Getting Data In

Why does installing a forwarder using msiexec keeps failing?

sylim_splunk
Splunk Employee
Splunk Employee

We are installing a forwarder to new workstations using the command below;

*msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" /qn /l*v %windir%\temp\INSTALL_Splunk.log AGREETOLICENSE=Yes LOGON_USERNAME="domain\Splunk" LOGON_PASSWORD="mypassword" DEPLOYMENT_SERVER="192.168.0.1:8089" WINEVENTLOG_APP_ENABLE=1  WINEVENTLOG_SYS_ENABLE=1 SPLUNKPASSWORD=splunkpassword*

The error message in msi log is like below;

*MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=RollbackGroupAndRightsFromReg,ActionType=3329,Source=BinaryData,Target=RemoveGroupAndRightsFromRegCA,CustomActionData=SplunkSvcName=SplunkForwarder;FailCA=)
MSI (s) (50:5C) [12:54:19:999]: Executing op: ActionStart(Name=SaveGroupAndRightsToRegistry,,)
MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=SaveGroupAndRightsToRegistry,ActionType=3073,Source=BinaryData,Target=SaveGroupAndRightsToRegistryCA,CustomActionData=SplunkSvcName=SplunkForwarder;UserName=ODOT\SplunkUF;SetAdminUser=1;FailCA=)
MSI (s) (50:20) [12:54:19:999]: Invoking remote custom action. DLL: C:\windows\Installer\MSI6294.tmp, Entrypoint: SaveGroupAndRightsToRegistryCA
SaveGroupAndRightsToRegistry: Warning: Invalid property ignored: FailCA=.
SaveGroupAndRightsToRegistry: Error: cannot SaveGroupAndRightsToRegistry.
SaveGroupAndRightsToRegistry: Error 0x80004005: Cannot save rights to registry.
CustomAction SaveGroupAndRightsToRegistry returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)*
0 Karma
1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

It didn't work even after stopping the anti-virus scanner on workstations but we were able to work out a simpler command that worked.

msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" AGREETOLICENSE=1 DEPLOYMENT_SERVER="192.168.0.1:8089" SPLUNKPASSWORD=splunkpassword /qn /l*v %windir%\ccm\logs\INSTALL_Splunk.log

And from there we were able to push configurations using deployment server.

If you are not able to work it out even after that, you can contact splunk support with msi log and procmon data generated by following steps below;

=== Set Procmon to collect events for all processes during the repro : ====

1 Launch Procmon, this should immediately bring up the Process Monitor Filter dialogue
2 If the Process Monitor Filter dialogue is not showing, launch it by going to Filter | Filter...
3 Reset the list of filters
4 OK the dialogue
5 Ensure that File | Capture Events is ticked
6 Reproduce whatever issue it is that we are interested in;
Use /l*vx for msiexec instead of /l*v) so that it puts debugging logs.

7 Go to File | Save...
8 Under "Events to save:" ensure that "All events" is selected
9 Under "Format:" ensure that "Native Process Monitor Format (PML)" is selected
10 Choose appropriate Path:

11 OK

View solution in original post

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

It didn't work even after stopping the anti-virus scanner on workstations but we were able to work out a simpler command that worked.

msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" AGREETOLICENSE=1 DEPLOYMENT_SERVER="192.168.0.1:8089" SPLUNKPASSWORD=splunkpassword /qn /l*v %windir%\ccm\logs\INSTALL_Splunk.log

And from there we were able to push configurations using deployment server.

If you are not able to work it out even after that, you can contact splunk support with msi log and procmon data generated by following steps below;

=== Set Procmon to collect events for all processes during the repro : ====

1 Launch Procmon, this should immediately bring up the Process Monitor Filter dialogue
2 If the Process Monitor Filter dialogue is not showing, launch it by going to Filter | Filter...
3 Reset the list of filters
4 OK the dialogue
5 Ensure that File | Capture Events is ticked
6 Reproduce whatever issue it is that we are interested in;
Use /l*vx for msiexec instead of /l*v) so that it puts debugging logs.

7 Go to File | Save...
8 Under "Events to save:" ensure that "All events" is selected
9 Under "Format:" ensure that "Native Process Monitor Format (PML)" is selected
10 Choose appropriate Path:

11 OK

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

1.Open Command prompt as Administrator
2. run "sfc /SCANNOW" (Without quotes)
3. On a safe side, restart the system
4. Try installing Splunk.

0 Karma
Get Updates on the Splunk Community!

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...