IMO, syslog is important enough that it is worthwhile to have
filtering mechanisms that actually work for syslog.
Generalized filters sound great, but if they are impossible
to use for the most common application (syslog/RAW), then
they are mostly irrelevant. Telling all the vendors "Hey, I have a
really cool XML tool, so if you could re-design and re-code
15,000 or so syslog messages to output an XML subtree instead of text,
well, that would be great."
I suggest coming up with a transition plan, because it will
be about a decade before you get to use your fancy XML tools on
notification content.