I am successfully collecting DNS logs from some domain controllers, but I noticed the Distributed Forwarder Management isn't working how I intended. All of my clients are falling under the 'defaultgroup'. I have a group called 'infradns' configured with a regex rule of 'infradns'
My inputs.conf on my domain controllers looks like this:
Have you tried removing the infradns from the streamforwarder_id stanza in the inputs.conf?
Then restart the client instance. Go to the Distributed group you made in the Stream app and see if it appears in your available client regex area?