Installation

Powershell Universal Forwarder Installation not working?

jmancyber
Explorer

I'm trying to test the installation of a uf on my windows device for later deployment for work, but the script just doesn't seem to take into account the flags I specify. 

msiexec.exe /i "splunkforwarder.msi" AGREETOLICENSE=yes SPLUNKUSERNAME=Admin SPLUNKPASSWORD=Password /qn

If I take out the /qn it will just open the normal UF install wizard.

I'm not sure what's going on. I feel as though everything is correct.

Labels (3)
0 Karma
1 Solution

jmancyber
Explorer

Hey @jho-splunk,

Apologies for the late response, got caught up in work. I figured out that the file I had been trying to run was being automatically protected which was fixed by simply going into the properties and unchecking a box. From there everything was fixed I appreciate the help as the info found from looking into the logs helped tremendously with weeding out the other issues!

Thank you,

-J

View solution in original post

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hi @jmancyber,

Have you tried enabling logging (something like: /l*vx msiexec.log)?  Does it acknowledge those parameters as being set?  What's the last thing it does just before it fails (search for "return value 3").

Cheers,

 

 - Jo.

 

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

I enabled logging and saw there was an error with my password complexity and I needed to run as admin, upon doing so it still doesn't seem to work.

jmancyber_0-1685020996773.png

 

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hi @jmancyber,

Oh dear.  Is this an upgrade?  Does this file exist: C:\IntunePacker\SourceSplunk\splunkforwarder.msi?

Cheers,

 

 - Jo.

0 Karma

jmancyber
Explorer

Oh nope it's  a completely fresh install, just testing for future deployment and that was the folder I have it in. The msi is a file straight off of the splunk download page and I am running straight from file the msi is found in.

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hi @jmancyber,

Well, it looks like msiexec.exe doesn't think it exists.  Are you maybe assuming something about the current working directory that may not be true?

Cheers,

 

 - Jo.

 

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

Apologies for the late response, got caught up in work. I figured out that the file I had been trying to run was being automatically protected which was fixed by simply going into the properties and unchecking a box. From there everything was fixed I appreciate the help as the info found from looking into the logs helped tremendously with weeding out the other issues!

Thank you,

-J

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hey @jmancyber,

Oh, that's a great find.  Thanks for reporting back, it's always helpful!

Cheers,

 

 - Jo.

 

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

So upon looking at those logs I saw that I had to run as admin and my password complexity needed to be more robust. After fixing this it still doesn't seem to work and I get the following after the command runs(deleted most of the cached product context logs for character limits sake):

=== Verbose logging started: 5/25/2023 9:15:43 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (C0:90) [09:15:43:676]: Resetting cached policy values
MSI (c) (C0:90) [09:15:43:676]: Machine policy value 'Debug' is 0
MSI (c) (C0:90) [09:15:43:676]: ******* RunEngine:
******* Product: splunkforwarder.msi
******* Action:
******* CommandLine: **********
MSI (c) (C0:90) [09:15:43:676]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (C0:90) [09:15:43:676]: Grabbed execution mutex.
MSI (c) (C0:90) [09:15:43:692]: Cloaking enabled.
MSI (c) (C0:90) [09:15:43:692]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (C0:90) [09:15:43:692]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (1C:58) [09:15:43:692]: Running installation inside multi-package transaction C:\IntunePacker\SourceSplunk\splunkforwarder.msi
MSI (s) (1C:58) [09:15:43:692]: Grabbed execution mutex.
MSI (s) (1C:14) [09:15:43:692]: Resetting cached policy values
MSI (s) (1C:14) [09:15:43:692]: Machine policy value 'Debug' is 0
MSI (s) (1C:14) [09:15:43:692]: ******* RunEngine:
******* Product: C:\IntunePacker\SourceSplunk\splunkforwarder.msi
******* Action:
******* CommandLine: **********
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: F60730A4A66673047777F5728467D401
MSI (s) (1C:14) [09:15:43:708]: Setting cached product context: machine assigned for product: FC5DAE63FE44FCF4B81E9DC684537D4A
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: FC5DAE63FE44FCF4B81E9DC684537D4A
MSI (s) (1C:14) [09:15:43:708]: Setting cached product context: machine assigned for product: FD59EB73A00F35141B2F80DB1735642E
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: FD59EB73A00F35141B2F80DB1735642E
MSI (s) (1C:14) [09:15:43:708]: Setting cached product context: machine assigned for product: FE2CADEB2ABD52B458A7D73F58AF46E5
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: FE2CADEB2ABD52B458A7D73F58AF46E5
MSI (s) (1C:14) [09:15:43:708]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (1C:14) [09:15:43:708]: SRSetRestorePoint skipped for this transaction.
MSI (s) (1C:14) [09:15:43:708]: Note: 1: 1309 2: 5 3: C:\IntunePacker\SourceSplunk\splunkforwarder.msi
MSI (s) (1C:14) [09:15:43:708]: MainEngineThread is returning 110
MSI (s) (1C:58) [09:15:43:723]: No System Restore sequence number for this installation.
The system cannot open the device or file specified.
MSI (s) (1C:58) [09:15:43:723]: User policy value 'DisableRollback' is 0
MSI (s) (1C:58) [09:15:43:723]: Machine policy value 'DisableRollback' is 0
MSI (s) (1C:58) [09:15:43:723]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (1C:58) [09:15:43:723]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (1C:58) [09:15:43:723]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (1C:58) [09:15:43:723]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (C0:90) [09:15:43:723]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (C0:90) [09:15:43:723]: MainEngineThread is returning 110
=== Verbose logging stopped: 5/25/2023 9:15:43 ===

MSI (s) (1C:58) [09:15:43:723]: Machine policy value 'DisableRollback' is 0
MSI (s) (1C:58) [09:15:43:723]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (1C:58) [09:15:43:723]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (1C:58) [09:15:43:723]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (1C:58) [09:15:43:723]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (C0:90) [09:15:43:723]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (C0:90) [09:15:43:723]: MainEngineThread is returning 110
=== Verbose logging stopped: 5/25/2023 9:15:43 ===

 

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

So as I was looking at the logs, I saw there was an error with both password complexity and I wasn't running from an admin powershell. Here is what I now get after the large  block of "cached product context" logs

MSI (s) (54:10) [19:15:44:938]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (54:10) [19:15:44:938]: SRSetRestorePoint skipped for this transaction.
MSI (s) (54:10) [19:15:44:947]: Note: 1: 1309 2: 5 3: C:\IntunePacker\SourceSplunk\splunkforwarder.msi
MSI (s) (54:10) [19:15:44:947]: MainEngineThread is returning 110
MSI (s) (54:20) [19:15:44:947]: No System Restore sequence number for this installation.
The system cannot open the device or file specified.
MSI (s) (54:20) [19:15:44:947]: User policy value 'DisableRollback' is 0
MSI (s) (54:20) [19:15:44:947]: Machine policy value 'DisableRollback' is 0
MSI (s) (54:20) [19:15:44:947]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (54:20) [19:15:44:947]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (54:20) [19:15:44:947]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (54:20) [19:15:44:947]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (4C:6C) [19:15:44:947]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (4C:6C) [19:15:44:947]: MainEngineThread is returning 110
=== Verbose logging stopped: 5/24/2023 19:15:44 ===

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...