Splunk Agent installation failed 7.3.3

sood31 · ‎08-02-2021

Splunk installation does not work on one server and below are logs, could you pls point to right direction, where to look at and why this is failing.

We have already tried clean boot/Install, Removed AV and any third party security softwares to see that helps or not but it does not. Reboot system multiple times but no luck, Removed Encryption no luck, we are running out of ideas, if you could help, that would be great!

MSI (s) (4C:E4) [09:35:45:084]: Executing op: FileCopy(SourceName=ssmotatu.con|web.conf,SourceCabKey=filFFD0A48B92D564AD2586EEDC3AF570B4,DestName=web.conf,Attributes=512,FileSize=83,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=58982400,HashOptions=0,HashPart1=493118281,HashPart2=-1532812437,HashPart3=-875473769,HashPart4=68786463,,)
MSI (s) (4C:E4) [09:35:45:085]: File: C:\Program Files\BMW_SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\web.conf; To be installed; Won't patch; No existing file
MSI (s) (4C:E4) [09:35:45:085]: Source for file 'filFFD0A48B92D564AD2586EEDC3AF570B4' is compressed
MSI (s) (4C:E4) [09:35:45:086]: Executing op: CacheSizeFlush(,)
MSI (s) (4C:E4) [09:35:45:086]: Executing op: ActionStart(Name=RollbackRegmonDrv,,)
MSI (s) (4C:E4) [09:35:45:092]: Executing op: CustomActionSchedule(Action=RollbackRegmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:E4) [09:35:45:097]: Executing op: ActionStart(Name=InstallRegmonDrv,,)
MSI (s) (4C:E4) [09:35:45:098]: Executing op: CustomActionSchedule(Action=InstallRegmonDrv,ActionType=3073,Source=BinaryData,Target=InstallRegmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=)
MSI (s) (4C:F4) [09:35:45:103]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAC28.tmp, Entrypoint: InstallRegmonDrvCA
MSI (s) (4C:58) [09:35:45:104]: Generating random cookie.
MSI (s) (4C:58) [09:35:45:107]: Created Custom Action Server with PID 11196 (0x2BBC).
MSI (s) (4C:08) [09:35:45:127]: Running as a service.
MSI (s) (4C:08) [09:35:45:130]: Hello, I'm your 64bit Elevated Non-remapped custom action server.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:234]: Executing op: ActionStart(Name=RollbackNetmonDrv,,)
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunkdrv.inf.
MSI (s) (4C:E4) [09:35:45:235]: Executing op: CustomActionSchedule(Action=RollbackNetmonDrv,ActionType=3329,Source=BinaryData,Target=UninstallNetmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:E4) [09:35:45:241]: Executing op: ActionStart(Name=InstallNetmonDrv,,)
MSI (s) (4C:E4) [09:35:45:242]: Executing op: CustomActionSchedule(Action=InstallNetmonDrv,ActionType=3073,Source=BinaryData,Target=InstallNetmonDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=)
MSI (s) (4C:30) [09:35:45:248]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIACB6.tmp, Entrypoint: InstallNetmonDrvCA
InstallNetmonDrv: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:346]: Executing op: ActionStart(Name=RollbackNohandleDrv,,)
InstallNetmonDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\splknetdrv.inf.
MSI (s) (4C:E4) [09:35:45:347]: Executing op: CustomActionSchedule(Action=RollbackNohandleDrv,ActionType=3329,Source=BinaryData,Target=UninstallNohandleDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:E4) [09:35:45:352]: Executing op: ActionStart(Name=InstallNohandleDrv,,)
MSI (s) (4C:E4) [09:35:45:353]: Executing op: CustomActionSchedule(Action=InstallNohandleDrv,ActionType=3073,Source=BinaryData,Target=InstallNohandleDrvCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;LEGACYDRV=1;FailCA=)
MSI (s) (4C:D8) [09:35:45:359]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAD24.tmp, Entrypoint: InstallNohandleDrvCA
InstallNohandleDrv: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:456]: Executing op: ActionStart(Name=SavePasswordRules,,)
InstallNohandleDrv: Info: Driver inf file: C:\Program Files\BMW_SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf.
MSI (s) (4C:E4) [09:35:45:458]: Executing op: CustomActionSchedule(Action=SavePasswordRules,ActionType=3073,Source=BinaryData,Target=SavePasswordRulesCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;MinPasswordLowercaseLen=0;MinPasswordUppercaseLen=0;MinPasswordDigitLen=0;MinPasswordSpecialCharLen=0;MinPasswordLen=8;FailCA=)
MSI (s) (4C:2C) [09:35:45:463]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAD93.tmp, Entrypoint: SavePasswordRulesCA
MSI (s) (4C:E4) [09:35:45:485]: Executing op: ActionStart(Name=CreateFtr,,)
SavePasswordRules: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:486]: Executing op: CustomActionSchedule(Action=CreateFtr,ActionType=3073,Source=BinaryData,Target=CreateFtrCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:9C) [09:35:45:492]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIADB3.tmp, Entrypoint: CreateFtrCA
MSI (s) (4C:E4) [09:35:45:514]: Executing op: ActionStart(Name=FirstTimeRun,,)
CreateFtr: Warning: Invalid property ignored: FailCA=.
MSI (s) (4C:E4) [09:35:45:515]: Executing op: CustomActionSchedule(Action=FirstTimeRun,ActionType=3073,Source=BinaryData,Target=FirstTimeRunCA,CustomActionData=SplunkHome=C:\Program Files\BMW_SplunkUniversalForwarder\;FailCA=)
MSI (s) (4C:08) [09:35:45:521]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIADD3.tmp, Entrypoint: FirstTimeRunCA
FirstTimeRun: Warning: Invalid property ignored: FailCA=.
FirstTimeRun: Info: Properties: splunkHome: C:\Program Files\BMW_SplunkUniversalForwarder.
FirstTimeRun: Info: Execute first time run.
FirstTimeRun: Info: Enter. Args: "C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe", _internal first-time-run --answer-yes --no-prompt
FirstTimeRun: Info: Execute string: cmd.exe /c ""C:\Program Files\BMW_SplunkUniversalForwarder\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\axy4933\AppData\Local\Temp\splunk.log" 2>&1"
FirstTimeRun: Info: WaitForSingleObject returned : 0x0
FirstTimeRun: Info: Exit code for process : 0xc0000409
FirstTimeRun: Info: Leave.
FirstTimeRun: Error: ExecCmd failed: 0xc0000409.
FirstTimeRun: Error 0x80004005: Cannot execute first time run.
CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (4C:E4) [09:35:45:886]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (4C:E4) [09:35:45:886]: User policy value 'DisableRollback' is 0
MSI (s) (4C:E4) [09:35:45:886]: Machine policy value 'DisableRollback' is 0
Action ended 09:35:45: InstallFinalize. Return value 3.

jho-splunk · ‎08-04-2021

Hi @sood31 ,

For some reason, Splunk is crashing. Are you on the Splunk Community Slack? I may be able to help you better there if you are. You can join if you are not already: http://splk.it/slack

Cheers,

- Jo.

richgalloway · ‎08-03-2021

Have you tried installing a different version?

---
If this reply helps you, Karma would be appreciated.

sood31 · ‎08-03-2021

Yes, have tried installation 7.0.3 but it fails also

richgalloway · ‎08-04-2021

I suggest trying a newer version rather than an older one.

I see the directory name is BMW_SplunkUniversalForwarder, which is not the default. Have you tried installing with the default directory name?

---
If this reply helps you, Karma would be appreciated.

Splunk Agent installation failed 7.3.3

universal forwarder

Windows

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!