https://zindilis.com/docs/apache-logs-to-remote-syslog.html

Rsyslog filters syslog messages according to selected properties and actions. The rsyslog filters are as follows:

- Facility or priority filters
- Property-based filters
- Expression-based filters

The facility filter is represented by the Linux internal subsystem that produces the logs. Facilities are categorized as follows:

- auth/authpriv = messages produced by authentication processes
- cron = logs related to cron tasks
- daemon = messages related to running system services
- kernel = Linux kernel messages
- mail = mail server messages
- syslog = messages related to syslog or other daemons (DHCP server sends logs here)
- lpr = printers or print server messages
- local0 - local7 = custom messages under administrator control

Each priority or severity level is assigned a keyword and a number, as described below:

- emerg = Emergency – 0
- alert = Alerts – 1
- err = Errors – 3
- warn = Warnings – 4
- notice = Notification – 5
- info = Information – 6
- debug = Debugging – 7 (highest level)

There are also some special rsyslog keywords available: the asterisk (*) sign, which defines all facilities or priorities; the none keyword, which specifies no priorities; the equal sign (=), which selects only that priority; and the exclamation sign (!), which negates a priority.

The action part of a syslog rule is represented by the destination statement. The destination of a log message can be a file stored in the file system, a file in the /var/log/ system path, or the input of another local process via a named pipe or FIFO. Log messages can also be directed to users, discarded to a black hole (/dev/null), or sent to stdout or to a remote syslog server via the TCP or UDP protocol. Log messages can also be stored in a database, such as MySQL or PostgreSQL.
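
To see how the special keywords (*, none, = and !) combine into a routing decision, the following Python model evaluates facility.priority selectors against a message. It is an added example, not code from the original page or from rsyslog itself. It assumes the traditional syslog.conf selector semantics (a bare priority matches that severity and anything more severe; selectors joined by ";" apply left to right), and the rule set and the host loghost.example.com are constructed for illustration.

```python
# Added example: a simplified model of facility.priority selector matching.
# Severity keywords and their standard syslog numbers (0 = most severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warn": 4, "notice": 5, "info": 6, "debug": 7}

def allowed_severities(selector_line, facility):
    """Return the severity numbers a selector line lets through for one
    facility. Later selectors can widen, narrow or clear earlier ones."""
    allowed = set()
    for selector in selector_line.split(";"):
        facilities, _, prio = selector.strip().partition(".")
        names = [f.strip() for f in facilities.split(",")]
        if "*" not in names and facility not in names:
            continue                      # selector is about other facilities
        negate = prio.startswith("!")     # "!" removes instead of adds
        prio = prio.lstrip("!")
        exact = prio.startswith("=")      # "=" means only that one severity
        prio = prio.lstrip("=")
        if prio == "none":
            allowed.clear()               # facility excluded from this rule
            continue
        if prio == "*":
            picked = set(SEVERITY.values())
        elif exact:
            picked = {SEVERITY[prio]}
        else:
            # Bare keyword: this severity and everything more severe,
            # i.e. all numbers from 0 up to the keyword's number.
            picked = set(range(SEVERITY[prio] + 1))
        allowed = allowed - picked if negate else allowed | picked
    return allowed

def matches(selector_line, facility, severity):
    return SEVERITY[severity] in allowed_severities(selector_line, facility)

# Constructed rule set: (selector, destination). "@@host:port" is the
# legacy rsyslog notation for forwarding over TCP.
RULES = [
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("mail.=info", "/var/log/mail.info"),
    ("local0.warn;local0.!err", "/var/log/app-warn.log"),
    ("*.emerg", "@@loghost.example.com:514"),
]

def route(facility, severity):
    """List every destination whose selector accepts the message."""
    return [dest for sel, dest in RULES if matches(sel, facility, severity)]
```

Note how `auth,authpriv.none` keeps authentication messages out of the general log while the dedicated rule still captures them, and how `local0.warn;local0.!err` narrows a "warn and above" selector down to warnings only.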