I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
For example, if a certain threshold of messages happens in a time window, send an alert. Like suppress() but more general actions.
Or if a specific event happens, send *.debug from that system for 5 minutes.
Or run a program to collect system data and send it along based on some condition.
Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
Thoughts?
Thanks.
Jim
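One way to get the first and third behaviours (threshold in a time window, then run a program) with syslog-ng's own building blocks, added here as an illustrative configuration rather than anything from the original post or from a reply to it: the grouping-by() parser correlates messages by a key over a timeout window and emits a synthetic message once having() is satisfied, and a program() destination hands that message to an external script. The script path /usr/local/bin/on-threshold.sh, the "login failed" match string and the threshold of 20 are assumed values chosen for the example.

```conf
@version: 3.38

# Constructed example: local system messages as the input.
source s_local { system(); internal(); };

# Correlate per host over a 60-second window.  Only messages matching the
# where() filter are counted; when more than 20 have been seen, a single
# synthetic message tagged "threshold-hit" is generated and passed through
# the log path after the parser.
parser p_threshold {
    grouping-by(
        key("${HOST}")
        scope("global")
        timeout(60)
        where(match("login failed" value("MESSAGE")))
        having("$(context-length)" > "20")
        aggregate(
            tags("threshold-hit")
            value("MESSAGE"
                  "${HOST}: $(context-length) failed logins within 60s")
        )
    );
};

# Route only the synthetic message, not the originals, to the action.
filter f_threshold_hit { tags("threshold-hit"); };

# Run the program once and feed it one line per synthetic message (assumed
# script path; the script is where "collect system data and send it along"
# would happen, e.g. run a few diagnostics and ship the result).
destination d_run_action {
    program("/usr/local/bin/on-threshold.sh" template("${MESSAGE}\n"));
};

# Keep the normal file log path untouched.
destination d_file { file("/var/log/messages"); };

log { source(s_local); destination(d_file); };

log {
    source(s_local);
    parser(p_threshold);
    filter(f_threshold_hit);
    destination(d_run_action);
};
```

Two caveats worth knowing before relying on this: program() starts the process once at startup and keeps its stdin open, so the script must loop over lines rather than exit after one; and grouping-by() counts messages per key in memory on the log server, so a very high-cardinality key (for example a client address rather than ${HOST}) needs a short timeout to keep state bounded. The second use case in the post, turning on *.debug forwarding for five minutes after an event, is stateful in a way this parser does not express; a script started the same way can do it by rewriting and reloading a small include file, but that logic lives in the script, not in syslog-ng itself.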