
Universal Forwarder Server 2012 R2 Hangs

da7rutrak
Explorer

While trying to install the 6.0.1 x64 universal forwarder on an Azure Server 2012 R2 Datacenter VM that has the ADDS roles installed, the install just "hangs" forever. It gets through the copy process, and I can see the four install messages in the Windows Application log; however, it never completes.

This is the only meaningful log file I can locate (var\logs\splunk\splunkd-utility.log)

12-24-2013 12:34:44.977 -0800 INFO  ServerConfig - My server name is "drewlabdc01".
12-24-2013 12:34:44.977 -0800 INFO  ServerConfig - My hostname is "DREWLABDC01".
12-24-2013 12:34:45.008 -0800 INFO  ServerConfig - Setting HTTP server compression state=on
12-24-2013 12:34:45.008 -0800 INFO  ServerConfig - Setting HTTP client compression state=0 (false)
12-24-2013 12:34:45.008 -0800 INFO  ServerConfig - Default output queue for file-based input: parsingQueue.
12-24-2013 12:34:45.805 -0800 INFO  loader - Running utility: "check-transforms-keys"
12-24-2013 12:34:45.805 -0800 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
12-24-2013 12:34:45.805 -0800 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:45.805 -0800 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:45.805 -0800 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
12-24-2013 12:34:53.849 -0800 INFO  loader - Splunkd starting (build 189883).
12-24-2013 12:34:53.849 -0800 INFO  loader - System info: Windows, DREWLABDC01, 2, 6, x64.
12-24-2013 12:34:53.849 -0800 INFO  loader - Detected 1 (virtual) CPUs and 1791MB RAM
12-24-2013 12:34:53.849 -0800 INFO  loader - Maximum number of threads (approximate): 895
12-24-2013 12:34:53.849 -0800 INFO  loader - Arguments are: "rest" "--noauth" "POST" "/services/apps/local/SplunkUniversalForwarder/enable"
12-24-2013 12:34:53.849 -0800 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
12-24-2013 12:34:53.849 -0800 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:53.849 -0800 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:53.849 -0800 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
12-24-2013 12:34:53.865 -0800 ERROR RESTTester - tenant service initialization failed
12-24-2013 12:34:53.865 -0800 INFO  ServerConfig - My server name is "drewlabdc01".
12-24-2013 12:34:53.865 -0800 INFO  ServerConfig - My hostname is "DREWLABDC01".
12-24-2013 12:34:53.880 -0800 INFO  ServerConfig - Setting HTTP server compression state=on
12-24-2013 12:34:53.880 -0800 INFO  ServerConfig - Setting HTTP client compression state=0 (false)
12-24-2013 12:34:53.880 -0800 INFO  ServerConfig - Default output queue for file-based input: parsingQueue.
12-24-2013 12:34:54.865 -0800 WARN  LocalAppsAdminHandler - User 'splunk-system-user' triggered the 'enable' action on app 'SplunkUniversalForwarder', and the following objects required a restart: default-mode, limits, server, web
12-24-2013 12:34:56.178 -0800 INFO  loader - Splunkd starting (build 189883).
12-24-2013 12:34:56.178 -0800 INFO  loader - System info: Windows, DREWLABDC01, 2, 6, x64.
12-24-2013 12:34:56.178 -0800 INFO  loader - Detected 1 (virtual) CPUs and 1791MB RAM
12-24-2013 12:34:56.178 -0800 INFO  loader - Maximum number of threads (approximate): 895
12-24-2013 12:34:56.178 -0800 INFO  loader - Arguments are: "rest" "--noauth" "POST" "/servicesNS/nobody/SplunkUniversalForwarder/data/outputs/tcp/server" "name=drewsplunk.transnational.local:9997"
12-24-2013 12:34:56.178 -0800 INFO  loader - Getting configuration data from: C:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
12-24-2013 12:34:56.178 -0800 INFO  loader - SPLUNK_MODULE_PATH environment variable not found - defaulting to C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:56.178 -0800 INFO  loader - loading modules from C:\Program Files\SplunkUniversalForwarder\etc\modules
12-24-2013 12:34:56.194 -0800 INFO  loader - Writing out composite configuration file: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
12-24-2013 12:34:56.194 -0800 ERROR RESTTester - tenant service initialization failed
12-24-2013 12:34:56.210 -0800 INFO  ServerConfig - My server name is "drewlabdc01".
12-24-2013 12:34:56.210 -0800 INFO  ServerConfig - My hostname is "DREWLABDC01".
12-24-2013 12:34:56.225 -0800 INFO  ServerConfig - Setting HTTP server compression state=on
12-24-2013 12:34:56.225 -0800 INFO  ServerConfig - Setting HTTP client compression state=0 (false)
12-24-2013 12:34:56.225 -0800 INFO  ServerConfig - Default output queue for file-based input: parsingQueue.

I've tried re-installing it several times, both set as Local Data only and as a Remote Data setup using a domain service account with the privileges defined in the Prepare the Splunk App for Active Directory add-ons link.

The only way to close the installer is to start ending tasks (Installer GUI is responsive though) and eventually one of the processes flags a rollback. It usually errors stating it can't remove services, etc. I then reboot, clean the registry, reboot again and use PowerShell to remove the SplunkUniversalForwarder directory.

I'm trying to do this in a lab set-up before I pitch the universal forwarders as the right way to go to my management chain. This has not been a great success so far...

phoffman_splunk
Splunk Employee

There is a known issue for hanging installs on 6.0.1

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues#Windows-specific_issues

"Installing the Windows universal forwarder with the Deployment Server and Indexer fields populated can cause the installation to hang. Leave these fields blank and the installation will complete successfully. (SPL-78756)"

0 Karma
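
The workaround quoted above, as an added PowerShell example that is not part of the original answer or Splunk's own tooling: a silent install that leaves the indexer and deployment server unset, bounds the wait so a hang is reported, and sets the forwarding target afterwards in outputs.conf. It assumes that omitting the RECEIVING_INDEXER and DEPLOYMENT_SERVER installer properties corresponds to leaving those fields blank; the MSI path, timeout and output group name are placeholders.

```powershell
# Added example (assumptions: $Msi, $TimeoutSec and the group name are placeholders).
# The install directory and indexer are the ones that appear in the question's log.
$Msi        = 'C:\Temp\splunkforwarder-x64.msi'   # placeholder installer path
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Indexer    = 'drewsplunk.transnational.local:9997'
$TimeoutSec = 600
$MsiLog     = Join-Path $env:TEMP 'splunkuf-install.log'

if (-not (Test-Path $Msi)) { throw "Installer not found: $Msi" }

# RECEIVING_INDEXER and DEPLOYMENT_SERVER are deliberately not passed.
$msiArgs = @('/i', "`"$Msi`"", 'AGREETOLICENSE=Yes', '/quiet', '/l*v', "`"$MsiLog`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -PassThru
$null = $proc.Handle   # cache the handle so ExitCode is readable after exit

# Bound the wait so a hung install is reported instead of blocking forever.
if (-not $proc.WaitForExit($TimeoutSec * 1000)) {
    throw "msiexec still running after $TimeoutSec s; inspect $MsiLog"
}
if (@(0, 3010) -notcontains $proc.ExitCode) {   # 3010 = success, reboot required
    throw "msiexec failed with exit code $($proc.ExitCode); inspect $MsiLog"
}

# Configure forwarding after the install has finished. Writing outputs.conf
# avoids passing admin credentials on a command line.
$localDir = Join-Path $SplunkHome 'etc\system\local'
$outputs  = @"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $Indexer
"@
Set-Content -Path (Join-Path $localDir 'outputs.conf') -Value $outputs -Encoding ASCII

# Restart so the forwarder picks up the new output configuration.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
if ($LASTEXITCODE -ne 0) { throw 'splunk restart failed' }
```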

gregdent
New Member

I'm getting this issue with an ADDS domain controller, running 2008R2 (using the 64bit installer).

At first I thought this was due to the installation directory and UAC protecting the ProgFiles folder. But I've tried reinstalling to another drive entirely with the same issues.

Is the Splunk forwarder supported on a Windows Domain Controller at all?

0 Karma

gregdent
New Member

Where is the log file located?

0 Karma

wolf_nir
Explorer

I managed to successfully finish the installation after installing .NET 4 on the server.
The error messages still appear in the log.

0 Karma

wolf_nir
Explorer

I'm getting the same issue on Win 2008 32 bit + R2 64 bit which are supported.

See: http://answers.splunk.com//answers/122255/splunk-forwarder-601-installation-on-win-2008-32-bit-r2-64...

skylasam_splunk
Splunk Employee

Hi,
We currently don't support Server 2012 R2. Can you try with Server 2012 instead, which is officially supported?

da7rutrak
Explorer

I could potentially do that, however shouldn't the installer let me know it's an unsupported OS and not let me proceed?

0 Karma