Auditbeat sends unencrypted data

I have two beats on each server. Filebeat and auditbeat. I set up filebeat output to logstash and auditbeat output to elasticsearch. Filebeat encryption works fine. Now I'm setting up auditbeat's encryption.

I have copied this output from filebeat to auditbeat.yml:

output.elasticsearch:               
  # Array of hosts to connect to.
  hosts: ["91.242.11.225:9200"] # Not the real IP

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "password" # Not the real password
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk/beats.crt"

  # Client Certificate Key
  ssl.key: "/etc/elk/beats.key"
  ssl.key_passphrase: "password" # Not the real password
  ssl.verification_mode: full

But when I ngep, I see it ships data to 9200 unencrypted. Am I missing something? Thanks ahead!