We're on Elastic 8.8.1 and about to upgrade to 8.11.3.
Since we have a lot of issues with Elastic Agents on our Windows boxes, esp. when endpoint or agent is being reloaded but also with high CPU utilization (mostly due to endpoint/defend), we really don't want any "change" to apply to all agents simultaneously. In the changelog for 8.11, it says compression_level is being set to 0.
We consider creating a second output for Elastic, setting compression_level: 0 in Advanced YAML; we just need to make sure that compression_level will change when the agents on the servers are being upgraded from 8.5.2 to 8.11.3, and that we can safely upgrade our Fleet Server to 8.11.3 without risk of any changes applying to the agents.
Compression level was available in 8.8, as visible in the docs here: Configure the Elasticsearch output | Fleet and Elastic Agent Guide [8.8] | Elastic. As it was available in 8.8, whatever setting you apply will apply to all managed agents. Whether that setting you apply represents a change from the current value will depend on the agent version.
From the release notes:
The default compression level for Elasticsearch outputs is changing from 0 to 1.
Prior to 8.11 the default was 0 and starting in 8.11.0 the new default is 1.
Please note this does not impact CPU usage for Elastic defend.
It's also worth noting that the 25% CPU increase referenced is for a worst case scenario of Filebeat pulling logs from a file, performing zero processing on them, and then outputting them to Elasticsearch.
In the case of Winlogbeat, Auditbeat and Packetbeat, the overall CPU impact is significantly lower, as those Beats spend a lot of CPU time collecting and processing messages and comparatively less CPU time writing them to Elasticsearch, and so the overall CPU impact from compression is much lower.