20. 06. 2025 Reinhold Trocker Unified Monitoring

Elastic Integration with Huge Memory Usage? Keep That Host Accessible!

In some environments, Elastic Agent integrations can unexpectedly consume excessive memory. This can be due to various reasons: misbehaving integrations, memory leaks, or simply under-provisioned hosts. When this happens, the Linux Kernel may invoke the OoM (Out of Memory) killer of systemd, terminating the Elastic Agent service and usually, disrupting data ingestion.

How to Detect the Issue

System Logs

If your Elastic Agent is being killed unexpectedly, check the system logs:

# grep -i out.of.memory /var/log/messages{-*,} |tail
...
/var/log/messages-20250605:Jun  5 14:21:11 HOSTNAME kernel: Memory cgroup out of memory: Killed process 3481 (agentbeat) total-vm:35608848kB, anon-rss:28517004kB, file-rss:69696kB, shmem-rss:0kB, UID:0 pgtables:62396kB oom_score_adj:0

This is a clear sign that your Agent exceeded available memory and was forcibly terminated.

System Load

Choose any method to monitor the system load; for example the CPU load check in NetEye Monitoring:

How to Prevent Unresponsive Hosts

The host becomes inaccessible due to huge loads. To safeguard your system, use  systemd‘s MemoryMax directive to cap the Elastic Agent’s memory usage. A good rule of thumb is to reserve 3 GB for the OS and other services, and allocate the rest to the Agent.

# create directory for elastic agent service custom values
mkdir -p /etc/systemd/system/elastic-agent.service.d

# for a system with 16 GB reserve maximum 13 GB for elastic agent
echo -e "[Service]\nMemoryMax=13G" > /etc/systemd/system/elastic-agent.service.d/memorymax.conf

# tell systemd to accept new config
systemctl daemon-reexec
systemctl daemon-reload
systemctl restart elastic-agent.service

This will keep the agent within safe memory limits, improving system stability and reliability.

Next Steps

The above suggestions only allow you to continue to access the machine that hosts the Elastic Agent. You’ll still have to investigate the underlying reason that it’s using too much memory.

If you want a quick solution, try to “throw money at it”, or in this case, throw memory at it: give the machine an additional 64 GB and limit the service to 64 GB. In my experience, 64 GB is usually enough for every process.

I found this behavior (using a lot of RAM) with the Elastic MISP integration. In the end, they gave the Elastic Agent service 45 GB, with the MISP integration subprocess using around 32 GB max.

These Solutions are Engineered by Humans

Did you find this article interesting? Does it match your skill set? Our customers often present us with problems that need customized solutions. In fact, we’re currently hiring for roles just like this and others here at Würth Phoenix.

Reinhold Trocker

Reinhold Trocker

IT professional, IT security, (ISC)2 CISSP, technical consultant

Author

Reinhold Trocker

IT professional, IT security, (ISC)2 CISSP, technical consultant

Latest posts by Reinhold Trocker

29. 01. 2025 Log Management, Log-SIEM
Understanding Headers in Elastic Agents: Normal Mode vs. Fleet Server Mode
12. 12. 2024 Log Management, Log-SIEM
Sample osquery Investigations for a Security Incident
08. 11. 2024 Log Management, Log-SIEM
Configuring EnvironmentFile for Elastic Agents on NetEye Nodes
24. 10. 2024 Log Management, Log-SIEM
Categories of documents – create more namespaces within an agent’s environment
16. 02. 2024 Log-SIEM, NetEye
Enabling Elastic Agents Upgrades in Restricted or Closed Networks
See All

Related Content

Tags: ,

29. 01. 2025 Log Management, Log-SIEM

Understanding Headers in Elastic Agents: Normal Mode vs. Fleet Server Mode

Elastic Agents are flexible and powerful tools used within the Elastic Stack for collecting and shipping logs, metrics, and other data to Elasticsearch. However, the headers they use can vary depending on whether they are running in "normal" mode or Read More
24. 10. 2024 Log Management, Log-SIEM

Categories of documents – create more namespaces within an agent’s environment

In the ever-evolving landscape of IT monitoring and management, the ability to efficiently handle multi-dimensional namespaces is crucial. Within NetEye, Log-SIEM (Elastic), provides a comprehensive solution for managing the single namespace dimension with the namespace of a data_stream. This blog Read More
16. 02. 2024 Log-SIEM, NetEye

Enabling Elastic Agents Upgrades in Restricted or Closed Networks

In this article, we’ll explore how to configure the “Agent Binary Download” setting and set up your own artifact registry for binary downloads within a NetEye cluster. Prerequisites Before we begin, ensure you have the following prerequisites in place: Your Elastic Agents Read More
28. 12. 2023 Log Management, Log-SIEM, NetEye

Monitor Fleet Elastic Agents with NetEye Extension Packs (NEP)

With the latest version of NetEye 4.33, the Fleet Server and ElasticAgent officially join the NetEye Elastic Stack (see NetEye 4.33 Release Notes ) Related to this new big feature, within the NetEye Extension Packs project we have provided new Read More
30. 11. 2023 Log Management, Log-SIEM, NetEye, Unified Monitoring

Monitor Your Elasticsearch Agents Registered in the Elastic Fleet Server

Say you're using the SIEM Module in NetEye and are deploying the Elasticsearch Agent to your clients. You'd surely like to know if those agents are still sending data and are still connected to the Elastic Fleet server. I had Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive