On all servers, I use Filebeat and Auditbeat. While I use filebeat for all sorts of things - I only use auditbeat to ship system logins (who attempted to log-on, from where, successful or not). It comes with Auditbeat's default dashboard "Login Dashboard ECS".
Problem is, I have about 10 CentOS 5 machines that can only run Filebeat (Auditbeat is not working on it).
Is it possible to ship the same data with Filebeat? This is an example of what a login entry looks like from Auditbeat:
Login by user root (UID: 0) on pts/0 (PID: 1715) from 172.19.14.55 (IP: 172.19.14.55)
Also, is it possible to have the data end up in the same Auditbeat dashboard?