Dominic
Sep 22, 2017

Filtering specific cron messages from syslog with F5 11.6

I have a custom syslog filter which I am attempting to get to filter out cron messages with level info.

Example I wish to filter:

F5_NAME info crond[11244]: (syscheck) CMD (/usr/bin/system_check -q)

I want all other facilities' info messages sent as normal.

Output of list /sys syslog all-properties:
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include "
    filter f_remote_loghost_level { 
        level(info..emerg);
    };
    filter f_remote_loghost_cron {
        not (facility(cron) and level(info));
    };
    filter f_ssl_acc_req {
        not (facility(local6) and level(info) and filter(f_httpd_ssl_acc)) and
        not (facility(local6) and level(info) and filter(f_httpd_ssl_req));
    };
    destination d_remote_loghost {
        udp(\"x.x.x.x\" port(514));
    };
    log {
        source(s_syslog_pipe);
        filter(f_remote_loghost_cron);
        filter(f_remote_loghost_level);
        filter(f_ssl_acc_req);
        destination(d_remote_loghost);
    };
    "
    iso-date disabled
    kern-from debug
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers none
    user-log-from notice
    user-log-to emerg
}

This works in as far as debug is excluded, as are f_httpd_ssl_acc and f_httpd_ssl_req. However, I still get info level from facility cron. I have also tried filtering on facility as 'crond' from the message and also 'clock', which my syslog server reports as the facility.

My config above is based on these two articles:

K13333: Filtering log messages sent to remote syslog servers (11.x - 13.x)

K13317: Configuring the level of information that syslog-ng sends to log files (11.x - 12.x)

Can anyone point out what I am missing?
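
A check for the receiving side, added here as an example and not part of the original post or of F5's documentation: it decodes the <PRI> prefix of raw syslog lines into facility and level, then evaluates the f_remote_loghost_cron and f_remote_loghost_level filters from the config above. The function names and sample lines are constructed for illustration; facility code 9 is named "clock daemon" in RFC 5424 and "cron" in syslog-ng.

```python
import re

# Names by numeric code (RFC 3164 / RFC 5424 numbering). Code 9 is "clock daemon"
# in the RFCs and "cron" in syslog-ng; codes 12-15 are left numeric here because
# their names vary between implementations (RFC 5424 also calls 15 "clock daemon").
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "12", "13", "14", "15"]
              + ["local%d" % i for i in range(8)])
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, level) from the <PRI> prefix of a raw syslog line."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> prefix: %r" % line[:20])
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], LEVELS[pri & 7]

def f_remote_loghost_cron(facility, level):
    # not (facility(cron) and level(info));
    return not (facility == "cron" and level == "info")

def f_remote_loghost_level(facility, level):
    # level(info..emerg);  numerically 6 down to 0, so debug (7) is excluded
    return LEVELS.index(level) <= LEVELS.index("info")

def forwarded(line):
    """True if the line passes both filters. f_ssl_acc_req is not modelled: the
    filters it references (f_httpd_ssl_acc, f_httpd_ssl_req) are not on the page."""
    facility, level = decode_pri(line)
    return f_remote_loghost_cron(facility, level) and f_remote_loghost_level(facility, level)

# Constructed sample lines; only the crond message text comes from the post.
SAMPLES = [
    "<78>Sep 22 10:00:01 F5_NAME crond[11244]: (syscheck) CMD (/usr/bin/system_check -q)",
    "<76>Sep 22 10:00:02 F5_NAME crond[11245]: constructed cron warning",
    "<30>Sep 22 10:00:03 F5_NAME exampled[100]: constructed daemon info",
    "<31>Sep 22 10:00:04 F5_NAME exampled[100]: constructed daemon debug",
    "<126>Sep 22 10:00:05 F5_NAME crond[11246]: constructed facility-15 info",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_pri(s), "forward" if forwarded(s) else "drop")
```

Raw lines with the <PRI> prefix intact can be taken from a packet capture of UDP port 514 on the log host, which shows the facility and level the message actually carries on the wire.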
