Conseguiu descobrir.
# Apache access file:
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
#$InputFileSeverity crit
$InputFilePersistStateInterval 20000
if $programname == "apache-access" then {
#if ($msg contains " 500 ") then $InputFileSeverity error
if ($msg contains " 500 ") then $InputFileSeverity info
action(type="ommysql" server="127.0.0.1" serverport="3306" db="Syslog" uid="rsyslog" pwd="somepasswd")
stop
}
$InputRunFileMonitor
Coloque o $InputRunFileMonitor
após o condicional e ele funciona.