Installation

Upgrade of Splunk Universal Forwarder - "Specified account already exists"

jmcg-imperva
Engager

Hi,

I'm trying to update the Splunk UF on a machine, but when running the MSI installer I'm getting a "The specified account already exists" and then the MSI fails to install. 

I've googled some generic failures around this, but none have worked so far.

Has anyone experienced this or able to flag to how troubleshoot it?

Thanks.

Labels (3)
0 Karma
1 Solution

jho-splunk
Splunk Employee
Splunk Employee

Hi again @jmcg-imperva!

Interesting.  Based on this article, I wonder if there's something wonky in the Registry: https://kc.mcafee.com/corporate/index?page=content&id=KB88018

May I ask what version you're upgrading from, and what version you're upgrading to?

Cheers,

 

 - Jo.

 

View solution in original post

jho-splunk
Splunk Employee
Splunk Employee

Hi @jmcg-imperva ,

Try rerunning the installation with logging enabled:

msiexec /l*vx msiexec.log /i <splunk.msi>

Then search for "return value 3", and look at a few lines before it.

If it's not obvious from that, please feel free to post a snippet here.

Cheers,

 

 - Jo.

 

0 Karma

jmcg-imperva
Engager

Thanks Jo!

Log extract as below:

MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SourceDir property. Its value is 'C:\Windows\Installer\'.
MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SOURCEDIR property. Its value is 'C:\Windows\Installer\'.
MSI (s) (F0:48) [16:31:03:074]: PROPERTY CHANGE: Adding SourcedirProduct property. Its value is '{D23A0D86-94B2-4BFA-9703-4C403A602C33}'.
MSI (s) (F0:48) [16:31:03:074]: SOURCEDIR ==> C:\Windows\Installer\
MSI (s) (F0:48) [16:31:03:074]: SOURCEDIR product ==> {D23A0D86-94B2-4BFA-9703-4C403A602C33}
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: CryptAcquireContext succeeded
MSI (s) (F0:48) [16:31:03:074]: Using cached product context: machine assigned for product: 68D0A32D2B49AFB47930C404A306C233
MSI (s) (F0:48) [16:31:03:074]: Determining source type
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 2203 2: C:\Windows\Installer\splunkFW.msi 3: -2147287038 
MSI (s) (F0:48) [16:31:03:074]: Note: 1: 1316 2: C:\Windows\Installer\splunkFW.msi 
MSI (s) (F0:48) [16:31:03:074]: SECREPAIR: Error determining package source type
MSI (s) (F0:48) [16:31:03:074]: SECUREREPAIR: SecureRepair Failed. Error code: 52473D75628
Error 1316. The specified account already exists.

MSI (s) (F0:48) [16:31:04:371]: Note: 1: 2205 2:  3: Error 
MSI (s) (F0:48) [16:31:04:371]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
MSI (s) (F0:48) [16:31:04:371]: Product: UniversalForwarder -- Error 1316. The specified account already exists.

Action ended 16:31:04: InstallFinalize. Return value 3.
0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hi again @jmcg-imperva!

Interesting.  Based on this article, I wonder if there's something wonky in the Registry: https://kc.mcafee.com/corporate/index?page=content&id=KB88018

May I ask what version you're upgrading from, and what version you're upgrading to?

Cheers,

 

 - Jo.

 

Tyler
Explorer

This was the issue for me as well, but unfortunately renaming isn't as straight forward. PackageName is a GUID, not a filename. Since I deploy through Intune, I assume this is why. The GUID is likely of the app package file.

In the end, I used Orca to change the PackageCode and ProductCode GUIDs. Then, I could install like normal,

 

msiexec.exe /i "C:\Path\To\splunkuf.msi"

 

Why? There's no easy way to change the service account credentials or the Pass4SymmKey. A reinstall is the easiest, and the most reliable. Using MSIs in this way is a bit "unorthodox".

0 Karma

jmcg-imperva
Engager

Hey @jho-splunk ,

Thanks for the info.

I found the registry entry under that branch & removed it. It seemed that the UF agent was on the machine a while ago but wasn't there now. I deleted the branch & the install then completed.

Cheers,
Joni.

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hey @jmcg-imperva!

Awesome!  Thanks for letting us know!  &:)

Cheers,

 

 - Jo.

 

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...