I've looked through the guides (though I may have missed or forgotten some salient point). Or read them too late in the day when my brain wasn't engaged anymore .
How about this: When it applies a set of filters like: "Must Not Contain String X, AND Must Contain String Y" how is it evaluating those against the config file? Does it process the entire config for filter 1, then again for filter 2? I get how a single long regex is applied, it's when there are two different strings or regexs applied that I'm not sure how they all tie into each other.
In the case of this thread, why does the set of three "Not Contains" and one "Must Contain" only appear to work when the "Must Contain" is the last line of the block?. When it reads the four lines of logging hosts in the config, if the second line is an unexpected logging host, then that line does not contain any of the "Must Not Contain" matches, but it does match the "Must Contain" filter. Yet, it does not trigger the alert. At least, it has not with the various IPs I've tested it with.