Splunk Agent installation failed 7.3.3

sood31
Observer

Splunk installation does not work on one server, and below are the logs. Could you please point us in the right direction: where to look and why this is failing?

We have already tried a clean boot/install and removed AV and any third-party security software to see whether that helps, but it does not. We rebooted the system multiple times with no luck and removed encryption with no luck. We are running out of ideas; if you could help, that would be great!

MSI (s) (4C:E4) [09:35:45:084]: Executing op: FileCopy(SourceName=ssmotatu.con|web.conf,SourceCabKey=filFFD0A48B92D564AD2586EEDC3AF570B4,DestName=web.conf,Attributes=512,FileSize=83,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=493118281,HashPart2=-1532812437,HashPart3=-875473769,HashPart4=68786463,,)
MSI (s) (4C:E4) [09:35:45:085]: File: C:\Program Files\BMW_SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\web.conf; To be installed; Won't patch; No existing file
MSI (s) (4C:E4) [09:35:45:085]: Source for file 'filFFD0A48B92D564AD2586EEDC3AF570B4' is compressed
MSI (s) (4C:E4) [09:35:45:086]: Executing op: CacheSizeFlush(,)
MSI (s) (4C:E4) [09:35:45:086]: Executing op: ActionStart(Name=RollbackRegmonDrv,,)
MSI (s) (4C:E4) [09:35:45:092]: Executing op: CustomActionSchedule(Action=RollbackRegmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:E4) [09:35:45:097]: Executing op: ActionStart(Name=InstallRegmonDrv,,)
MSI (s) (4C:E4) [09:35:45:098]: Executing op: CustomActionSchedule(Action=InstallRegmonDrv,ActionType=3073,Source=BinaryData,Target=InstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=)
MSI (s) (4C:F4) [09:35:45:103]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAC28.tmp, Entrypoint: InstallRegmonDrvCA
MSI (s) (4C:58) [09:35:45:104]: Generating random cookie.
MSI (s) (4C:58) [09:35:45:107]: Created Custom Action Server with PID 11196 (0x2BBC).
MSI (s) (4C:08) [09:35:45:127]: Running as a service.
MSI (s) (4C:08) [09:35:45:130]: Hello, I'm your 64bit Elevated Non-remapped custom action server.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:234]: Executing op: ActionStart(Name=RollbackNetmonDrv,,)
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunkdrv.inf.
MSI (s) (4C:E4) [09:35:45:235]: Executing op: CustomActionSchedule(Action=RollbackNetmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallNetmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:E4) [09:35:45:241]: Executing op: ActionStart(Name=InstallNetmonDrv,,)
MSI (s) (4C:E4) [09:35:45:242]: Executing op: CustomActionSchedule(Action=InstallNetmonDrv,ActionType=3073,Source=BinaryData,Target=InstallNetmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=)
MSI (s) (4C:30) [09:35:45:248]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIACB6.tmp, Entrypoint: InstallNetmonDrvCA
InstallNetmonDrv: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:346]: Executing op: ActionStart(Name=RollbackNohandleDrv,,)
InstallNetmonDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\splknetdrv.inf.
MSI (s) (4C:E4) [09:35:45:347]: Executing op: CustomActionSchedule(Action=RollbackNohandleDrv,ActionType=3329,Source=BinaryData,Target=UninstallNohandleDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:E4) [09:35:45:352]: Executing op: ActionStart(Name=InstallNohandleDrv,,)
MSI (s) (4C:E4) [09:35:45:353]: Executing op: CustomActionSchedule(Action=InstallNohandleDrv,ActionType=3073,Source=BinaryData,Target=InstallNohandleDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=)
MSI (s) (4C:D8) [09:35:45:359]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAD24.tmp, Entrypoint: InstallNohandleDrvCA
InstallNohandleDrv: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:456]: Executing op: ActionStart(Name=SavePasswordRules,,)
InstallNohandleDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf.
MSI (s) (4C:E4) [09:35:45:458]: Executing op: CustomActionSchedule(Action=SavePasswordRules,ActionType=3073,Source=BinaryData,Target=SavePasswordRulesCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;MinPasswordLowercaseLen=0;MinPasswordUppercaseLen=0;MinPasswordDigitLen=0;MinPasswordSpecialCharLen=0;MinPasswordLen=8;FailCA=)
MSI (s) (4C:2C) [09:35:45:463]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAD93.tmp, Entrypoint: SavePasswordRulesCA
MSI (s) (4C:E4) [09:35:45:485]: Executing op: ActionStart(Name=CreateFtr,,)
SavePasswordRules: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:486]: Executing op: CustomActionSchedule(Action=CreateFtr,ActionType=3073,Source=BinaryData,Target=CreateFtrCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:9C) [09:35:45:492]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIADB3.tmp, Entrypoint: CreateFtrCA
MSI (s) (4C:E4) [09:35:45:514]: Executing op: ActionStart(Name=FirstTimeRun,,)
CreateFtr: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:515]: Executing op: CustomActionSchedule(Action=FirstTimeRun,ActionType=3073,Source=BinaryData,Target=FirstTimeRunCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:08) [09:35:45:521]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIADD3.tmp, Entrypoint: FirstTimeRunCA
FirstTimeRun: Warning: Invalid property ignored: FailCA=.
FirstTimeRun: Info: Properties: splunkHome: C:\Program Files\BMW_SplunkUniversalForwarder.
FirstTimeRun: Info: Execute first time run.
FirstTimeRun: Info: Enter. Args: "C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe", _internal first-time-run --answer-yes --no-prompt
FirstTimeRun: Info: Execute string: cmd.exe /c ""C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\axy4933\AppData\Local\Temp\splunk.log" 2>&1"
FirstTimeRun: Info: WaitForSingleObject returned : 0x0
FirstTimeRun: Info: Exit code for process : 0xc0000409
FirstTimeRun: Info: Leave.
FirstTimeRun: Error: ExecCmd failed: 0xc0000409.
FirstTimeRun: Error 0x80004005: Cannot execute first time run.
CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (4C:E4) [09:35:45:886]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (4C:E4) [09:35:45:886]: User policy value 'DisableRollback' is 0
MSI (s) (4C:E4) [09:35:45:886]: Machine policy value 'DisableRollback' is 0
Action ended 09:35:45: InstallFinalize. Return value 3.

0 Karma

jho-splunk
Splunk Employee

Hi @sood31 ,

For some reason, Splunk is crashing.  Are you on the Splunk Community Slack?  I may be able to help you better there if you are.  You can join if you are not already: http://splk.it/slack

Cheers,

 - Jo.


0 Karma
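
The crash mentioned in the reply above appears in the posted MSI log as a nonzero child-process exit code. As an added example (not part of the thread and not Splunk's code), this Python script finds the custom action whose child process failed, decodes the exit code, and extracts the file the child's own output was redirected to, which is the next place to look. The sample input consists of lines taken from the log in the question; the function and variable names are assumptions made for this example.

```python
import re

# Codes from ntstatus.h / winerror.h that appear in installer failures.
KNOWN = {
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (stack cookie check or fail-fast abort)",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    1603: "ERROR_INSTALL_FAILURE (fatal error during installation)",
}

# Sample input: lines taken from the MSI log posted in the question.
SAMPLE_LOG = r'''
FirstTimeRun: Info: Execute string: cmd.exe /c ""C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\axy4933\AppData\Local\Temp\splunk.log" 2>&1"
FirstTimeRun: Info: WaitForSingleObject returned : 0x0
FirstTimeRun: Info: Exit code for process : 0xc0000409
FirstTimeRun: Error: ExecCmd failed: 0xc0000409.
FirstTimeRun: Error 0x80004005: Cannot execute first time run.
CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 09:35:45: InstallFinalize. Return value 3.
'''

EXEC_RE = re.compile(r"^(\w+): Info: Execute string: (.+)$")
EXIT_RE = re.compile(r"^(\w+): Info: Exit code for process : (0x[0-9a-fA-F]+)")
CA_RE = re.compile(r"^CustomAction (\w+) returned actual error code (\d+)")
END_RE = re.compile(r"^Action ended [\d:]+: (\w+)\. Return value 3\.")
REDIR_RE = re.compile(r'>>\s*"([^"]+)"')

def triage(log_text):
    """Find the custom action whose child process died, and where it logged."""
    out = {"action": None, "exit_code": None, "exit_meaning": None,
           "child_log": None, "msi_error": None, "failed_phase": None}
    commands = {}  # custom action name -> last command line it launched
    for line in map(str.strip, log_text.splitlines()):
        if m := EXEC_RE.match(line):
            commands[m.group(1)] = m.group(2)
        elif (m := EXIT_RE.match(line)) and int(m.group(2), 16) != 0:
            code = int(m.group(2), 16)
            redirect = REDIR_RE.search(commands.get(m.group(1), ""))
            out.update(action=m.group(1), exit_code=hex(code),
                       exit_meaning=KNOWN.get(code, "unknown"),
                       child_log=redirect.group(1) if redirect else None)
        elif m := CA_RE.match(line):
            out["msi_error"] = KNOWN.get(int(m.group(2)), m.group(2))
        elif m := END_RE.match(line):
            out["failed_phase"] = m.group(1)  # "Return value 3" marks a failed action
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
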

richgalloway
SplunkTrust

Have you tried installing a different version?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sood31
Observer

Yes, we have tried installing 7.0.3, but it also fails.

0 Karma

richgalloway
SplunkTrust

I suggest trying a newer version rather than an older one.

I see the directory name is BMW_SplunkUniversalForwarder, which is not the default.  Have you tried installing with the default directory name?

---
If this reply helps you, Karma would be appreciated.
0 Karma