What Wireshark filter will show connections from a Snort machine to a Kiwi Syslog machine?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

What Wireshark filter will show connections from a Snort machine to a Kiwi Syslog machine?

Explanation:
Filtering in Wireshark for traffic between two hosts on a specific service means restricting the view to packets addressed to the destination host on that service's port. For a Snort sensor forwarding its alerts to a Kiwi Syslog server, you want packets whose destination IP is the Kiwi machine and whose destination port is the syslog port. Syslog listens on port 514, so combining the destination IP with the destination port isolates the relevant traffic: tcp.dstport == 514 && ip.dst == 192.168.0.150 (Wireshark also accepts and in place of &&). Filtering on the port alone would include traffic to port 514 on any host, and filtering on the destination IP alone would include every protocol and port sent to that host. Note that this is a display filter, applied to packets already captured; the equivalent capture filter uses BPF syntax (dst host 192.168.0.150 and tcp dst port 514). Two caveats matter in practice. First, syslog's traditional transport is UDP on port 514, and Kiwi Syslog Server can listen on UDP as well as TCP, so if your environment sends syslog over UDP, use udp.dstport == 514 in place of tcp.dstport == 514. Second, the filter does not constrain the source address, so it also shows any other host sending to the Kiwi server on port 514; to see only the Snort machine's connections, add ip.src == followed by the Snort machine's IP.
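The following is an added example, not code from the exam page or from Wireshark: a minimal IPv4/TCP/UDP header parser and an evaluator for the display filters discussed above, run over five constructed packets so the difference between the port-only, IP-only and combined filters is visible without a live capture. It goes slightly beyond the text by also evaluating the UDP variant and a filter that adds ip.src. The Kiwi address 192.168.0.150 comes from the explanation; the Snort address 192.168.0.10, the unrelated host 192.168.0.77 and the syslog payload are assumptions made for the example.

```python
"""Parse raw IPv4/TCP/UDP packets and apply Wireshark-style display filters.

Added example; the packets below are constructed in code, not captured.
"""
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa
from typing import Callable, Dict, List, Optional

KIWI_IP = "192.168.0.150"   # from the exam explanation
SNORT_IP = "192.168.0.10"   # assumed for this example
OTHER_IP = "192.168.0.77"   # assumed unrelated host


@dataclass
class Packet:
    ip_src: str
    ip_dst: str
    proto: str              # "tcp", "udp" or "other"
    dstport: Optional[int]  # None when there is no TCP/UDP header


def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """20-byte IPv4 header without options; checksum left at 0 (constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,           # version 4, IHL 5 (20 bytes)
                      0,              # DSCP/ECN
                      20 + len(l4),   # total length
                      0, 0,           # identification, flags/fragment offset
                      64,             # TTL
                      proto,          # 6 = TCP, 17 = UDP
                      0,              # header checksum, not computed here
                      inet_aton(src), inet_aton(dst))
    return hdr + l4


def tcp_segment(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload


def udp_datagram(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """8-byte UDP header: ports, length, checksum (0 = not computed)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_packet(raw: bytes) -> Packet:
    """Extract the fields the display filters reference from a raw IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    l4 = raw[(ver_ihl & 0x0F) * 4:]          # skip IHL*4 bytes, so IP options are handled
    if proto in (6, 17):                     # TCP and UDP both start with src/dst port
        dport = struct.unpack("!HH", l4[:4])[1]
        return Packet(inet_ntoa(src), inet_ntoa(dst), "tcp" if proto == 6 else "udp", dport)
    return Packet(inet_ntoa(src), inet_ntoa(dst), "other", None)


# Each Wireshark display filter expressed as a predicate over the parsed fields.
FILTERS: Dict[str, Callable[[Packet], bool]] = {
    "tcp.dstport == 514":
        lambda p: p.proto == "tcp" and p.dstport == 514,
    "ip.dst == 192.168.0.150":
        lambda p: p.ip_dst == KIWI_IP,
    "tcp.dstport == 514 && ip.dst == 192.168.0.150":
        lambda p: p.proto == "tcp" and p.dstport == 514 and p.ip_dst == KIWI_IP,
    "udp.dstport == 514 && ip.dst == 192.168.0.150":
        lambda p: p.proto == "udp" and p.dstport == 514 and p.ip_dst == KIWI_IP,
    "ip.src == 192.168.0.10 && ip.dst == 192.168.0.150 && tcp.dstport == 514":
        lambda p: p.ip_src == SNORT_IP and p.ip_dst == KIWI_IP
        and p.proto == "tcp" and p.dstport == 514,
}

SYSLOG_MSG = b"<134>1 snort[1]: [1:2000001:1] test alert\n"   # constructed syslog line

# Constructed capture, indexed 0..4 so filter results are readable.
CAPTURE: List[bytes] = [
    build_ipv4(SNORT_IP, KIWI_IP, 6, tcp_segment(40001, 514, SYSLOG_MSG)),   # 0 Snort -> Kiwi, syslog/TCP
    build_ipv4(SNORT_IP, KIWI_IP, 17, udp_datagram(40002, 514, SYSLOG_MSG)), # 1 Snort -> Kiwi, syslog/UDP
    build_ipv4(OTHER_IP, KIWI_IP, 6, tcp_segment(40003, 514, SYSLOG_MSG)),   # 2 other host -> Kiwi, syslog/TCP
    build_ipv4(SNORT_IP, KIWI_IP, 6, tcp_segment(40004, 80)),                # 3 Snort -> Kiwi, HTTP
    build_ipv4(OTHER_IP, SNORT_IP, 6, tcp_segment(40005, 514)),              # 4 other host -> Snort, port 514
]


def apply_filter(expr: str, capture: List[bytes] = CAPTURE) -> List[int]:
    """Return the indices of the packets the named display filter would show."""
    pred = FILTERS[expr]
    return [i for i, raw in enumerate(capture) if pred(parse_packet(raw))]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:72} -> packets {apply_filter(expr)}")
```

Running it shows the over-matching the explanation warns about: the port-only filter keeps packets 0, 2 and 4 (including traffic to a different host), the IP-only filter keeps 0 through 3 (including HTTP to the Kiwi server), the exam answer keeps 0 and 2, the UDP variant keeps only packet 1, and adding ip.src narrows the result to packet 0, the Snort machine's own syslog connection.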

