Henrik,
Well, may be, we could look at logcheck project. http://logcheck.org . I installed it once and the idea was nice. Every log message was considered as alerts until you create the regexp to ignore it. So, of course, the first days, we would get a lot of alerts on msgs until the database has all the common regular expression. It would be called the "learning time". The nice thing is : if one day, new unknown messages is sent by a client, we are sure to get an alert until we add it to the regexp database.
So, the knowledge database could of course contain include to be able to have some special regulars databases depending the os, the group, the host or the application type to be able to organize clearly the regexp database. All regexp entries in the database would include the alert type and help notes to understand alerts as you all said.
To get configuration from the hobbit server, I think the actual protocol would may be need an extra word :
The actual config message is sent from the client to the hobbit server with only one argument the filename :
Config <filename>
I think for the future, it will be easyer if you implement config message like this :
Config <filename> <hostname>
(sorry for the bad English)
-- Etienne