1) PrivDropTo doesn't need to match $File. Certainly not for the group. But PrivDropToUser should be able to read files created by FileOwner. Else, rsyslog can't read the files it creates.
2) syslog:adm is fine. The group doesn't matter so much. adm is the recommended group for system log files.
3) Yes, adm is for read-only access to system files.
4) No, syslog doesn't need to be in adm.
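An added example (not part of the original answer, and not rsyslog's own code) that makes the relationship in point 1 checkable: it reads rsyslog's legacy `$FileOwner`, `$FileGroup`, `$FileCreateMode`, `$PrivDropToUser` and `$PrivDropToGroup` directives and works out which permission bits the privilege-dropped process gets on the files it creates. The sample configuration, the `logd` account in the note below, and the `supplementary_groups` parameter are constructed for illustration.

```python
import re

# Constructed sample using rsyslog's legacy directives (not taken from the page).
SAMPLE_CONF = """\
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$PrivDropToUser syslog
$PrivDropToGroup syslog
"""

DIRECTIVE = re.compile(r"^\s*\$(\w+)\s+(\S+)", re.MULTILINE)
REQUIRED = ("fileowner", "filegroup", "filecreatemode",
            "privdroptouser", "privdroptogroup")


def parse_directives(conf_text):
    """Return {lowercased directive: value}; a later line overrides an earlier one."""
    return {name.lower(): value for name, value in DIRECTIVE.findall(conf_text)}


def effective_access(conf_text, supplementary_groups=()):
    """Permission triplet ("rw-", "r--", "---") that the dropped-privilege
    rsyslog process has on files created with FileOwner/FileGroup/FileCreateMode.

    supplementary_groups is a hypothetical input: the extra groups of the
    PrivDropToUser account (on a live host, the output of `id -Gn <user>`).
    """
    d = parse_directives(conf_text)
    missing = [k for k in REQUIRED if k not in d]
    if missing:
        raise ValueError("directives not set: " + ", ".join(missing))
    mode = int(d["filecreatemode"], 8)
    run_groups = {d["privdroptogroup"], *supplementary_groups}
    # POSIX picks exactly one class: owner first, then group, then other.
    if d["privdroptouser"] == d["fileowner"]:
        shift = 6
    elif d["filegroup"] in run_groups:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))


if __name__ == "__main__":
    print("dropped user access:", effective_access(SAMPLE_CONF))
```

With the sample, `syslog` owns the files and gets `rw-` without being a member of `adm`; a different drop-to user such as the constructed `logd` would get `---`, or only `r--` if it were added to `adm`.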