Yeah, I would agree with Stephen. It looks like you need to tell Winlogbeat which CAs to trust with output.elasticsearch.ssl.certificate_authorities.
And then because you are using IP addresses in the configuration to Winlogbeat, those servers' certificates need to contain an SAN for their IP.