Getting Data In

Why does installing a forwarder using msiexec keeps failing?

sylim_splunk
Splunk Employee
Splunk Employee

We are installing a forwarder to new workstations using the command below;

*msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" /qn /l*v %windir%\temp\INSTALL_Splunk.log AGREETOLICENSE=Yes LOGON_USERNAME="domain\Splunk" LOGON_PASSWORD="mypassword" DEPLOYMENT_SERVER="192.168.0.1:8089" WINEVENTLOG_APP_ENABLE=1  WINEVENTLOG_SYS_ENABLE=1 SPLUNKPASSWORD=splunkpassword*

The error message in msi log is like below;

*MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=RollbackGroupAndRightsFromReg,ActionType=3329,Source=BinaryData,Target=RemoveGroupAndRightsFromRegCA,CustomActionData=SplunkSvcName=SplunkForwarder;FailCA=)
MSI (s) (50:5C) [12:54:19:999]: Executing op: ActionStart(Name=SaveGroupAndRightsToRegistry,,)
MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=SaveGroupAndRightsToRegistry,ActionType=3073,Source=BinaryData,Target=SaveGroupAndRightsToRegistryCA,CustomActionData=SplunkSvcName=SplunkForwarder;UserName=ODOT\SplunkUF;SetAdminUser=1;FailCA=)
MSI (s) (50:20) [12:54:19:999]: Invoking remote custom action. DLL: C:\windows\Installer\MSI6294.tmp, Entrypoint: SaveGroupAndRightsToRegistryCA
SaveGroupAndRightsToRegistry: Warning: Invalid property ignored: FailCA=.
SaveGroupAndRightsToRegistry: Error: cannot SaveGroupAndRightsToRegistry.
SaveGroupAndRightsToRegistry: Error 0x80004005: Cannot save rights to registry.
CustomAction SaveGroupAndRightsToRegistry returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)*
0 Karma
1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

It didn't work even after stopping the anti-virus scanner on workstations but we were able to work out a simpler command that worked.

msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" AGREETOLICENSE=1 DEPLOYMENT_SERVER="192.168.0.1:8089" SPLUNKPASSWORD=splunkpassword /qn /l*v %windir%\ccm\logs\INSTALL_Splunk.log

And from there we were able to push configurations using deployment server.

If you are not able to work it out even after that, you can contact splunk support with msi log and procmon data generated by following steps below;

=== Set Procmon to collect events for all processes during the repro : ====

1 Launch Procmon, this should immediately bring up the Process Monitor Filter dialogue
2 If the Process Monitor Filter dialogue is not showing, launch it by going to Filter | Filter...
3 Reset the list of filters
4 OK the dialogue
5 Ensure that File | Capture Events is ticked
6 Reproduce whatever issue it is that we are interested in;
Use /l*vx for msiexec instead of /l*v) so that it puts debugging logs.

7 Go to File | Save...
8 Under "Events to save:" ensure that "All events" is selected
9 Under "Format:" ensure that "Native Process Monitor Format (PML)" is selected
10 Choose appropriate Path:

11 OK

View solution in original post

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

It didn't work even after stopping the anti-virus scanner on workstations but we were able to work out a simpler command that worked.

msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" AGREETOLICENSE=1 DEPLOYMENT_SERVER="192.168.0.1:8089" SPLUNKPASSWORD=splunkpassword /qn /l*v %windir%\ccm\logs\INSTALL_Splunk.log

And from there we were able to push configurations using deployment server.

If you are not able to work it out even after that, you can contact splunk support with msi log and procmon data generated by following steps below;

=== Set Procmon to collect events for all processes during the repro : ====

1 Launch Procmon, this should immediately bring up the Process Monitor Filter dialogue
2 If the Process Monitor Filter dialogue is not showing, launch it by going to Filter | Filter...
3 Reset the list of filters
4 OK the dialogue
5 Ensure that File | Capture Events is ticked
6 Reproduce whatever issue it is that we are interested in;
Use /l*vx for msiexec instead of /l*v) so that it puts debugging logs.

7 Go to File | Save...
8 Under "Events to save:" ensure that "All events" is selected
9 Under "Format:" ensure that "Native Process Monitor Format (PML)" is selected
10 Choose appropriate Path:

11 OK

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

1.Open Command prompt as Administrator
2. run "sfc /SCANNOW" (Without quotes)
3. On a safe side, restart the system
4. Try installing Splunk.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...