Morning...
I have created a custom log integration on some Windows servers to read the DNS debug logs. The logs get sent to a custom ingest pipeline which parses them into ECS and writes them to a data stream.
I have installed this integration on 6 of my domain controllers with no issues at all; the logs get ingested fine and show up in my Kibana views etc. HOWEVER, I have reproduced the integration in a different Agent policy that is applied to 8 different DC boxes, and NO data appears in my indexes from these 8 new servers.
There are no obvious error messages in the Agent logs. The custom log definition in the Agent policy is exactly the same. In fact, I cloned the policy from the working Agents and applied the cloned policy to the new 8 DCs, and no luck in seeing any data.
My question is: how do I debug this? How can I determine whether the Agent is even opening and reading the DNS logs? If it is, how can I determine whether the logs are being sent to the ingest pipeline?
Thanks in advance
Ross