At some point you will need to create new rsyslog rules, and you will want to know what value each rsyslog property holds for a given message. Here is how to find out.
Create the file /etc/rsyslog.d/enableDebug.conf with the following content:
*.* /var/log/all.log;RSYSLOG_DebugFormat
This file applies the RSYSLOG_DebugFormat template to every message arriving at the rsyslog daemon and writes the debug output to /var/log/all.log.
Next, restart the rsyslog daemon and check /var/log/all.log.
You will find entries like the following, in which every property is easy to identify:
Debug line with all properties:
FROMHOST: '10.11.1.2', fromhost-ip: '10.11.1.2', HOSTNAME: 'vnu-itp', PRI: 142,
syslogtag 'logger:', programname: 'logger', APP-NAME: 'logger', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Aug 26 13:42:31', STRUCTURED-DATA: '-',
msg: ' 10.11.21.77 - - [26/Aug/2011:13:42:31 +0700] "GET /webmail/?_task=mail&_action=check-recent&_t=1314345048866&_list=1&_search=056f11e7f6181122079878bceacca04a&_remote=1&_=1314345048867&_unlock=1 HTTP/1.1" 200 164 "https://vnu-itp.edu.vn/webmail/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"'
escaped msg: ' 10.11.21.77 - - [26/Aug/2011:13:42:31 +0700] "GET /webmail/?_task=mail&_action=check-recent&_t=1314345048866&_list=1&_search=056f11e7f6181122079878bceacca04a&_remote=1&_=1314345048867&_unlock=1 HTTP/1.1" 200 164 "https://vnu-itp.edu.vn/webmail/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"'
rawmsg: '<142>Aug 26 13:42:31 vnu-itp logger: 10.11.21.77 - - [26/Aug/2011:13:42:31 +0700] "GET /webmail/?_task=mail&_action=check-recent&_t=1314345048866&_list=1&_search=056f11e7f6181122079878bceacca04a&_remote=1&_=1314345048867&_unlock=1 HTTP/1.1" 200 164 "https://vnu-itp.edu.vn/webmail/?_task=mail" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"'
After correctly identifying the variables we will use to filter, we can create another .conf file in /etc/rsyslog.d/ with the necessary rules:
if $syslogfacility-text == 'local3' and $programname == 'tag1' then /var/log/tag1.log
& ~
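The & applies a further action to the messages matched by the preceding filter, and ~ discards them, so & ~ means: discard this message once the filter has written it, so that no later rule processes it. On rsyslog v7 and later the ~ action is deprecated, and & stop does the same thing.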
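
To go from a debug block to a filter without reading the numbers by hand, the following added example (not part of the original page or of rsyslog) parses one RSYSLOG_DebugFormat block, decodes PRI into the keywords that $syslogfacility-text and $syslogseverity-text would hold, and builds the condition part of a rule. The function names are hypothetical, and the sample is the debug line above with the msg text shortened.

```python
import re

# Facility keywords by numeric code (names for codes 12-15 vary between implementations).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PAIR = re.compile(r"([\w-]+):?\s+'([^']*)'")   # NAME: 'value' or NAME 'value'
FREE_TEXT = ("msg", "escaped msg", "rawmsg")    # values that may contain quotes

# Constructed sample: the page's debug line with the msg text shortened.
SAMPLE = """Debug line with all properties:
FROMHOST: '10.11.1.2', fromhost-ip: '10.11.1.2', HOSTNAME: 'vnu-itp', PRI: 142,
syslogtag 'logger:', programname: 'logger', APP-NAME: 'logger', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Aug 26 13:42:31', STRUCTURED-DATA: '-',
msg: ' 10.11.21.77 - - "GET /webmail/ HTTP/1.1" 200 164'
escaped msg: ' 10.11.21.77 - - "GET /webmail/ HTTP/1.1" 200 164'
rawmsg: '<142>Aug 26 13:42:31 vnu-itp logger: 10.11.21.77 - - "GET /webmail/ HTTP/1.1" 200 164'
"""

def parse_debug_block(text):
    """Return a dict of lower-cased property names from one debug block."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        name = next((n for n in FREE_TEXT if line.startswith(n + ": '")), None)
        if name:  # value runs from the first quote to the last quote on the line
            props[name] = line[len(name) + 3:line.rindex("'")]
            continue
        props.update((k.lower(), v) for k, v in PAIR.findall(line))
        pri = re.search(r"\bPRI:\s*(\d+)", line)
        if pri:
            props["pri"] = int(pri.group(1))
    return props

def decode_pri(pri):
    """Split PRI into (facility, severity) keywords: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside the valid range 0-191")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def filter_condition(props):
    """Build the condition part of a rule like the one shown on the page."""
    facility, _ = decode_pri(props["pri"])
    return f"$syslogfacility-text == '{facility}' and $programname == '{props['programname']}'"

if __name__ == "__main__":
    p = parse_debug_block(SAMPLE)
    print(decode_pri(p["pri"]), filter_condition(p))
```

For the sample, PRI 142 decodes to facility local1 and severity info, so a rule meant to catch that message has to compare $syslogfacility-text against 'local1'.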