If you want Auditbeat to connect to a cluster that has X-Pack Security enabled, there are extra configuration steps.
To send data to a secured cluster through the
Auditbeat needs to authenticate as a user who can manage index templates,
monitor the cluster, create indices, and read, and write to the indices
it creates. See Configuring Authentication Credentials for Auditbeat.
If encryption is enabled on the cluster, you also need to enable HTTPS in the Auditbeat configuration. See Configuring Auditbeat to use Encrypted Connections.
In addition to configuring authentication credentials for the Auditbeat itself, you need to grant authorized users permission to access the indices it creates. See Granting Users Access to Auditbeat Indices.
For more information about X-Pack Security, see Securing Elasticsearch and Kibana.