rsyslog: execute script on matching log event

You are looking for omprog.

module(load="omprog")
action(type="omprog"
       binary="/pathto/omprog.py --parm1=\"value 1\" --parm2=\"value2\""
       template="RSYSLOG_TraditionalFileFormat")

See the docs for more details: http://www.rsyslog.com/doc/v8-stable/configuration/modules/omprog.html
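
As an added example (not code from this answer or from the rsyslog project), here is a sketch of the program behind binary=: omprog writes each formatted message to the program's stdin, one per line, so the script loops over stdin rather than being started once per event. The per-host cool-down and the arguments handed to the script are assumptions; the match string and script path are the ones that appear on this page.

```python
#!/usr/bin/env python3
"""Sketch of an omprog handler: rsyslog writes one formatted message per line to stdin."""
import re
import subprocess
import sys
import time

# RSYSLOG_TraditionalFileFormat: "Mmm dd hh:mm:ss host tag: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^:\s]+):? ?(.*)$")
PATTERN = re.compile(r"hellothere")      # match string taken from the page
ACTION = ["/usr/local/bin/hi.bash"]      # script path taken from the page
MIN_INTERVAL = 5.0                       # assumed: seconds between runs per host


def parse(line):
    """Split one line into timestamp, host, tag and msg; None if malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return dict(zip(("timestamp", "host", "tag", "msg"), m.groups()))


def should_fire(event, last_fired, now):
    """True when the message matches and the host is outside its cool-down."""
    if event is None or not PATTERN.search(event["msg"]):
        return False
    if now - last_fired.get(event["host"], float("-inf")) < MIN_INTERVAL:
        return False
    last_fired[event["host"]] = now
    return True


def run_action(event):
    """Start the script without a shell; log text is passed as plain argv data."""
    subprocess.Popen(ACTION + [event["host"], event["msg"]],
                     stdin=subprocess.DEVNULL, close_fds=True)


def main(stream=sys.stdin):
    last_fired = {}
    for line in stream:                  # loop ends when rsyslog closes the pipe
        event = parse(line)
        if should_fire(event, last_fired, time.monotonic()):
            run_action(event)


if __name__ == "__main__":
    main()
```

Log content is written by whoever can generate the event, so the handler never builds a shell command line from it, and the cool-down keeps a burst of matching messages from starting a process per line.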


The following runs "hi.bash" for me if a message contains "hellothere":

:msg, regex, "hellothere" ^/usr/local/bin/hi.bash

According to the docs, it waits for it to finish, so although it works, I imagine it causes dropped events.

There's a way to send a templated parameter, but I haven't played with it.


Maybe you should use something like http://www.logcheck.org/ instead of running your script for each security incident via rsyslog.
