That's kind of the tough part: since this is AWS-hosted ES, I don't have access to the logs.  

My Logstash config looks like this:

    # Listen for events from Beats shippers on TCP port 5044.
    # NOTE(review): no TLS settings appear in this block, so as written the
    # listener takes unencrypted, unauthenticated connections from any host that
    # can reach the port. Confirm the port is network-restricted, or enable TLS
    # with client-certificate verification on the beats input.
    input {
      beats {
        port => 5044
      }
    }

    # Enrich every event with a static field, then parse Apache access and error
    # log lines (events whose [fileset][module] is "apache2") into structured
    # [apache2][...] fields.
    filter {
      # Applied to every event, whatever its module: adds myfield = "stuff".
      mutate {
        add_field => {
            "myfield" => "stuff"
        }
      }
      if [fileset][module] == "apache2" {
        if [fileset][name] == "access" {
          # Two patterns are tried in order: a full request line with optional
          # quoted referrer and agent, then a line whose request is just "-".
          # remove_field only runs when a pattern matches; on failure the event
          # keeps "message" and grok tags it (_grokparsefailure by default), which
          # is worth searching for when parsed fields are missing.
          # NOTE(review): the first pattern escapes brackets as \[ and the second
          # as \\[ -- confirm both forms match as intended.
          # user_name, url, referrer and agent are client-supplied text; treat
          # them as untrusted wherever they are later displayed or queried.
          grok {
            match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
              "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
            remove_field => "message"
          }
          # Copy the current @timestamp into read_timestamp before the date
          # filter below replaces @timestamp with the time parsed from the log.
          mutate {
            add_field => { "read_timestamp" => "%{@timestamp}" }
          }
          # Parse the request time from the log line; the date filter writes to
          # @timestamp by default. The source field is dropped on success.
          date {
            match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
            remove_field => "[apache2][access][time]"
          }
          # Expand the raw User-Agent string into [apache2][access][user_agent]
          # and drop the raw string once parsed.
          useragent {
            source => "[apache2][access][agent]"
            target => "[apache2][access][user_agent]"
            remove_field => "[apache2][access][agent]"
          }
          # Look up the client address and store the result under
          # [apache2][access][geoip]; remote_ip itself is kept.
          geoip {
            source => "[apache2][access][remote_ip]"
            target => "[apache2][access][geoip]"
          }
        }
        else if [fileset][name] == "error" {
          # Two error-log layouts are tried in order:
          #   [time] [level] [client ip]? message
          #   [time] [module:level] [pid N(:tid N)?] [client ip]? message
          # The second captures its text into message1 so the two patterns do not
          # write the same field; the mutate below renames it to message.
          # APACHE_TIME is a custom pattern defined inline via pattern_definitions.
          # As above, "message" is removed only when a pattern matches.
          grok {
            match => { "message" => ["\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{LOGLEVEL:[apache2][error][level]}\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message]}",
              "\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{DATA:[apache2][error][module]}:%{LOGLEVEL:[apache2][error][level]}\] \[pid %{NUMBER:[apache2][error][pid]}(:tid %{NUMBER:[apache2][error][tid]})?\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message1]}" ] }
            pattern_definitions => {
              "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
            }
            remove_field => "message"
          }
          # Normalise the second pattern's message1 capture to the common field name.
          mutate {
            rename => { "[apache2][error][message1]" => "[apache2][error][message]" }
          }
          # Accept the error timestamp with or without fractional seconds; the
          # source field is dropped once parsed.
          date {
            match => [ "[apache2][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]
            remove_field => "[apache2][error][timestamp]"
          }
        }
      }
    }

    # Send events to an Amazon Elasticsearch Service domain in us-west-2 through
    # the amazon_es output plugin.
    # NOTE(review): no credentials are set in this block; presumably the plugin
    # resolves them from the AWS default credential chain (environment variables,
    # instance profile) -- confirm, and prefer an IAM role over static keys
    # written into this file.
    # The index name is built from [@metadata][beat] and [@metadata][version]
    # plus the event date, so it depends on metadata that arrives with the Beats
    # event. Events lacking those fields would get the literal, unexpanded
    # %{...} text in the index name -- worth checking when indices look wrong.
    output {
      amazon_es {
        hosts => ["MY-ES-CLUSTER.us-west-2.es.amazonaws.com"]
        region => "us-west-2"
        index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      }
    }
