I'm trying to allow my ISR 4331 to be able to send it's syslog to UDP port 42729 to my syslog server. I was able to get it to work if I allowed Self to Internet using match protocol of UDP. I would like to create a match access-group versus a match protocol to allow syslog port 42729 to send to syslog server 192.168.100.1. I would like the ZBF to be more specific versus just allowing UDP. I tried creating a match access-group for syslog but had no luck getting syslogs to show up on my syslog server. In the end I configured the match protocol UDP and it worked. Any ideas?
lass-map type inspect match-any SELF-POLICY
match protocol icmp
match protocol dns
match protocol ntp
match protocol udp
policy-map type inspect SELF-TO-INTERNET-POLICY
class type inspect SELF-POLICY
inspect
class class-default
drop
zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
service-policy type inspect SELF-TO-INTERNET-POLICY