How to add more than one paramter for filter

filter {
if [type] == "access" {
grok {
match => { "message" => "%{IPV4:ip} (?(msg "[A-Za-z ]+))" }
}
}
}

how to make it work. No matching is being done here for cause filed,

What's this "parameter" you're talking about? What cause field? Perhaps giving an example would make it easier to understand what you want to accomplish.

This is my log.

[Tue Sep 04 11:02:41.131421 2018] [:error] [pid 1676:tid 140286281889536] [client 192.168.1.3:56294] [client 192.168.1.3] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "792"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.12"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.12"] [uri "/icons/openlogo-75.png"] [unique_id "W44Y@X8AAQEAAAaMruMAAAAH"], referer: http://192.168.1.12/

(?((?<=msg ").[A-Za-z ]+)) %{IPV4:clientip}

So i am trying the above expression.
If they are given separate in grok debugger it works but when combining it shows "Provided Grok patterns do not match data in the input"

Okay, but what's the goal? You just want to extract the client IP address?

ip address and msg field..

\[msg %{QS:msg}\] \[data "%{IP:clientip}"\]

filter {
if [type] == "access" {
grok {
match => { "message" => "[msg %{QS:msg}] [data "%{IP:clientip}"]" }
}

}
}

can i use like this.

Yes, that's how grok expressions are used.

input {
  beats {
    port => 5443
    type => access
  }
}

filter {
  if [type] == "access" {
        grok {
        match => { "message" => "[msg %{QS:msg}] [data "%{IP:clientip}"]" }
        }
  }
}

output {
  elasticsearch { hosts => ["192.168.1.4:9200"]
    hosts => "192.168.1.4:9200"
    manage_template => false
  }
}

This my configuration file.

and am getting grokparsefailure on kibana.

I asked for two things in the other thread and you've only provided one of them.

Also, always post configuration as preformatted text. Use markdown notation or the </> toolbar button. Unless you do this your configuration may get mangled as you post it.

from now own i will keep that in mind.

Configuration is there and am verifying output in kibana and it showing grokparsefailure

match => { "message" => "[msg %{QS:msg}] [data "%{IP:clientip}"]" }

This isn't valid syntax so I don't think this really is what your configuration looks like. In particular, I think you have a few backslashes in there.

Configuration is there and am verifying output in kibana and it showing grokparsefailure

Please show an example event, e.g. by copying from Kibana's JSON tab.

Sorry this configuration doesn't make any output.

works and gives me the ip. but i want to add more fields for msg and severity.
When i try to do that its giving the desired output.
Sometimes grokparsefailure other times no output.

and 1 more thing i forgot to mention input and filter and output are in different configuration files.

If you don't provide what I ask for I won't be able to help.

{
  "_index": "logstash-2018.09.06",
  "_type": "doc",
  "_id": "BxsBrmUBBMpmok0jOS_H",
  "_version": 1,
  "_score": null,
  "_source": {
    "prospector": {
      "type": "log"
    },
    "message": "[Thu Sep 06 14:00:28.444298 2018] [:error] [pid 16662:tid 139672042850048] [client 192.168.1.3:54909] [client 192.168.1.3] ModSecurity: Warning. Pattern match \"^[\\\\\\\\d.:]+$\" at REQUEST_HEADERS:Host. [file \"/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"810\"] [id \"920350\"] [rev \"2\"] [msg \"Host header is a numeric IP address\"] [data \"192.168.1.4\"] [severity \"WARNING\"] [ver \"OWASP_CRS/3.0.0\"] [maturity \"9\"] [accuracy \"9\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\"] [tag \"WASCTC/WASC-21\"] [tag \"OWASP_TOP_10/A7\"] [tag \"PCI/6.5.10\"] [hostname \"192.168.1.4\"] [uri \"/icons/ubuntu-logo.png\"] [unique_id \"W5DlpM2Wi6dQgDWwMFAVXQAAAAU\"], referer: http://192.168.1.4/",
    "host": {
      "name": "ubuntu"
    },
    "offset": 53206,
    "type": "access",
    "beat": {
      "name": "ubuntu",
      "hostname": "ubuntu",
      "version": "6.4.0"
    },
    "input": {
      "type": "log"
    },
    "@version": "1",
    "source": "/var/log/apache2/error.log",
    "clientip": "192.168.1.3",
    "@timestamp": "2018-09-06T08:30:37.753Z",
    "tags": [
      "beats_input_codec_plain_applied"
    ]
  },
  "fields": {
    "@timestamp": [
      "2018-09-06T08:30:37.753Z"
    ]
  },
  "sort": [
    1536222637753
  ]
}

This is my json log when %{IP:clientip} is applied.
anything else wont workhere.

This works fine:

$ cat test.config 
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  grok {
    match => {
      "message" => '\[msg %{QS:msg}\] \[data "%{IP:clientip}"\]'
    }
  }
}
$ cat data 
Thu Sep 06 14:00:28.444298 2018] [:error] [pid 16662:tid 139672042850048] [client 192.168.1.3:54909] [client 192.168.1.3] ModSecurity: Warning. Pattern match "^[d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.1.4"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.4"] [uri "/icons/ubuntu-logo.png"] [unique_id "W5DlpM2Wi6dQgDWwMFAVXQAAAAU"], referer: http://192.168.1.4/", 
$ /opt/logstash/bin/logstash -f test.config < data
Settings: Default pipeline workers: 8
Pipeline main started
{
       "message" => "Thu Sep 06 14:00:28.444298 2018] [:error] [pid 16662:tid 139672042850048] [client 192.168.1.3:54909] [client 192.168.1.3] ModSecurity: Warning. Pattern match \"^[d.:]+$\" at REQUEST_HEADERS:Host. [file \"/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"810\"] [id \"920350\"] [rev \"2\"] [msg \"Host header is a numeric IP address\"] [data \"192.168.1.4\"] [severity \"WARNING\"] [ver \"OWASP_CRS/3.0.0\"] [maturity \"9\"] [accuracy \"9\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\"] [tag \"WASCTC/WASC-21\"] [tag \"OWASP_TOP_10/A7\"] [tag \"PCI/6.5.10\"] [hostname \"192.168.1.4\"] [uri \"/icons/ubuntu-logo.png\"] [unique_id \"W5DlpM2Wi6dQgDWwMFAVXQAAAAU\"], referer: http://192.168.1.4/\", ",
      "@version" => "1",
    "@timestamp" => "2018-09-06T08:46:36.031Z",
          "host" => "lnxolofon",
           "msg" => "\"Host header is a numeric IP address\"",
      "clientip" => "192.168.1.4"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}

That works on a log
[Fri Sep 07 11:47:08.881113 2018] [:error] [pid 695:tid 139704783517440] [client 192.168.1.3:50517] [client 192.168.1.3] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "792"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.1.12"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.12"] [uri "/"] [unique_id "W5IX5H8AAQEAAAK37poAAAAX"]

But don't work on the log

[Fri Sep 07 11:47:08.884151 2018] [:error] [pid 695:tid 139704783517440] [client 192.168.1.3:50517] [client 192.168.1.3] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<script>: <script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "192.168.1.12"] [uri "/"] [unique_id "W5IX5H8AAQEAAAK37poAAAAX"]

here am getting grokparsefailure.
The ip we are receiving here is server ip. Can change variable to client ip.
if you could help look into this also, it will most helpful.

I don't understand which parts of that log message you want to extract.

[client 192.168.1.3] and [msg "XSS Attack Detected via libinjection"] [data "Matched Data:
XSS data found within ARGS_NAMES:: "] and [severity "CRITICAL"]

This should work:

\[client %{IP:clientip}\] .* \[msg %{QS:msg}\] \[data %{QS:whatever}\] \[severity %{QS:severity}\]