------- Action: 
           ------- CommandLine: ------------

MSI (s) (FC:20) [11:00:07:460]: Machine policy value 'DisableUserInstalls' is 0

MSI (s) (FC:20) [11:00:07:476]: SRSetRestorePoint skipped for this transaction.

MSI (s) (FC:20) [11:00:07:476]: Note: 1: 1314 2: /Users/-user-/Desktop/splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi 

MSI (s) (FC:20) [11:00:07:476]: MainEngineThread is returning 2

MSI (s) (FC:A8) [11:00:07:476]: No System Restore sequence number for this installation.

MSI (s) (FC:A8) [11:00:07:476]: User policy value 'DisableRollback' is 0

MSI (s) (FC:A8) [11:00:07:476]: Machine policy value 'DisableRollback' is 0

MSI (s) (FC:A8) [11:00:07:476]: Incrementing counter to disable shutdown. Counter after increment: 0

MSI (s) (FC:A8) [11:00:07:476]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 

MSI (s) (FC:A8) [11:00:07:492]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 

MSI (s) (FC:A8) [11:00:07:492]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress 3: 2 

MSI (s) (FC:A8) [11:00:07:492]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress 3: 2 

MSI (s) (FC:A8) [11:00:07:492]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1

MSI (s) (FC:A8) [11:00:07:492]: Restoring environment variables

MSI (c) (70:18) [11:00:07:492]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1

MSI (c) (70:18) [11:00:07:492]: MainEngineThread is returning 2
=== Verbose logging stopped: 1/17/2017  11:00:07 ===

I can install the UF fine without using the command line but I would like to include this in a package to perform the install remotely and quietly. Any help is greatly appreciated.

0 Karma
1 Solution

skalliger
Motivator

Try it like this:

msiexec.exe /i splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi INSTALLDIR="PATH\SplunkUniversalForwarder" AGREETOLICENSE=yes DEPLOYMENT_SERVER="YourHost:8089" /quiet

Note the missing " " after AGREETOLICENSE.

View solution in original post

0 Karma

skalliger
Motivator

Try it like this:

msiexec.exe /i splunkforwarder-6.4.2-00f5bb3fa822-x64-release.msi INSTALLDIR="PATH\SplunkUniversalForwarder" AGREETOLICENSE=yes DEPLOYMENT_SERVER="YourHost:8089" /quiet

Note the missing " " after AGREETOLICENSE.

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

No luck. I've tried it without quotes on that as well as with them on and off the DEPLOYMENT_SERVER option. Trying to specify INSTALLDIR the command will not execute. It pops up the msiexec options. Leaving out that option should just give us default anyway.

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

Looks like I messed up on some paths and file locations as well as messed up the quotes. Seems to be working now. Thanks for your help!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...