Getting Data In

Why does installing a forwarder using msiexec keeps failing?

sylim_splunk
Splunk Employee
Splunk Employee

We are installing a forwarder to new workstations using the command below;

*msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" /qn /l*v %windir%\temp\INSTALL_Splunk.log AGREETOLICENSE=Yes LOGON_USERNAME="domain\Splunk" LOGON_PASSWORD="mypassword" DEPLOYMENT_SERVER="192.168.0.1:8089" WINEVENTLOG_APP_ENABLE=1  WINEVENTLOG_SYS_ENABLE=1 SPLUNKPASSWORD=splunkpassword*

The error message in msi log is like below;

*MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=RollbackGroupAndRightsFromReg,ActionType=3329,Source=BinaryData,Target=RemoveGroupAndRightsFromRegCA,CustomActionData=SplunkSvcName=SplunkForwarder;FailCA=)
MSI (s) (50:5C) [12:54:19:999]: Executing op: ActionStart(Name=SaveGroupAndRightsToRegistry,,)
MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=SaveGroupAndRightsToRegistry,ActionType=3073,Source=BinaryData,Target=SaveGroupAndRightsToRegistryCA,CustomActionData=SplunkSvcName=SplunkForwarder;UserName=ODOT\SplunkUF;SetAdminUser=1;FailCA=)
MSI (s) (50:20) [12:54:19:999]: Invoking remote custom action. DLL: C:\windows\Installer\MSI6294.tmp, Entrypoint: SaveGroupAndRightsToRegistryCA
SaveGroupAndRightsToRegistry: Warning: Invalid property ignored: FailCA=.
SaveGroupAndRightsToRegistry: Error: cannot SaveGroupAndRightsToRegistry.
SaveGroupAndRightsToRegistry: Error 0x80004005: Cannot save rights to registry.
CustomAction SaveGroupAndRightsToRegistry returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)*
0 Karma
1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

It didn't work even after stopping the anti-virus scanner on workstations but we were able to work out a simpler command that worked.

msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" AGREETOLICENSE=1 DEPLOYMENT_SERVER="192.168.0.1:8089" SPLUNKPASSWORD=splunkpassword /qn /l*v %windir%\ccm\logs\INSTALL_Splunk.log

And from there we were able to push configurations using deployment server.

If you are not able to work it out even after that, you can contact splunk support with msi log and procmon data generated by following steps below;

=== Set Procmon to collect events for all processes during the repro : ====

1 Launch Procmon, this should immediately bring up the Process Monitor Filter dialogue
2 If the Process Monitor Filter dialogue is not showing, launch it by going to Filter | Filter...
3 Reset the list of filters
4 OK the dialogue
5 Ensure that File | Capture Events is ticked
6 Reproduce whatever issue it is that we are interested in;
Use /l*vx for msiexec instead of /l*v) so that it puts debugging logs.

7 Go to File | Save...
8 Under "Events to save:" ensure that "All events" is selected
9 Under "Format:" ensure that "Native Process Monitor Format (PML)" is selected
10 Choose appropriate Path:

11 OK

View solution in original post

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

It didn't work even after stopping the anti-virus scanner on workstations but we were able to work out a simpler command that worked.

msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" AGREETOLICENSE=1 DEPLOYMENT_SERVER="192.168.0.1:8089" SPLUNKPASSWORD=splunkpassword /qn /l*v %windir%\ccm\logs\INSTALL_Splunk.log

And from there we were able to push configurations using deployment server.

If you are not able to work it out even after that, you can contact splunk support with msi log and procmon data generated by following steps below;

=== Set Procmon to collect events for all processes during the repro : ====

1 Launch Procmon, this should immediately bring up the Process Monitor Filter dialogue
2 If the Process Monitor Filter dialogue is not showing, launch it by going to Filter | Filter...
3 Reset the list of filters
4 OK the dialogue
5 Ensure that File | Capture Events is ticked
6 Reproduce whatever issue it is that we are interested in;
Use /l*vx for msiexec instead of /l*v) so that it puts debugging logs.

7 Go to File | Save...
8 Under "Events to save:" ensure that "All events" is selected
9 Under "Format:" ensure that "Native Process Monitor Format (PML)" is selected
10 Choose appropriate Path:

11 OK

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

1.Open Command prompt as Administrator
2. run "sfc /SCANNOW" (Without quotes)
3. On a safe side, restart the system
4. Try installing Splunk.

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...