Installation

Universal Forwarder Setup Wizard Ended Prematurely Error in v9.0.4 on Server 2019

Entity1
New Member

I'm trying to deploy the Splunk UF on Windows Server 2019 boxes. It fails giving me an message that the forwader installation wizard ended prematurely. I have the following MSI log.

MSI (s) (F0:64) [05:57:42:567]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 
MSI (s) (F0:64) [05:57:42:573]: Machine policy value 'LimitSystemRestoreCheckpointing' is 0
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 1715 2: UniversalForwarder
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:64) [05:57:42:573]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1715
MSI (s) (F0:64) [05:57:42:573]: Calling SRSetRestorePoint API. dwRestorePtType: 0, dwEventType: 102, llSequenceNumber: 0, szDescription: "Installed UniversalForwarder".
MSI (s) (F0:64) [05:57:42:573]: The call to SRSetRestorePoint API failed. Returned status: 0. GetLastError() returned: 127
MSI (s) (F0:64) [05:57:42:577]: File will have security applied from OpCode.
MSI (s) (F0:64) [05:57:42:674]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi' against software restriction policy
MSI (s) (F0:64) [05:57:42:674]: SOFTWARE RESTRICTION POLICY: C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi has a digital signature
MSI (s) (F0:64) [05:57:43:406]: SOFTWARE RESTRICTION POLICY: C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (F0:64) [05:57:43:406]: Creating MSIHANDLE (375) of type 790542 for thread 4708
MSI (s) (F0:64) [05:57:43:406]: MSCOREE not loaded loading copy from system32
MSI (s) (F0:64) [05:57:43:406]: End dialog not enabled
MSI (s) (F0:64) [05:57:43:406]: Original package ==> C:\Users\Administrator\Downloads\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi
MSI (s) (F0:64) [05:57:43:406]: Package we're running from ==> C:\Windows\Installer\12c17059.msi
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6C243C23-42E6-46E7-AECC-81428601A55E}'.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'TransformsSecure' is 1
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisablePatch' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (F0:64) [05:57:43:422]: Enabling baseline caching for this transaction since all active patches are MSI 3.0 style MSPs or at least one MSI 3.0 minor update patch is active
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: looking for appcompat database entry with ProductCode '{6C243C23-42E6-46E7-AECC-81428601A55E}'.
MSI (s) (F0:64) [05:57:43:422]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (F0:64) [05:57:43:422]: Transforms are not secure.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\Administrator\Downloads\msiexec.log'.
MSI (s) (F0:64) [05:57:43:422]: Command Line: INSTALLDIR=C:\Program Files\SplunkUniversalForwarder\ TARGETDIR=C:\ AGREETOLICENSE=Yes GENRANDOMPASSWORD=0 CURRENTDIRECTORY=C:\Users\Administrator\Downloads CLIENTUILEVEL=0 CLIENTPROCESSID=4760 USERNAME=Windows User SOURCEDIR=C:\Users\Administrator\Downloads\ ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE=C:\ INSTALLLEVEL=1 SECONDSEQUENCE=1 WIXUI_INSTALLDIR_VALID=1 MONITOR_PATH=C:\Windows\NTDS RECEIVING_INDEXER=172.16.1.3:9997 WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=0 WINEVENTLOG_SET_ENABLE=0 ENABLEADMON=1 LOGON_PASSWORD=********** LOGON_USERNAME=splunk SPLUNKPASSWORD=********** SPLUNKUSERNAME=********** DEPLOYMENT_SERVER=172.16.1.3:8089 ADDLOCAL=Complete ACTION=INSTALL
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{405F297E-93B0-496F-AD0C-D7EAA614048F}'.
MSI (s) (F0:64) [05:57:43:422]: Product Code passed to Engine.Initialize: ''
MSI (s) (F0:64) [05:57:43:422]: Product Code from property table before transforms: '{6C243C23-42E6-46E7-AECC-81428601A55E}'
MSI (s) (F0:64) [05:57:43:422]: Product Code from property table after transforms: '{6C243C23-42E6-46E7-AECC-81428601A55E}'
MSI (s) (F0:64) [05:57:43:422]: Product not registered: beginning first-time install
MSI (s) (F0:64) [05:57:43:422]: Package name extracted from package path: 'splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
MSI (s) (F0:64) [05:57:43:422]: Package to be registered: 'splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
MSI (s) (F0:64) [05:57:43:422]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:64) [05:57:43:422]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'DisableMsi' is 1
MSI (s) (F0:64) [05:57:43:422]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:64) [05:57:43:422]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (F0:64) [05:57:43:422]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (F0:64) [05:57:43:422]: Running product '{6C243C23-42E6-46E7-AECC-81428601A55E}' with elevated privileges: Product is assigned.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding INSTALLDIR property. Its value is 'C:\Program Files\SplunkUniversalForwarder\'.
MSI (s) (F0:64) [05:57:43:422]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
InstallFiles: File: Copying new files, Directory: , Size: 
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: Patch
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: Patch 4: SELECT `Patch`.`File_`, `Patch`.`Header`, `Patch`.`Attributes`, `Patch`.`Sequence`, `Patch`.`StreamRef_` FROM `Patch` WHERE `Patch`.`File_` = ? AND `Patch`.`#_MsiActive`=? ORDER BY `Patch`.`Sequence`
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1302
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiSFCBypass
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: MsiSFCBypass 4: SELECT `File_` FROM `MsiSFCBypass` WHERE `File_` = ?
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2228 2: 3: MsiPatchHeaders 4: SELECT `Header` FROM `MsiPatchHeaders` WHERE `StreamRef` = ?
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (F0:64) [05:57:46:653]: Note: 1: 2205 2: 3: PatchPackage
Action ended 5:57:46: InstallFiles. Return value 1.

 

Labels (2)
0 Karma

pagillar
Explorer

@Entity1 Just checking if you ever found the root cause for this issue, we are facing similar issue on one of our servers.

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hi @pagillar,

Please see here for instructions on how to troubleshoot further: https://community.splunk.com/t5/Installation/Install-issue-on-Server-2016/m-p/540173/highlight/true#....

Cheers,

 

  - Jo.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...