Hello,
Just activated the login dataset on a few 100 hosts and noticed some time thereafter that all of a sudden I have 100+ extra indices, one for each day ranging from 2018 untill today..
There should be a way to limit the number of days for which login events are indexed or this could possibly create some messy situations. Luckily I had some spare heap.. 
An option should be created imho which ignore login events 'older then x days / hours, like there is in Winlogbeat.
winlogbeat.event_logs:
- name: Application
ignore_older: 72h - name: System
ignore_older: 72h
Grtz
Willem