Hi @nopma - services like pam and openssh send login events to auditd by default, and that is likely what you are seeing. You could configure Auditbeat to drop those events using a drop_event processor.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.