Extend Disk Size in installation not OVA

Dear All,

I want to add a second disk to store logs to my installation. I looked at http://docs.graylog.org/en/2.4/pages/configuration/graylog_ctl.html#extend-disk-space, but this applies to an OVA image provided by Graylog.

My install is Graylog 2.4.6 on Ubuntu, installed via deb. On my box there is no directory at /var/opt/graylog/data.

I looked in the server.conf to see if I could see where the data is being stored, but I did not find anything.

Can you tell me where Graylog stores data on a DEB or RPM based installation that is not an OVA?

Kind Regards

Magneton

Hi

Graylog doesn’t store data. (OK, it is not really true.)
Elasticsearch stores the logs behind GL, and MongoDB the config.
By default, Elasticsearch stores data at /var/lib/elasticsearch

So check your /etc/elasticsearch/elasticsearch.yml file

path.data: /var/lib/elasticsearch
1 Like

Hey @Magneton

as already written by @macko003 - if you have installed the OS and used the packages to install, you can just use the ‘normal’ OS way to extend the partition where the data is stored. How this can be done is very specific, as every installation can be custom.

If you have LVM, just extend the drive with the newly added space. Should you have only one big partition and no LVM, create a new partition and add the data path to the Elasticsearch configuration.
Those are only two possible options - which one works depends on too many variables.

1 Like

Hi Jan and @macko003,

It is not set in my config, but appears to default to /var/lib/elasticsearch

So my idea would be as follows:-

  1. Create a single ext4 file system on the 2nd drive
  2. Shut down the elasticsearch and graylog services
  3. Mount the 2nd drive at, say, /opt/siem-data
  4. Copy the data in /var/lib/elasticsearch to /opt/siem-data
  5. Change the elasticsearch config to point to the new location
  6. Restart the elasticsearch and graylog services

I will try this and report back

Kind Regards

Jake

Your plan should work without issues - but no need to restart/stop Graylog - it will use the journal while Elasticsearch is down and should resume ingesting messages to Elasticsearch once it is up again.
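
The plan discussed above, written out as a script. This is an added example, not code posted by anyone in the thread, and it leaves Graylog running as the last reply suggests. Assumptions: a systemd-managed deb install, an ext4 filesystem already created on the new partition (step 1), and a hypothetical `elasticsearch` subdirectory of the mount used as the data path so that `lost+found` stays outside it.

```bash
#!/bin/sh
# Added example, not from the thread. Paths other than /opt/siem-data,
# /var/lib/elasticsearch and the elasticsearch.yml location are assumptions.
ES_YML=/etc/elasticsearch/elasticsearch.yml
OLD=/var/lib/elasticsearch
MNT=/opt/siem-data
NEW=$MNT/elasticsearch

# Point path.data at $2 in the config file $1. Any existing path.data line,
# active or commented out, is dropped first so the key is never duplicated;
# a config that never set the key simply gets the line appended.
set_path_data() {
    _tmp=$(mktemp) || return 1
    grep -Ev '^[[:space:]]*#?[[:space:]]*path\.data:' "$1" > "$_tmp" || true
    cat "$_tmp" > "$1"            # rewrite in place: keeps the file's owner and mode
    rm -f "$_tmp"
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
    printf 'path.data: %s\n' "$2" >> "$1"
}

# Succeeds only if $2 has the same files, content, owner and mode as $1.
same_tree() {
    diff -r "$1" "$2" > /dev/null || return 1
    [ "$(cd "$1" && find . -exec stat -c '%n %U:%G %a' {} + | sort)" = \
      "$(cd "$2" && find . -exec stat -c '%n %U:%G %a' {} + | sort)" ]
}

# Steps 2-6 of the plan. $1 is the new partition (placeholder, e.g. /dev/sdX1).
migrate() {
    [ -n "$1" ] || return 1
    systemctl stop elasticsearch || return 1
    mkdir -p "$MNT" && mount -o nodev,nosuid "$1" "$MNT" || return 1
    [ ! -e "$NEW" ] || return 1       # refuse to copy into an existing directory
    cp -a "$OLD" "$NEW" || return 1   # -a preserves ownership, modes and timestamps
    if ! same_tree "$OLD" "$NEW"; then
        echo "copy differs from source; config left unchanged" >&2
        return 1
    fi
    set_path_data "$ES_YML" "$NEW"
    systemctl start elasticsearch
}
```

Run `migrate` as root with the new partition as its argument, and add the matching `/etc/fstab` entry before the next reboot. Remove the old copy under /var/lib/elasticsearch only once Elasticsearch reports its indices from the new path.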
