Rsyslog+ELK Integration

You should start a new thread which is specific to your grok question. It's out of the scope of the original question here.

Also, this is why I do not send anything but syslog through syslog, or rsyslog, or any other variant. Though the following link is 3 years old, the configuration details on how to get Apache to log in JSON are still valid: http://untergeek.com/2013/09/11/getting-apache-to-output-json-for-logstash-1-2-x/

NOTE: Do NOT use the Logstash configuration from the above link, as it is outdated, 3 years' worth. The above link is only for a reference to getting Apache to log in JSON.

In all honesty, I'd get Apache to log in JSON, and then have Filebeat send it to Logstash for further parsing. Centralizing all logs is a worthy goal, but in my opinion, syslog should only be storing syslog, not Apache or any other format.
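
A sketch of the Apache side of the approach recommended above, as an added example that is not part of the original post or the linked article. The log file name, the format nickname `json_access` and the JSON field names are assumptions; the `%` directives are standard mod_log_config format strings.

```apache
# Added example: write the access log as one JSON object per line so the
# shipper can forward it without grok parsing. Field names, the nickname
# "json_access" and the file name are assumptions, not taken from the post.
#
# %B is used instead of %b: %b logs "-" for an empty response body, which
# would make "bytes" an invalid JSON number. %D is the request duration in
# microseconds. %>s is the final status after internal redirects.
#
# Escaping caveat: in %{...}i header values Apache escapes double quotes and
# backslashes with a backslash, but writes non-printable bytes as \xhh,
# which is not a valid JSON escape. A request carrying such bytes in the
# Referer or User-Agent produces a line that fails JSON decoding, so the
# pipeline should tag and keep those lines rather than drop them.
LogFormat "{ \"@timestamp\": \"%{%Y-%m-%dT%H:%M:%S%z}t\", \"clientip\": \"%a\", \"user\": \"%u\", \"method\": \"%m\", \"uri\": \"%U%q\", \"protocol\": \"%H\", \"status\": %>s, \"bytes\": %B, \"duration_us\": %D, \"referer\": \"%{Referer}i\", \"agent\": \"%{User-Agent}i\" }" json_access

# Keep this alongside (not instead of) any existing CustomLog until the
# downstream pipeline has been confirmed to parse the JSON lines.
CustomLog "logs/access_json.log" json_access
```

Lines that fail to decode are worth alerting on in their own right, since they are the requests that carried unusual bytes in a header.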