This goes with #3 but is different in that this would be a specific output only triggered by specific conditions that are entirely based on user defined configuration. The easiest way would be to use the outcome of #3, but this again means a very rigid system that means direct development for adding new alerting sinks.

The idea here would be to allow triggering an alert from the filter subsystem. This would allow users to configure arbitrary alerts based on event data.