I am trying to run a script every time an error is found in logs Module xm_exec Module im_file File "/home/rafal/gitprojects/mst-sender/hub.cloudradar-error.log" if $raw_event =~ /(\S+)\ (.+) \[ERROR (.+)/ { exec_async("/bin/sh", "/home/rafal/gitprojects/mst-sender/run.sh"); } From the documentation it looks like it should exec async if regex matches but I am seeing only the following log WARNING not starting unused module in and the script is not executed. I don't need to output it, only run that script. I added a route but this aint helping too Module om_null # Basic route Path in => out1 I created another config file as follows just to log a warning but again its not getting executed define ACTION { log_warning("dropping message"); drop(); } Module xm_exec Module im_file File 'D:\mst-sender\hub.cloudradar-error.log' Exec if $raw_event =~ /ERROR/ %ACTION% Module om_null # Basic route Path in => out1 and here is my config file 04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice: Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96 04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice: Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96 **UPDATE** I found the problem. It's a silly mistake of mine You need to **make changes** in the log file to see the log lines being parsed.