Installing the forwarder manually works fine; installing it automatically with the same user account fails with a 1603 error.
Installer logs snippet:
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2205 2: 3: LaunchCondition
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2228 2: 3: LaunchCondition 4: SELECT `Condition` FROM `LaunchCondition`
MSI (s) (B8:FC) [09:22:23:304]: APPCOMPAT: [DetectVersionLaunchCondition] Failed to initialize pRecErr.
MSI (s) (B8:FC) [09:22:23:304]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (B8:FC) [09:22:23:304]: Doing action: INSTALL
MSI (s) (B8:FC) [09:22:23:304]: Note: 1: 2205 2: 3: ActionText
Action start 9:22:23: INSTALL.
MSI (s) (B8:FC) [09:22:23:320]: Running ExecuteSequence
MSI (s) (B8:FC) [09:22:23:320]: Doing action: SetAllUsers
MSI (s) (B8:FC) [09:22:23:320]: Note: 1: 2205 2: 3: ActionText
MSI (s) (B8:EC) [09:22:23:320]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI5F93.tmp, Entrypoint: SetAllUsersCA
MSI (s) (B8:F8) [09:22:23:320]: Generating random cookie.
MSI (s) (B8:F8) [09:22:23:320]: Created Custom Action Server with PID 976 (0x3D0).
MSI (s) (B8:3C) [09:22:23:335]: Running as a service.
MSI (s) (B8:3C) [09:22:23:335]: Hello, I'm your 64bit Impersonated custom action server.
Action start 9:22:23: SetAllUsers.
SetAllUsers: Debug: Num of subkeys found: 1.
SetAllUsers: Info: Previously installed Splunk product is not found.
SetAllUsers: Error: Failed SetAllUsers: 0x2.
SetAllUsers: Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 9:22:23: SetAllUsers. Return value 3.
Action ended 9:22:23: INSTALL. Return value 3.
Installation by domain admin with current UF fails on the domain controller with error 1603, and there are additional log lines that may be useful:
MSI (s) (F0:34) [08:38:07:344]: Note: 1: 1708
MSI (s) (F0:34) [08:38:07:344]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:34) [08:38:07:344]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (F0:34) [08:38:07:344]: Note: 1: 2205 2: 3: Error
MSI (s) (F0:34) [08:38:07:344]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (F0:34) [08:38:07:344]: Product: UniversalForwarder -- Installation failed.
MSI (s) (F0:34) [08:38:07:344]: Das Produkt wurde durch Windows Installer installiert. Produktname: UniversalForwarder. Produktversion: 9.3.0.0. Produktsprache: 1033. Hersteller: Splunk, Inc.. Erfolg- bzw. Fehlerstatus der Installation: 1603.
I thought I would attach the complete log for examination; unfortunately that is not possible here. Up to the lines shown, everything runs fine, with no hint of missing permissions etc. Any help is appreciated; our project depends on it.
Thanks Jo! Unfortunately, I pretty much exhausted everything I could find in the community discussions (including that link).
That link did prompt me to include the logging information in my post though.
Hope that helps.
Hi @chuckbuford,
I'm pretty sure the linked answer is the issue; it's just that the culprit here will be a different key that doesn't contain a ProductName value.
Are you on the Splunk-Usergroups Slack, perchance? Feel free to hit me up there. Otherwise I would suggest that you open a case with Support.
Cheers,
- Jo.
Hi @chuckbuford,
Please see here: https://community.splunk.com/t5/Getting-Data-In/unable-to-install-universal-forwarder-windows-10/td-....
Cheers,
- Jo.
The 1603 error code during an automatic Splunk Universal Forwarder installation is most likely caused by a failure in the SetAllUsers custom action. This could be due to a variety of factors, including, but not limited to, insufficient permissions, an earlier version of Splunk installed, or an issue with the installation package. You can try the following steps to resolve this issue:
The Splunk documentation contains information about the 1603 error. The official documentation can be found here: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/TroubleshoottheSplunkforwarderinstal...
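To confirm from a verbose installer log which action produced the 1603, the following added example (not part of the thread and not Splunk's code) finds the first action that ended with "Return value 3" and pulls out what that action logged. It assumes an English-language log shaped like the first snippet above; `first_failed_action` and `KNOWN_CODES` are names chosen here, and reading the hex values as Win32/HRESULT codes is an assumption.

```python
import re

# Lines copied from the first installer log snippet in this thread (English-language log).
SAMPLE_LOG = """\
MSI (s) (B8:FC) [09:22:23:320]: Doing action: SetAllUsers
Action start 9:22:23: SetAllUsers.
SetAllUsers: Debug: Num of subkeys found: 1.
SetAllUsers: Info: Previously installed Splunk product is not found.
SetAllUsers: Error: Failed SetAllUsers: 0x2.
SetAllUsers: Info: Leave SetAllUsers: 0x80004005.
CustomAction SetAllUsers returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 9:22:23: SetAllUsers. Return value 3.
Action ended 9:22:23: INSTALL. Return value 3.
"""

ACTION_END = re.compile(r"^Action ended [\d:]+: (\w+)\. Return value (\d+)\.")
CA_ERROR = re.compile(r"^CustomAction (\w+) returned actual error code (\d+)")
HEX_CODE = re.compile(r"0x[0-9A-Fa-f]+")

# Assumption: the custom action logs standard Win32 / HRESULT values.
KNOWN_CODES = {0x2: "ERROR_FILE_NOT_FOUND", 0x80004005: "E_FAIL"}


def first_failed_action(log_text):
    """Locate the first action that ended with 'Return value 3' (fatal error)
    and collect the lines that action logged under its own name."""
    lines = log_text.splitlines()
    failed = next((m.group(1) for m in map(ACTION_END.match, lines)
                   if m and m.group(2) == "3"), None)
    if failed is None:
        return None  # no fatal action found in this log
    own = [l for l in lines if l.startswith(failed + ":")]
    ca = next((m for m in map(CA_ERROR.match, lines)
               if m and m.group(1) == failed), None)
    return {
        "action": failed,
        "msi_error": int(ca.group(2)) if ca else None,
        "error_lines": [l for l in own if ": Error:" in l],
        "codes": [(c, KNOWN_CODES.get(int(c, 16), "unknown"))
                  for l in own for c in HEX_CODE.findall(l)],
    }


if __name__ == "__main__":
    report = first_failed_action(SAMPLE_LOG)
    print(report["action"], report["msi_error"])
    for line in report["error_lines"]:
        print(line)
    for code, name in report["codes"]:
        print(code, name)
```

A log written by msiexec is often UTF-16, so decode the file accordingly before passing its text in.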
I get the same 1603 error, but only on our Exchange Servers; DCs or regular servers work fine without an error.
Is there anything different on Exchange during setup?
1. User is Domain Admin
2. No previous installations
3. Latest MSI
Hi @SvenBirke,
I can confirm that the Splunk Windows Installer package does not do anything special on servers that are running Exchange. Were you able to follow the instructions in the link I posted above?
Cheers,
- Jo.
Unfortunately, that link doesn't resolve to anything for me.