1325521875.165 93 127.0.0.1 TCP_MISS/302 667 GET http://www.google.co.uk/sorry/?continue=http://www.google.co.uk/search%3Fq%3Just+an+axample - ROUNDROBIN_PARENT/proxy_218 text/html

my @cutoff = grep /proxy_/,@_;
s/ROUNDROBIN_PARENT\///g for @cutoff;
@cutoff = grep /@cutoff/,@cfg;
[download]

cache_peer 111.222.121.1 parent 60099 0 no-query no-digest originserver name=proxy_218 round-robin login=login:pass connect-timeout=3

cache_peer_access proxy_218 allow all

# ./MY__SCRIPT.pl 1325521875.165 93 127.0.0.1 TCP_MISS/302 667 GET http://www.google.co.uk/sorry/?continue=http://www.google.co.uk/search%3Fq%3Just+an+axample - ROUNDROBIN_PARENT/proxy_218 text/html

Your main problem is that you need to split the line you're passing to ban()

    m|/sorry/| && ban(split ' ', $_);
[download]

With that input, your above three lines would start to make some sense.

Thing is that, in contrast to command line arguments, a string you pass as one parameter to a subroutine is not automatically split.  I.e., when you say on the command line

# ./script.pl foo bar baz
[download]

you get the three words "foo", "bar", "baz" as separate elements in the array @ARGV (which I suppose you were using in the working command line version in place of @_). This is because the shell splits the command line on whitespace, before the arguments are placed in @ARGV.

OTOH, when you pass "foo bar baz" as a single string to a subroutine, it is left as is, so the array @_ holds one element, which is the entire string.  In other words, after your grep for /proxy_/, you still have the entire string in @cutoff — and the rest of the code stops working...

That said, you could also leave your ban($_) call as is, and simply extract the relevant part of the string with a regex capture:

sub ban {
    my $line = shift;
    ...

    my ($proxy) = $line =~ m| - \S+/(proxy_\S+)|;
    my @cutoff = grep /$proxy/, @cfg;
    ...
[download]

Thank you for all your efforts, it seems we've almost got it working. But there is one thing that bothers me now: Script works correct, but only once. It can detect one event and even handle it correctly, but if second event occurs, it doubles ( it writes a second copy of the squid.conf to the same file) squd.conf and grey.list files, and squid quits with an error. The weird thing that filehandles are open for a writing and not for appending, it means that any content should be rewritten with the new one. So I think the problem is in @cfg array, it's getting doubled somehow.

#!/usr/bin/perl
# Squid reconfiguration script rev: 0.91
#
use File::Tail;
sub ban {
open( CFG, "<", "/etc/squid/squid.conf" );
    while ( <CFG> ) {
    push @cfg, $_;
    }
close(CFG);
#my $line = shift;
#my ($proxy) = $line =~ m| - \S+/(proxy_\S+)|;
#my @cutoff = grep /$proxy/, @cfg;

my @cutoff = grep /proxy_/,@_;
s/ROUNDROBIN_PARENT\///g for @cutoff;
@cutoff = grep /@cutoff/,@cfg;


open( GREY, ">>", "/etc/squid/all.grey" );
if (@cutoff) {
            print GREY @cutoff;
            print GREY "10\n";
}
close (GREY);

print "Banned parrent: @cutoff\n";
print " Strings with parrent in conf: @cutoff\n";

open( EXC, ">", "/etc/squid/squid.conf" );
my %dels = map { $_ => 1 } @cutoff;
@cfg = grep !$dels{$_}, @cfg;
print EXC @cfg;
close (EXC);
@args = ("/etc/init.d/squid", "reload");
system(@args) == 0 or die "system @args failed: $?" ;
}

my $name = "/var/log/squid/access.log";
my $ref=tie *FH,"File::Tail",(name=>$name, maxinterval=>1);
     while (<FH>) {
        m|/sorry/| && ban (split ' ',$_);

}
[download]