Auditbeat login dataset generates xxxx indices


Just activated the login dataset on a few 100 hosts and noticed some time thereafter that all of a sudden I have 100+ extra indices, one for each day ranging from 2018 untill today..

There should be a way to limit the number of days for which login events are indexed or this could possibly create some messy situations. Luckily I had some spare heap.. :slight_smile:

An option should be created imho which ignore login events 'older then x days / hours, like there is in Winlogbeat.


  • name: Application
    ignore_older: 72h
  • name: System
    ignore_older: 72h



This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.