Without getting too technical, like bkyle said, you have to know what it is you want to focus on. I have a couple of rules set up for my firewalls: one that simply dumps everything to log files, and another that looks for specific messages (i.e. user logins, command inputs). When those message IDs are found, an email is sent with a copy of the syslog message.
You can have Kiwi alert on things such as:
- failed/successful login attempts
- Configuration Changes
- Interface status changes
- Connections to/from specific IPs
I know all of mine seem to be geared more towards firewall equipment, but depending on what you're monitoring, you'll know what's important to you and what's not.
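The two-rule setup described in the post above, sketched as an added example that is not part of the original post and not Kiwi's own configuration. It assumes Cisco ASA-style `%ASA-<severity>-<id>` tags and message IDs, which the post does not name; the sample log lines and the watched IP are constructed, and the returned alert list stands in for the email action.

```python
import re

# Assumed Cisco ASA-style message IDs; the post names no vendor or IDs.
ALERT_IDS = {
    "605004": "failed login",
    "605005": "successful login",
    "111008": "command executed",
    "111010": "configuration change",
    "411001": "interface up",
    "411002": "interface down",
}
WATCHED_IPS = {"203.0.113.50"}  # constructed example address

TAG = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def route(lines):
    """Rule 1 archives every line; rule 2 alerts on chosen IDs or watched IPs."""
    archive, alerts = [], []
    for line in lines:
        archive.append(line)              # rule 1: keep everything
        m = TAG.search(line)
        if not m:
            continue                      # unparsed lines are archived only
        reason = ALERT_IDS.get(m["id"])
        if reason is None and WATCHED_IPS & set(IPV4.findall(m["text"])):
            reason = "watched IP"
        if reason:                        # rule 2: this is where mail would go out
            alerts.append((reason, m["id"], line))
    return archive, alerts

# Constructed sample messages, not taken from a real device.
SAMPLE = [
    'Mar 03 10:15:02 fw01 %ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user "admin"',
    "Mar 03 10:15:40 fw01 %ASA-5-111008: User 'admin' executed the 'write memory' command.",
    "Mar 03 10:16:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.0.0.7/50111 (10.0.0.7/50111)",
    "Mar 03 10:16:05 fw01 %ASA-6-302013: Built outbound TCP connection 4712 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.0.0.8/50112 (10.0.0.8/50112)",
    'Mar 03 10:17:00 fw01 %ASA-6-605004: Login denied from 10.0.0.9/40222 to inside:10.0.0.1/ssh for user "root"',
    "line with no message tag",
]

if __name__ == "__main__":
    archive, alerts = route(SAMPLE)
    print(f"archived {len(archive)} lines, {len(alerts)} alerts")
    for reason, msg_id, line in alerts:
        print(f"[{reason}] {msg_id}: {line}")
```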