Just activated the login dataset on a few 100 hosts and noticed some time thereafter that all of a sudden I have 100+ extra indices, one for each day ranging from 2018 untill today..
There should be a way to limit the number of days for which login events are indexed or this could possibly create some messy situations. Luckily I had some spare heap..
An option should be created imho which ignore login events 'older then x days / hours, like there is in Winlogbeat.
- name: Application
- name: System