I'm still seeing messages on nmsloghost that I think should have been filtered out.
Do my comments match the conf file?
# Source UDP/TCP syslog port 514.
# NOTE(review): ip(0.0.0.0) binds both listeners on every interface. UDP syslog
# carries no sender authentication, so the source address of a datagram can be
# forged by anyone who can reach this port; if the collector has a dedicated
# management interface, binding to that address (or restricting 514/udp and
# 514/tcp at the host firewall) limits who can inject messages into this path.
source s_net {
udp(ip(0.0.0.0) port(514) so_rcvbuf(262142));
# so_rcvbuf sets the socket receive buffer, log_iw_size the flow-control window
# and max-connections caps concurrent TCP clients at 250. These are the
# author's tuning values — confirm against the syslog-ng version in use.
tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(262142) log_iw_size(25000) );
};
# Remove messages from 2 network segments
# NOTE(review): no filter definition follows this comment in the excerpt shown,
# although the log path below references filter(f_network); confirm f_network
# is defined elsewhere in the file (a syntax check such as `syslog-ng -s` and the
# daemon's startup log should report an undefined filter reference).
# Remove messages matching EITHER expression
# match() is a regular-expression match against the MESSAGE part only, and is
# case-sensitive unless an ignore-case flag is set; any message containing
# "Audit" or "Detailed Tracking" anywhere (so "Auditing" too) is dropped and
# everything else passes. These look like Windows security-audit categories —
# dropping them here removes that telemetry from nmsloghost entirely; routing
# them to a separate destination instead would keep it available for review.
filter f_audit { not match("Audit" value("MESSAGE")) and
not match("Detailed Tracking" value("MESSAGE")); };
# Remove messages matching "The scan found detections" expression
# The pattern is a regex, so the trailing "." matches any single character,
# not only a literal full stop; the filter is therefore slightly broader than
# the comment states (e.g. "...detections:" is also dropped). Escape it
# (typically "detections\\." inside a double-quoted string) if an exact literal
# match is intended. Messages that report detections are themselves security
# signal — consider routing rather than discarding them.
filter f_mcafee { not match("The scan found detections." value("MESSAGE")); };
# Destination rule suppress any duplicates in a 10 second window.
# NOTE(review): suppress(10) collapses identical consecutive messages for 10 s,
# so a burst of repeated security events reaches nmsloghost as a single message
# — keep this in mind when counting events on the receiver. udp() sends in
# clear text with no delivery guarantee and no way to authenticate the peer;
# if nmsloghost is reached over an untrusted network, prefer tcp() (and TLS
# where the syslog-ng version in use supports it).
destination d_remote {udp ("nmsloghost" suppress(10)); };
# Log from s_net, drop everything matched by the f_* filters, and send the rest over UDP to nmsloghost.
# There is no function to "filter( not f_network);"
log { source(s_net);
filter(f_network); filter(f_audit); filter(f_mcafee); destination (d_remote);