I am trying to get syslog-ng 1.6.0rc3 to run a program as soon as it receives a message that matches a specific string, but I am having a few problems. My syslog-ng.conf file has the following set up: options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off); use_dns (yes); use_fqdn (no); create_dirs (yes); keep_hostname (yes); }; source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); }; source s_udp { udp(); }; source s_tcp { tcp(); }; destination d_prog { program("/path/to/program.pl" template("$HOST,$MSG\n")); }; filter f_fetch { level(notice) and match("MATHC_STRING"); }; log {source(s_sys); source(s_udp); source(s_tcp); filter(f_fetch); destination(d_prog); }; My first question is an easy one. My perl program has the form: while ($line=<>) { ... } Is this correct? When syslog-ng forks my perl script, can I assum that STDIN is always open or should my script have a form like so? while (1) { $line=<>; ... } My second question has to do with when the perl script is run. It looks like syslog-ng waits for either several log messages or gets a SIGTERM (or similar) before it runs the program. I would like for this to happen in real time. The only option I see that might change the timimg of when the program is run is log_fifo_size. But since I have to use a production system that collects over 20K log messages/day for development (yes, this is bad), I would like to know if I'm on the right track before I change anything. Any info would be helpful. Thanks. Aaron