Alert for reciept of SYSLOG from a specific host

[mstannh]

We need to alert when a specific external rhel linux host (not a GRID host) forwards a SYSLOG event to the SO Forward node.
I have read the documentation and watched the video on PlayBook and it seems that creating a new Play is the way to go.
In the video detection example, a Windows event is used and in the detection selection section a specific EventID is used to trigger selection.
I used the Hunt module to review metadata for SYSLOG items that have been passed to the Forward Node. I did not see an EventID to incorporate in the new play.
Any suggestions as to which field(s) I should use?

Any comments are appreciated.
Thank you.

[defensivedepth]

What are the values for the event.module & event.dataset fields in one of the logs that you want to generate an alert for?