It is best to only change $umask once and use $FileCreateMode instead to change the mode.
Add the $umask near the top of the configuration file, such as at the top of the GLOBAL DIRECTIVES section of /etc/rsyslog.conf. Make sure it is set before any $IncludeConfig directives. Use $umask 0022 to stop files from being able to be written to by anyone, or $umask 0000 to remove all restrictions for $FileCreateMode.
Set $FileCreateMode right before the rule that creates the file. It might look something like shown below.
# The authpriv file has restricted access.
For the sake of simplicity, $umask can be ignored entirely, and $FileCreateMode can be used instead to control all file permissions. Set $umask to 0000 at the start of rsyslog.conf and then use $FileCreateMode as needed.
You can use the $FileCreateMode directive more than once. If you do this, the new value will be used until you find another $FileCreateMode or reach the end of the configuration.
If $umask is set more than once in the configuration file, the results may not be what you expect. It is best to only mention it once.