In TLS certificates are normally provided by the Server (logstash in this case) to the client and the client has to validate the certificate. Once handshake and certificate validation succeed, communication will be encrypted. It's the same technology used in https for example. This part is support in beats and logstash.
There exists a second optional mode in TLS the server asking the client for the client certificate. If server asks for client-certificate, the client will send it's own certificate to the server and the server has to validate the certificate. Since client-auth is optional, it has no effect on the connection being encrypted. This mode is not support in logstash server.