Help to GROK parse JBoss EAP 6 access log

Problem solved!!!

The tip was found in Grokparsefailure, but works in grok debugger

The Logstash message was a bit different; it was:

200.155.87.165 - - [13/Apr/2017:11:00:33 -0300] "GET /ibhbagendamentoacao/compra.jsf?CTL=3178956819215030102050 HTTP/1.1" 200 38752 "https://www.hb.prebanco.com.br/ibhbagendamentoacao/acompanhamento.jsf?CTL=3178956819215030102050" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)" 247 0.247

And the proper regex became:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{NUMBER:microsecond:int} %{NUMBER:second:float}

See you.

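An added example, not part of the original post and not Logstash code: a Python sketch that expands the grok pattern above into a regular expression and runs it against the log line from the post, plus a constructed line without the two trailing timing fields. The sub-pattern definitions in `GROK` are simplified stand-ins assumed for this example, not the definitions shipped with Logstash, and `compile_grok` and `parse` are hypothetical helper names.

```python
import re

# Simplified stand-ins for the grok sub-patterns (assumption: approximations
# only, not the pattern definitions that ship with Logstash).
GROK = {
    "IPORHOST": r"[0-9A-Za-z.:\-]+",
    "USER": r"[a-zA-Z0-9._-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "QS": r'"(?:[^"\\]|\\.)*"',  # like grok's QS, the capture keeps the quotes
}
TYPES = {"int": int, "float": float}

PATTERN = (r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} '
           r'\[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{NOTSPACE:request} '
           r'HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes} '
           r'%{QS:referer} %{QS:agent} '
           r'%{NUMBER:microsecond:int} %{NUMBER:second:float}')

def compile_grok(pattern):
    """Turn %{NAME:field[:type]} references into named regex groups."""
    casts = {}
    def expand(m):
        name, field, cast = m.groups()
        if cast:
            casts[field] = TYPES[cast]
        return "(?P<%s>%s)" % (field, GROK[name])
    return re.compile(re.sub(r"%\{(\w+):(\w+)(?::(\w+))?\}", expand, pattern)), casts

REGEX, CASTS = compile_grok(PATTERN)

def parse(line):
    """Return the extracted fields, or None where Logstash would tag _grokparsefailure."""
    m = REGEX.match(line)
    if m is None:
        return None
    event = m.groupdict()
    for field, cast in CASTS.items():
        event[field] = cast(event[field])
    return event

# The access log line quoted in the post.
LINE = ('200.155.87.165 - - [13/Apr/2017:11:00:33 -0300] "GET /ibhbagendamentoacao/compra.jsf?CTL=3178956819215030102050 HTTP/1.1" 200 38752 '
        '"https://www.hb.prebanco.com.br/ibhbagendamentoacao/acompanhamento.jsf?CTL=3178956819215030102050" '
        '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)" 247 0.247')
# Constructed variant: the same line without the two trailing timing fields.
NO_TIMING = LINE[:-len(" 247 0.247")]

if __name__ == "__main__":
    print(parse(LINE))
    print(parse(NO_TIMING))  # None: the pattern requires both trailing numbers
```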