Installing the Splunk 6.0 Universal Forwarder on Windows

I’m currently working on getting all the Splunk apps that I am responsible for upgraded so that they use the Splunk 6 Universal Forwarder. Naturally, that means a whole slew of installs on Windows Server in various configurations. I bumped into a small hitch while I was doing Microsoft SharePoint. SharePoint requires me to run the Universal Forwarder as a domain user.

No problem, you say. Just follow the instructions in the excellent documentation, or one of my many blog posts. However, I came across a hitch. You see, in the Splunk 6 Universal Forwarder installer, we check for a few things to ensure you are installing things properly. As a result, if you are installing Splunk 6 to run as a domain user, you must run the installer as an Administrator.

The problem is, of course, how do you do this? I’m not using an automated solution (like a PowerShell script on start-up, or Systems Center Configuration Manager); I’m just using the regular MSI. Double-clicking on it doesn’t run the MSI as an Administrator. If you right-click and select Compatibility, you will note that the “Run this program as an administrator” is greyed out. I even tried running PowerShell as an Administrator and then running msiexec by hand (I got a very weird error when doing this).

Finally, I turned to our engineering team – after all, they must have tested this! It turns out they did, with the lowly cmd prompt. The best method on Windows Server 2012 (where cmd.exe is hidden) is to start up a PowerShell prompt running as Administrator, then run cmd.exe inside of the PowerShell prompt. Now you can just run that .msi file directly and the right thing will happen.

Of course, you will want to add on some command-line arguments. Mine are:

msiexec /i splunkforwarder.msi AGREETOLICENSE=Yes DEPLOYMENT_SERVER="DEPLOY:8089" LOGON_USERNAME="SPLK\splunk" LOGON_PASSWORD="xxxxxx" /quiet

Everything else will be defaulted, and it will look to a machine called DEPLOY on the local domain for the configuration. I configure “DEPLOY” as a CNAME in DNS on my local Active Directory domain controller.

I mentioned earlier that you can do this via PowerShell. I don’t like to install Splunk universal forwarders via Group Policy Software Installation for two reasons – firstly, it requires a reboot of the server which isn’t really required by the installer, and secondly, I have to produce a transforms file (or MST file) instead of providing just the command line arguments. Instead, I have a PowerShell script that I can run on each server that will install the Splunk Universal Forwarder if required. I get this to run as part of the start-up process. If I need to install Splunk on another server that is already running, I can do it without a reboot easily using the same script.

But that script – that’s another blog post in the works.
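As an added example (not the author's forthcoming script), here is one way to write such an install-if-required step in PowerShell: it enforces the elevation the installer needs when LOGON_USERNAME is a domain user, skips the install when the forwarder service already exists, prompts for the service-account password rather than hard-coding it, and keeps a verbose msiexec log for troubleshooting. The MSI path, log path and the "SplunkForwarder" service name are assumptions for this example; the MSI properties are the ones from the command line above.

```powershell
# Added example: install the Splunk 6 Universal Forwarder only if it is missing,
# running msiexec elevated as the post requires for a domain-user service account.
# Assumed values: MSI location, log path and the 'SplunkForwarder' service name.

$MsiPath          = 'C:\Installers\splunkforwarder.msi'            # assumed
$DeploymentServer = 'DEPLOY:8089'                                   # from the post
$LogonUser        = 'SPLK\splunk'                                   # from the post
$LogPath          = 'C:\Windows\Temp\splunkforwarder-install.log'   # assumed

# 1. The installer refuses a domain-user install unless it runs as Administrator,
#    so fail early with a clear message rather than with the installer's error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

# 2. Idempotence: the script runs at every start-up, so do nothing when the
#    forwarder service is already registered.
if (Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue) {
    Write-Host 'Splunk Universal Forwarder already installed; nothing to do.'
    return
}

# 3. Ask for the service-account password instead of storing it in the script
#    (it still appears on the msiexec command line, so clear it as soon as possible).
$cred  = Get-Credential -UserName $LogonUser -Message 'Splunk forwarder service account'
$plain = $cred.GetNetworkCredential().Password

# 4. Same MSI properties as the post's command line, plus /l*v so a failed
#    silent install leaves a log to read.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    "LOGON_USERNAME=`"$LogonUser`"",
    "LOGON_PASSWORD=`"$plain`"",
    '/quiet',
    '/l*v', "`"$LogPath`""
)
$proc  = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$plain = $null

# msiexec exit code 0 is success and 3010 means a reboot is pending; treat the rest as failure.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}
Write-Host "Splunk Universal Forwarder installed (exit code $($proc.ExitCode))."
```

For an unattended start-up run, replace the Get-Credential prompt with a credential read from a protected store the script's account can reach; the elevation check and service check stay the same.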
