Re: Universal Forwarder Setup Wizard Ended Prematu...

Entity1 · ‎02-21-2023

I'm trying to deploy the Splunk UF on Windows Server 2019 boxes. It fails giving me an message that the forwader installation wizard ended prematurely. I have the following MSI log.

MSI (s) (F0:64) [05:57:42:567]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
MSI (s) (F0:64) [05:57:42:573]: Machine policy value 'LimitSystemRestoreCheckpointing' is 0
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 1715 2: UniversalForwarder 
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 2205 2: 3: Error 
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1715 
MSI (s) (F0:64) [05:57:42:573]: Calling SRSetRestorePoint API. dwRestorePtType: 0, dwEventType: 102, llSequenceNumber: 0, szDescription: "Installed UniversalForwarder".
MSI (s) (F0:64) [05:57:42:573]: The call to SRSetRestorePoint API failed. Returned status: 0. GetLastError() returned: 127
MSI (s) (F0:64) [05:57:42:577]: File will have security applied from OpCode.
MSI (s) (F0:64) [05:57:42:674]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi' against software restriction policy
MSI (s) (F0:64) [05:57:42:674]: SOFTWARE RESTRICTION POLICY: C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi has a digital signature
MSI (s) (F0:64) [05:57:43:406]: SOFTWARE RESTRICTION POLICY: C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (F0:64) [05:57:43:406]: Creating MSIHANDLE (375) of type 790542 for thread 4708
MSI (s) (F0:64) [05:57:43:406]: MSCOREE not loaded loading copy from system32
MSI (s) (F0:64) [05:57:43:406]: End dialog not enabled
MSI (s) (F0:64) [05:57:43:406]: Original package ==> C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi
MSI (s) (F0:64) [05:57:43:406]: Package we're running from ==> C:\Windows\Installer\12c17059.msi
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6C243C23-42E6-46E7-AECC-81428601A55E}'.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'TransformsSecure' is 1
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisablePatch' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (F0:64) [05:57:43:422]: Enabling baseline caching for this transaction since all active patches are MSI 3.0 style MSPs or at least one MSI 3.0 minor update patch is active
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6C243C23-42E6-46E7-AECC-81428601A55E}'.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:64) [05:57:43:422]: Transforms are not secure.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\Administrator\Downloads\msiexec.log'.
MSI (s) (F0:64) [05:57:43:422]: Command Line: INSTALLDIR=C:\Program Files\SplunkUniversalForwarder\ TARGETDIR=C:\ AGREETOLICENSE=Yes GENRANDOMPASSWORD=0 CURRENTDIRECTORY=C:\Users\Administrator\Downloads CLIENTUILEVEL=0 CLIENTPROCESSID=4760 USERNAME=Windows User SOURCEDIR=C:\Users\Administrator\Downloads\ ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE=C:\ INSTALLLEVEL=1 SECONDSEQUENCE=1 WIXUI_INSTALLDIR_VALID=1 MONITOR_PATH=C:\Windows\NTDS RECEIVING_INDEXER=172.16.1.3:9997 WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=0 WINEVENTLOG_SET_ENABLE=0 ENABLEADMON=1 LOGON_PASSWORD=********** LOGON_USERNAME=splunk SPLUNKPASSWORD=********** SPLUNKUSERNAME=********** DEPLOYMENT_SERVER=172.16.1.3:8089 ADDLOCAL=Complete ACTION=INSTALL 
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{405F297E-93B0-496F-AD0C-D7EAA614048F}'.
MSI (s) (F0:64) [05:57:43:422]: Product Code passed to Engine.Initialize: ''
MSI (s) (F0:64) [05:57:43:422]: Product Code from property table before transforms: '{6C243C23-42E6-46E7-AECC-81428601A55E}'
MSI (s) (F0:64) [05:57:43:422]: Product Code from property table after transforms: '{6C243C23-42E6-46E7-AECC-81428601A55E}'
MSI (s) (F0:64) [05:57:43:422]: Product not registered: beginning first-time install

MSI (s) (F0:64) [05:57:43:422]: Package name extracted from package path: 'splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
MSI (s) (F0:64) [05:57:43:422]: Package to be registered: 'splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
MSI (s) (F0:64) [05:57:43:422]: Note: 1: 2205 2: 3: Error 
MSI (s) (F0:64) [05:57:43:422]: Note: 1: 2262 2: AdminProperties 3: -2147287038 
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableMsi' is 1
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:64) [05:57:43:422]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:64) [05:57:43:422]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (F0:64) [05:57:43:422]: Running product '{6C243C23-42E6-46E7-AECC-81428601A55E}' with elevated privileges: Product is assigned.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding INSTALLDIR property. Its value is 'C:\Program Files\SplunkUniversalForwarder\'.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.

InstallFiles: File: Copying new files, Directory: , Size: 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: Patch 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: Patch 4: SELECT `Patch`.`File_`, `Patch`.`Header`, `Patch`.`Attributes`, `Patch`.`Sequence`, `Patch`.`StreamRef_` FROM `Patch` WHERE `Patch`.`File_` = ? AND `Patch`.`#_MsiActive`=? ORDER BY `Patch`.`Sequence` 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: Error 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1302 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiSFCBypass 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: MsiSFCBypass 4: SELECT `File_` FROM `MsiSFCBypass` WHERE `File_` = ? 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiPatchHeaders 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: MsiPatchHeaders 4: SELECT `Header` FROM `MsiPatchHeaders` WHERE `StreamRef` = ? 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: PatchPackage 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiPatchHeaders 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: PatchPackage 
Action ended 5:57:46: InstallFiles. Return value 1.

pagillar · ‎08-29-2023

@Entity1 Just checking if you ever found the root cause for this issue, we are facing similar issue on one of our servers.

jho-splunk · ‎08-30-2023

Hi @pagillar,

Please see here for instructions on how to troubleshoot further: https://community.splunk.com/t5/Installation/Install-issue-on-Server-2016/m-p/540173/highlight/true#....

Cheers,

- Jo.

Universal Forwarder Setup Wizard Ended Prematurely Error in v9.0.4 on Server 2019

universal forwarder

Windows

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?