cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /services/apps/local/SplunkUniversalForwarder/enable >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
HTTP/1.1 200 OK
Date: Wed, 20 Mar 2019 13:20:54 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 1930
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd
/services/apps/local
2019-03-20T09:20:54-04:00
<name>Splunk</name>
0
30
0
<s:msg type="INFO">Restart required by: default-mode, limits, server, web</s:msg>
DS init failed: Deployment Server not available on a dedicated forwarder.
9:20:54 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/outputs/tcp/server "name=165.112.254.26:9997" >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
HTTP/1.1 400 Bad Request
Date: Wed, 20 Mar 2019 13:20:54 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 170
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd
<msg type="ERROR">165.112.254.26:9997 forwarded-server already present</msg>
DS init failed: Deployment Server not available on a dedicated forwarder.
9:20:54 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd uninstall >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
Removing service SplunkForwarder
Service removed
Disabled.
11:12:37 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------)
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n] y
Migrating to:
VERSION=7.2.5
BUILD=088f49762779
PRODUCT=splunk
PLATFORM=Windows-AMD64
It seems that the Splunk default certificates are being used. If certificate validation is turned on using the default certificates (not-recommended), this may result in loss of communication in mixed-version Splunk environments after upgrade.
"N:\Program Files\SplunkUniversalForwarder\etc\auth\ca.pem": already a renewed Splunk certificate: skipping renewal
"N:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem": already a renewed Splunk certificate: skipping renewal
[App Key Value Store migration] Binary for service(34) is missing.
[App Key Value Store migration] Binary for service(34) is missing.
-- Migration information is being logged to 'N:\Program Files\SplunkUniversalForwarder\var\log\splunk\migration.log.2019-03-20.11-12-38' --
11:12:41 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from 'N:\Program Files\SplunkUniversalForwarder\splunkforwarder-7.2.5-088f49762779-windows-64-manifest'
All installed files intact.
Done
11:12:45 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd install --startup=auto >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
Installing service SplunkForwarder
Service installed
11:12:46 AM
cmd.exe /c "icacls "N:\Program Files\SplunkUniversalForwarder\etc" /T /C /grant *S-1-5-32-544:f >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
processed file: N:\Program Files\SplunkUniversalForwarder\etc
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth
processed file: N:\Program Files\SplunkUniversalForwarder\etc\copyright.txt
processed file: N:\Program Files\SplunkUniversalForwarder\etc\datetime.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\deployment-apps
processed file: N:\Program Files\SplunkUniversalForwarder\etc\disabled-apps
processed file: N:\Program Files\SplunkUniversalForwarder\etc\licenses
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log-btool-debug.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log-btool.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log-cmdline-debug.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log-cmdline.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log-debug.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log-utility.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\log.cfg
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules
processed file: N:\Program Files\SplunkUniversalForwarder\etc\myinstall
processed file: N:\Program Files\SplunkUniversalForwarder\etc\passwd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\prettyprint.xsl
processed file: N:\Program Files\SplunkUniversalForwarder\etc\shcluster
processed file: N:\Program Files\SplunkUniversalForwarder\etc\splunk-launch.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\splunk-launch.conf.default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\splunk.version
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system
processed file: N:\Program Files\SplunkUniversalForwarder\etc\users
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\learned
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\bin
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\bin\collector.path
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\app.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\inputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\server.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\learned\default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\learned\metadata
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\learned\default\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\learned\metadata\default.meta
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\metadata
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\app.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\inputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\restmap.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\transforms.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\search\metadata\default.meta
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\metadata
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\app.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\default-mode.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\limits.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\server.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\web.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\metadata\default.meta
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\metadata\local.meta
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth.rnd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\appsCA.pem
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\appsLicenseCA.pem
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\ca.pem
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\ca.pem.default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\ca.srl
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem.default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\cloudCA.pem
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\crl
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\prev_release
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\splunk.secret
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\crl\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\prev_release\ca.pem.default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\auth\prev_release\cacert.pem.default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\deployment-apps\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\disabled-apps\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\licenses\forwarder
processed file: N:\Program Files\SplunkUniversalForwarder\etc\licenses\forwarder\splunkforwarder.lic
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\parsing
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\exec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\fschangemanager
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\RemoteQueue
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\structuredparsing
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\tailfile
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\TCP
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\UDP
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\wineventlog
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\winparsing
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\exec\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\fschangemanager\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\RemoteQueue\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\structuredparsing\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\tailfile\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\TCP\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\UDP\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\wineventlog\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\input\winparsing\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\modules\parsing\config.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\myinstall\splunkd.xml.cfg-default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\shcluster\apps
processed file: N:\Program Files\SplunkUniversalForwarder\etc\shcluster\users
processed file: N:\Program Files\SplunkUniversalForwarder\etc\shcluster\apps\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\shcluster\users\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\metadata
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\static
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\winEventLog.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\audit.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\authentication.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\authorize.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\conf.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\default-mode.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\health.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\limits.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\literals.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\livetail.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\messages.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\procmon-filters.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\props.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\restmap.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\server.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\source-classifier.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\sourcetypes.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\telemetry.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\visualizations.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\web.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_pools.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_rules.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\authentication.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\migration.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\README
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\local\user-seed.conf
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\metadata\default.meta
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\alert_actions.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\alert_actions.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\audit.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\audit.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\authentication.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\authentication.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\authorize.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\authorize.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\checklist.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\collections.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\collections.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\conf_checker.rules
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\default-mode.conf.examples
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\default-mode.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\default.meta.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\default.meta.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\deploymentclient.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\deploymentclient.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\health.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\health.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\inputs.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\inputs.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\instance.cfg.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\instance.cfg.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\limits.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\limits.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\literals.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\literals.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\livetail.conf.examples
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\livetail.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\messages.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\messages.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\migration.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\outputs.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\outputs.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\passwords.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\passwords.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\procmon-filters.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\procmon-filters.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\props.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\props.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\restmap.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\restmap.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\server.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\server.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\serverclass.seed.xml.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\source-classifier.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\source-classifier.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\sourcetypes.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\sourcetypes.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\splunk-launch.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\user-prefs.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\user-prefs.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\user-seed.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\user-seed.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\visualizations.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\web.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\web.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\wmi.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\wmi.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\workload_pools.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\workload_pools.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\workload_rules.conf.example
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\README\workload_rules.conf.spec
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\static\atom.xsl
processed file: N:\Program Files\SplunkUniversalForwarder\etc\system\static\splunkrc_cmds.xml
processed file: N:\Program Files\SplunkUniversalForwarder\etc\users\users.ini
Successfully processed 230 files; Failed processing 0 files
11:12:46 AM
cmd.exe /c "icacls "N:\Program Files\SplunkUniversalForwarder\var" /T /C /grant *S-1-5-32-544:f >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
processed file: N:\Program Files\SplunkUniversalForwarder\var
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib
processed file: N:\Program Files\SplunkUniversalForwarder\var\log
processed file: N:\Program Files\SplunkUniversalForwarder\var\run
processed file: N:\Program Files\SplunkUniversalForwarder\var\spool
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\authDb
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\hashDb
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\persistentstorage
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\rawdata
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog
processed file: N:\Program Files\SplunkUniversalForwarder\var\lib\splunk\persistentstorage\audit
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\introspection
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\watchdog
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk\migration.log.2019-03-20.09-01-52
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk\migration.log.2019-03-20.09-20-44
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk\migration.log.2019-03-20.11-12-38
processed file: N:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
processed file: N:\Program Files\SplunkUniversalForwarder\var\run.rnd
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\cachemanager_upload.json
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xml
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\upload
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\i18n
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\modules
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\modules\static
processed file: N:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\modules\static\css
processed file: N:\Program Files\SplunkUniversalForwarder\var\spool\dirmoncache
processed file: N:\Program Files\SplunkUniversalForwarder\var\spool\splunk
Successfully processed 35 files; Failed processing 0 files
11:12:46 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /services/apps/local/SplunkUniversalForwarder/enable >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
HTTP/1.1 200 OK
Date: Wed, 20 Mar 2019 15:12:48 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 1930
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd
/services/apps/local
2019-03-20T11:12:48-04:00
<name>Splunk</name>
0
30
0
<s:msg type="INFO">Restart required by: default-mode, limits, server, web</s:msg>
DS init failed: Deployment Server not available on a dedicated forwarder.
11:12:48 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd rest --noauth POST /servicesNS/nobody/SplunkUniversalForwarder/data/outputs/tcp/server "name=165.112.254.26:9997" >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
HTTP/1.1 400 Bad Request
Date: Wed, 20 Mar 2019 15:12:48 GMT
Expires: Thu, 26 Oct 1978 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: text/xml; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 170
Connection: Close
X-Frame-Options: SAMEORIGIN
Server: Splunkd
<msg type="ERROR">165.112.254.26:9997 forwarded-server already present</msg>
DS init failed: Deployment Server not available on a dedicated forwarder.
11:12:48 AM
cmd.exe /c ""N:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd uninstall >> "C:\Users\NINDSS~1\AppData\Local\Temp\splunk.log" 2>&1"
Removing service SplunkForwarder
Service removed
Disabled.