rsyslog: execute script on matching log event
You are looking for omprog.
module(load="omprog")
action(type="omprog"
       binary="/pathto/omprog.py --parm1=\"value 1\" --parm2=\"value2\""
       template="RSYSLOG_TraditionalFileFormat")
See the docs for more details: http://www.rsyslog.com/doc/v8-stable/configuration/modules/omprog.html
The following runs "hi.bash" for me if a message contains "hellothere"
:msg, regex, "hellothere" ^/usr/local/bin/hi.bash
According to the docs, it waits for it to finish, so although it works, I imagine it causes dropped events.
There's a way to send a Templated parameter, but I haven't played with it.
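Both answers above hand the matching message to an external program, but in different ways: omprog starts the program once and writes each formatted message to its stdin as one line, while the legacy `^/path/to/script` action forks the program for every message and passes the message text as a command-line argument (which is where the blocking and dropped-event worry comes from). The script below is an added example, not code from the thread or from the rsyslog project, showing one receiver that works in either mode: it parses the RSYSLOG_TraditionalFileFormat layout, looks for the thread's "hellothere" keyword, and appends an alert line to a file. The alert file path `/var/log/matched-events.log`, the sample lines and the keyword are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Receiver for messages dispatched by rsyslog (added example, not the thread's code).

Two delivery modes are handled:
  * omprog: rsyslog keeps this process running and writes one formatted
    message per line to stdin, so we loop over stdin until the pipe closes.
  * legacy "^/path/to/script" action: rsyslog starts the program once per
    message and passes the message text as a command-line argument.
"""
import re
import sys

# Assumption for this example: where matched events are appended.
ALERT_LOG = "/var/log/matched-events.log"

# RSYSLOG_TraditionalFileFormat lines look like:
#   "Jan  5 10:15:32 web01 sshd[1234]: some message"
TRADITIONAL_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Keyword from the thread; in practice this would come from configuration.
WATCH_RE = re.compile(r"hellothere")

# Constructed sample input so the module can be exercised offline.
SAMPLE_LINES = [
    "Jan  5 10:15:32 web01 sshd[1234]: hellothere from 10.0.0.5\n",
    "Jan  5 10:15:33 web01 cron[55]: job done\n",
    "Jan 12 10:15:34 db02 kernel: hellothere\n",
]


def parse_traditional(line):
    """Split a TraditionalFileFormat line into its fields, or return None."""
    m = TRADITIONAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["tag"] = fields["tag"].strip()
    return fields


def handle_line(line):
    """Classify one message; returns a dict describing the decision.

    Keeping the decision separate from I/O makes it testable and keeps the
    omprog loop free of anything that could block besides reading stdin.
    """
    fields = parse_traditional(line)
    if fields is None:
        # Not in the expected template (a different template, or the legacy
        # "^" action passing only the raw message): inspect the raw text.
        fields = {"host": "unknown", "tag": "unknown", "pid": None, "msg": line.strip()}
    if not WATCH_RE.search(fields["msg"]):
        return {"action": "ignored", "host": fields["host"], "tag": fields["tag"]}
    return {"action": "alert", "host": fields["host"], "tag": fields["tag"], "msg": fields["msg"]}


def format_alert(result):
    """Render an alert decision as one log line (without trailing newline)."""
    return "ALERT host={host} tag={tag} msg={msg}".format(**result)


def process_stream(lines):
    """Yield alert lines for an iterable of messages (e.g. sys.stdin)."""
    for line in lines:
        result = handle_line(line)
        if result["action"] == "alert":
            yield format_alert(result)


def demo():
    """Run the pipeline over the constructed sample and return the alerts."""
    return list(process_stream(SAMPLE_LINES))


def main(argv):
    if len(argv) > 1:
        # Legacy "^" action: the message arrives as a command-line argument.
        source = [" ".join(argv[1:])]
    else:
        # omprog: one message per line on stdin, until rsyslog closes the pipe.
        source = sys.stdin
    with open(ALERT_LOG, "a") as out:
        for alert in process_stream(source):
            out.write(alert + "\n")
            out.flush()  # do not hold alerts in a buffer if rsyslog stops us


if __name__ == "__main__":
    main(sys.argv)
```

Because omprog feeds the long-running process over a pipe, a slow `handle_line` only backs up this action's queue in rsyslog rather than stalling the program start per message that the legacy `^` action pays; keep whatever the script does per line cheap, and push anything expensive (notifications, lookups) to a separate worker.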
Maybe you should use something like http://www.logcheck.org/ instead of running your script for each security incident via rsyslog.