One of the fun things about Graylog is you are now also a MongoDB and Elasticsearch/OpenSearch administrator.
If you are interested in moving your data around, some helpful resources:
MongoDB
MongoDB doesn’t (or really shouldn’t) consume much disk space. It holds configuration data but does not store any log data, which accounts for the majority of disk usage of a Graylog cluster. (The exception to this would be the auditlog, but I’m assuming you are using Graylog Open Source, which doesn’t utilize this feature.)
You can configure the database path using the storage.dbPath property in the mongod.conf config file, which I believe defaults to /etc/mongod.conf
Be sure to make sure your folder owner and permissions are kept the same.
Indexers (either Elasticsearch or OpenSearch)
The indexer is the primary data store for your log data and as such will make up almost the entirety of your disk usage for a Graylog cluster.
Both Elasticsearch and OpenSearch also have configurable data paths.
Elasticsearch
Using path.data.
See Configuring Elasticsearch | Elasticsearch Guide [7.10] | Elastic for config file locations.
Be sure to make sure your folder owner and permissions are kept the same.
OpenSearch
Similar to Elasticsearch, you can also configure the data path using the path.data attribute.
OpenSearch config file defaults to /etc/opensearch/opensearch.yml
Be sure to make sure your folder owner and permissions are kept the same.
General Tips about disk usage
While logs can consume a lot of disk usage, you can use retention strategies to make disk usage more predictable and even configure it so you don’t have logs take up more than X% of disk space (say 90%).
You’ll want to use an ‘Index Size’ rotation strategy and set the size and number of indices below what your disk space allows.
Here is a blog post that touches on this, although it doesn’t specifically talk about the ‘Index Size’ rotation strategy: Log Indexing and Rotation for Optimized Archival in Graylog
Hope that helps!
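
Added example, not part of the original post: a shell check that the owner, group and mode of every entry under a relocated data directory still match the old one, which is the condition the post repeats for storage.dbPath and path.data. It assumes GNU find and stat (as on typical Linux hosts); the function names and the example paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: verify that owner, group and mode survived a data-directory move.
# Assumes GNU coreutils (stat -c) and GNU find. Run it as root so every entry
# is readable. Function names and the paths below are hypothetical.

# Print "owner:group mode ./relative/path" for every entry under a directory,
# sorted by path so two trees can be compared line by line.
perm_manifest() {
    ( cd "$1" && find . -exec stat -c '%U:%G %a %n' {} + ) | LC_ALL=C sort -k3
}

# Compare the manifests of the old and new data directories.
# Prints the differing entries ("<" is the old tree, ">" is the new tree)
# and returns 0 only when ownership and modes are identical.
compare_perms() {
    cp_old=$(mktemp)
    cp_new=$(mktemp)
    perm_manifest "$1" > "$cp_old"
    perm_manifest "$2" > "$cp_new"
    cp_rc=0
    diff "$cp_old" "$cp_new" || cp_rc=$?
    rm -f "$cp_old" "$cp_new"
    return "$cp_rc"
}

# Usage (hypothetical paths): sh check_perms.sh /var/lib/opensearch /data/opensearch
if [ "$#" -eq 2 ]; then
    if compare_perms "$1" "$2"; then
        echo "OK: owner, group and mode match for every entry"
    else
        echo "MISMATCH: fix ownership or modes before starting the service" >&2
        exit 1
    fi
fi
```

Run it after copying the data and before pointing the service at the new path; a mismatch that loosens a mode exposes stored log data to other local users, and one that changes the owner usually keeps the service from starting.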