Questions re elksiem

There is a lot to unpack in these questions.

First there will be different "architectures" for poc/dev/test vs production but I will assume we are just trying to POC at first.

Assuming you are trying to do the simplest POC, often folks install elasticsearch and kibana on the same host using all the defaults. And as I think you noticed, elasticsearch is bound to localhost by default for a number of reasons. Note this is not a production architecture.

Take a look at this post that I wrote up a while ago... this is on Windows but the concepts are the same.

Beats are installed on any host you want to monitor and they ship data to elasticsearch, and yes for both a POC/Test/Dev and in Production installing beats on the elasticsearch host is totally valid but not required.

NOTE: So if elasticsearch is in localhost only mode, i.e. not on the network, then auditbeat (any beat) on another host will not be able to ship data to that elasticsearch, not until it is connected to the network interface.

Yes, you can put elasticsearch, kibana, and auditbeat all on the same host, change no settings and it will (should) all work OOTB.

One change you might want to make is in the kibana.yml: set server.host: to the network ip to bind to, that way you could reach kibana from another box. This is not to be confused with the elasticsearch.hosts: which you should leave commented out in this localhost mode.

Me, I tend to recommend installing all 3 using the tar.gz / linux instructions just to get everything running once and see it. If that works, then try installing via a package manager.

It appears that you have done some YUM installs; if you want to keep using those then those will need to be started as a service. Also I have seen a number of times when folks install by apt / yum etc... give up and then have other struggles because they did not remove them and more than one elasticsearch, kibana or auditbeat tries to start.

With respect to on prem vs cloud and with respect to beats installation, configuration and running there is no difference except for the connection info.

Cloud (which is just a shorthand / all in one connection string):

cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "auditbeat_setup:YOUR_PASSWORD" 

On Prem (which you would not change if you are doing the localhost POC; the defaults will work).
Note this is an example of a formal setup where auditbeat would have its own user / pw.

output.elasticsearch:
  hosts: ["myEShost:9200"]
  username: "auditbeat_internal"
  password: "YOUR_PASSWORD" 

...

setup.kibana:
  host: "mykibanahost:5601"
  username: "my_kibana_user"
  password: "{pwd}"

Hope this helps you get a little further...
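
The post calls cloud.id a shorthand connection string. The added example below (not part of the original post, and not Elastic's own code) decodes the sample value to show the endpoints it stands for. It assumes the layout `<label>:base64(<host>[:port]$<es_id>[$<kibana_id>])` with HTTPS and default port 443; the function name `decode_cloud_id` is hypothetical.

```python
import base64
import binascii

# cloud.id sample value copied from the post above.
CLOUD_ID = ("staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMz"
            "YmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw==")


def decode_cloud_id(cloud_id, default_port="443"):
    """Expand a cloud.id into the Elasticsearch and Kibana URLs it encodes.

    Assumed layout: "<label>:" + base64("<host>[:port]$<es_id>[$<kibana_id>]").
    """
    # The label is optional; the payload is whatever follows the last colon.
    label, _, payload = cloud_id.rpartition(":")
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"cloud.id payload is not base64 text: {exc}") from exc

    parts = decoded.split("$")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("expected <host>$<es_id>[$<kibana_id>] after decoding")

    # The host part may carry its own port; otherwise use the default.
    host, _, port = parts[0].partition(":")
    port = port or default_port

    def url(component_id):
        return f"https://{component_id}.{host}:{port}"

    kibana_id = parts[2] if len(parts) > 2 and parts[2] else None
    return {
        "label": label,
        "elasticsearch": url(parts[1]),
        "kibana": url(kibana_id) if kibana_id else None,
    }


if __name__ == "__main__":
    for key, value in decode_cloud_id(CLOUD_ID).items():
        print(f"{key}: {value}")
```

The decoded value contains only endpoint names, so cloud.id is an address rather than a secret; the credential is the cloud.auth line (or username / password in the on-prem form), and that is the value to keep out of shared configs.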