If you really need to intercept events in realtime logs, then you can come up with one way, though very perverted and wasteful. You need to configure the sending of Syslog logs to the local address of the router, in the firewall rules in the chain, create a rule that will intercept the desired message with logs (by the Content field) and create a dynamic address-list entry, and in the scheduler check for the presence of such an entry and, when it appears, do some action.
Concept config that monitors the appearance in the log of the "testtest" line sent from some script or command line (firewall rules must be before the rule that allows established + related traffic):

# создаем интерфейс, на который можно повесить ip-адрес
/interface bridge add name=logging-bridge
# создаем локальный ip-адрес, на который будем слать Syslog
/ip address add address=127.0.0.2 interface=logging-bridge
# прописываем Syslog-сервер, на который будут отправляться логи
/system logging action add name=remote2logwarch remote=127.0.0.2 target=remote
# задаем отправку логов ни этот сервер, в topics прописываем нужные разделы вместо script
/system logging add action=remote2logwarch topics=script
# создаем правило, которое создает запись в address-list при наличии нужной подстроки в полученном syslog-пакете
/ip firewall filter add action=add-src-to-address-list address-list=_logwatch_testtest address-list-timeout=1m chain=input content=testtest dst-address=127.0.0.2 dst-port=514 protocol=udp
# создаем шедулер, который проверяет наличие нужной записи в address-list и выполняет какие-либо действия
/system scheduler add interval=1s name=logwatch_testtest_1sec on-event=":if [ /ip firewall address-list find where dynamic && list=\"_logwatch_testtest\" ] do={ /ip firewall address-list remove [find dynamic && list=\"_logwatch_testtest\"]; /log info \"log entry catched!\" }\r\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/2021 start-time=00:00:00