I suppose that I could use FileBeat on the edge sending (large) /var/log/wtmp to a cluster local LogStash concentrator,
then use LogStash concentrator to expand the wtmp and drop the "old news" before forwarding on the data.
This scenario would give me the lightweight Beat on the edge,
filter out pointless data on a local concentrator node where the CPU hit won't matter so much
saving me from sending large swaths of data across to my (not-local) data sea..