High RAM usage with Active Directory Entity Analytics integration on a 4GB RAM server

Elastic Stack Elasticsearch
1

Hello everyone,

I’ve run into an issue with excessive resource consumption by the Elastic Agent and am looking for advice on optimizing policies and limits.

Context: A customer has a server with very modest hardware specifications — only 4 GB of RAM. We have an Elastic Agent deployed there, and the agent policy includes the Active Directory Entity Analytics integration.

Problem: The customer is reporting that the agent process (and its underlying components) is consuming the most RAM on the server, starving other tasks of resources. I understand that 4 GB is extremely low for a server by today's standards, but upgrading the hardware is not an option right now, so we need to find a software-level workaround. It seems the heavy memory footprint is primarily driven by the data collection and LDAP queries originating from the AD Entity Analytics integration.

Questions:

  1. Are there any methods to hard-limit the RAM usage of the Elastic Agent in a Windows environment (e.g., via built-in agent settings or Windows OS mechanisms)?

  2. What specific parameters within the Active Directory Entity Analytics integration can be tweaked to reduce the memory footprint? Would significantly increasing the polling intervals or decreasing the batch sizes help?

  3. Are there any specific datasets, metrics, or endpoints in this integration that can be safely disabled to lower the overhead?

I would be very grateful for any recommendations, configuration examples, or links to specific documentation. Thanks in advance!

3

Quick update on this issue:

Since my original post, I've tried a few things to optimize the resource consumption.

I decided to offload the AD Entity Analytics integration entirely by moving it to our Fleet server. I also heavily tweaked the System integration on the AD server — I completely disabled log collection and turned off all unnecessary metrics.

Currently, there are only 3 integrations left running directly on this AD server:

  • Windows

  • System

  • Microsoft DNS Server

Despite these changes, the Elastic Agent process is still consuming around ~400MB of RAM, which is roughly the same footprint as before.

Has anyone managed to shrink the memory usage below this 400MB baseline? Are there any other hidden tweaks, agent-level configurations, or limits I can apply to make it consume less RAM in this specific scenario?