Hello @O.Shulha,
Looking the regular expression you are using I think it's almost correct.
The pattern should be:
multiline.pattern: '^ncs:.*'
looking a the other errors which come from the elasticsearch output, I think its a mapping issues, and there is some work around and solution in Logstash errors after upgrading to filebeat-6.3.0
[2019-07-23T09:20:55,281][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-syslog-2019.07.23", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x6cde57c2>], :response=>{"index"=>{"_index"=>"logstash-syslog-2019.07.23", "_type"=>"_doc", "_id"=>"-sciHmwBv7eJVn6lOJd9", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text] in document with id '-sciHmwBv7eJVn6lOJd9'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:75"}}}}}