I don't see anything in your configuration that would provide that protection.
Your TLS setup is:
- encrypting the communication
- ensuring that Beats is talking to the real Logstash server
But it does not prevent additional (rogue) Beats clients from connecting to that Logstash port.
For that you want to enable (and enforce) client certificates.
See:
- Logstash ssl_verify_mode (you want force_peer)
- Logstash ssl_certificate_authorities
- Winlogbeat ssl.certificate
- Winlogbeat ssl.key
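
An added example, not part of the original answer: a small Python check over Logstash pipeline text that reports any beats input which would still accept a client without a certificate. The sample configs and file paths are constructed, and the regex parsing assumes no nested braces or inline `#` comments inside the beats block.

```python
import re

# Constructed sample: TLS is on, but nothing asks clients for a certificate.
# File paths are placeholders.
WEAK = '''
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}
'''

# Same input plus the two Logstash options named in the answer.
HARDENED = WEAK.replace(
    "ssl => true",
    'ssl => true\n'
    '    ssl_verify_mode => "force_peer"\n'
    '    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]',
)


def beats_inputs(conf):
    """Return one {option: raw value} dict per `beats { ... }` block."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop whole-line comments
    blocks = re.findall(r"\bbeats\s*\{(.*?)\}", conf, flags=re.S)
    return [dict(re.findall(r"(?m)^\s*(\w+)\s*=>\s*(.+?)\s*$", b)) for b in blocks]


def audit(conf):
    """List (block index, option, problem) for inputs that admit rogue clients."""
    findings = []
    for i, opts in enumerate(beats_inputs(conf)):
        if opts.get("ssl", "false").strip('"') != "true":
            findings.append((i, "ssl", "TLS is not enabled"))
        # Default is "none"; "peer" still lets a client connect without a cert.
        mode = opts.get("ssl_verify_mode", "none").strip('"')
        if mode != "force_peer":
            findings.append((i, "ssl_verify_mode", f"{mode!r} does not require a client cert"))
        # force_peer needs a CA list to validate client certificates against.
        if not re.search(r'"[^"]+"', opts.get("ssl_certificate_authorities", "")):
            findings.append((i, "ssl_certificate_authorities", "no CA configured"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "client certificates enforced")
```
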