If I stop logstash service, then I can see under the /var/log/filebeat/filebeat, these messages:
I'm quite confused 
This is how my logstash (server with ip 172.16.1.172)input looks. (/etc/logstash/conf.d/10_input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate_authorities => ["/etc/logstash/certs/logstash_ca.pem"]
ssl_certificate => "/etc/logstash/certs/elasticstack01.essi.lab.pem"
ssl_key => "/etc/logstash/certs/elasticstack01.essi.lab.pk8"
ssl_verify_mode => "force_peer"
}
}
Although, it also works like this:
input {
beats {
port => 5044
}
}
These are the relevant pieces of my /etc/filebeat/filebeat.yml (my client server with ip 172.16.1.68)
filebeat.inputs:
- type: log
enabled: true
paths:
- /opt/zimbra/log/mailbox.log
multiline.pattern: ^\d{4}-\d{2}-\d{2}
multiline.negate: true
multiline.match: after
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: true
reload.period: 5s
setup.template.settings:
index.number_of_shards: 6
output.logstash:
hosts: ["elasticstack01.essi.lab:5044"]
ssl.certificate_authorities: ["/etc/filebeat/certs/logstash_ca.pem"]
ssl.certificate: "/etc/filebeat/certs/zimbrastore01.essi.lab.pem"
ssl.key: "/etc/filebeat/certs/zimbrastore01.essi.lab.key"
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
Sorry the indentetation is not looking great...I still don't know how to make it look better in this forum 
Again, the ssl part in this filebeat.yml, is not required unless you are using it for your logstash too. Beside that ssl thing, mine is pretty much a default installation.
Maybe you are able to find something under /var/log/filebeat/filebeat from the server where you are trying to send the logs from. Or you could try to see if you see any error in your logstash server under /var/log/logstash/logstash-plain.log.
I also see under the filebeat.yml, that you have a "debug" option, maybe you can enable it in the server you are trying to send the logs from, and see if it throws some more light, maybe?