We are trying to deploy event log monitoring in a way that is manageable. What I really need to do this is the ability to use macros in the include/exclude section.
For example:
My Windows systems team is only interested in some of the errors that come through the Application log. With how we are deploying, this needs to be added to the exclude in every template applied to a system.
Unfortunately, they have to override the main template to exclude the items they too are interested in for that system/app in other component checks in the same template (like the critical and warning categories), thus I cannot apply it to the main template and be good.
I now have to touch every event log template when the systems team decides to add something that "they own and are interested in" so it doesn't show up for the app teams.
Exclude section example (assumes a user-built table "custom_eventlog"):
${custom_eventlog.win_exclude}|${custom_eventlog.app1_warn_include}|${custom_eventlog.app1_crit_include}
This would allow me to report on any event errors that passed through these previously identified filters and ensure we don't miss something critical.
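As an added illustration (not code from the original post or from any monitoring product), the following shows how a `${table.column}` macro in an exclude expression could be resolved from a shared lookup table and applied to event entries, so that one change to the table propagates to every template; the table contents, macro syntax handling and sample events are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed stand-in for the user-built "custom_eventlog" table from the
# post. Keys are "table.column"; values are the patterns each team owns.
# All sources and event IDs below are made up for the example.
MACRO_TABLE: Dict[str, List[str]] = {
    "custom_eventlog.win_exclude": ["Source=Schannel", "EventID=36887"],
    "custom_eventlog.app1_warn_include": ["Source=App1.*Warn"],
    "custom_eventlog.app1_crit_include": ["Source=App1.*Critical"],
}

# Matches ${table.column}; the capture group is the lookup key.
MACRO_RE = re.compile(r"\$\{([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\}")


def expand_macros(expr: str, table: Dict[str, List[str]]) -> str:
    """Replace each ${table.column} with its patterns OR-ed in a group.

    An unknown or empty macro raises instead of expanding to "", because an
    empty alternative in a regex matches everything and would silently
    exclude every event.
    """
    def repl(m: re.Match) -> str:
        key = m.group(1)
        if not table.get(key):
            raise KeyError(f"unknown or empty macro: {key}")
        return "(" + "|".join(table[key]) + ")"
    return MACRO_RE.sub(repl, expr)


def apply_exclude(events: List[str], exclude_expr: str,
                  table: Dict[str, List[str]]) -> List[str]:
    """Return the events NOT matched by the expanded exclude expression."""
    pattern = re.compile(expand_macros(exclude_expr, table))
    return [e for e in events if not pattern.search(e)]


# The exclude expression exactly as written in the post.
EXCLUDE = ("${custom_eventlog.win_exclude}|${custom_eventlog.app1_warn_include}"
           "|${custom_eventlog.app1_crit_include}")

# Constructed sample Application-log entries, one field per token.
SAMPLE_EVENTS = [
    "Level=Error Source=Schannel EventID=36887 Msg=fatal alert",
    "Level=Error Source=App1.Worker.Warn EventID=1001 Msg=retry",
    "Level=Error Source=App1.Worker.Critical EventID=1002 Msg=down",
    "Level=Error Source=Backup EventID=500 Msg=job failed",
]

if __name__ == "__main__":
    for e in apply_exclude(SAMPLE_EVENTS, EXCLUDE, MACRO_TABLE):
        print("REPORT:", e)  # only the Backup event remains
```

Only the event no team has claimed through the table is left for the generic error check, which is the "nothing critical slips through" behaviour the post asks for.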