Graylog doesn’t store data. (ok, it is not really true)
An Elasticsearch stores the logs behind GL, and a mongodb the config.
Default the elasticsearch stores data at /var/lib/elasticsearch
So check your /etc/elasticsearch/elasticsearch.yml file
as already written by @macko003 - if you have installed the OS and used the packages to install, you just use can use the ‘normal’ OS way to extend the partition where the data is stored. How this can be done is very specific as every installation can be custom.
If you have LVM, just extend the drive with the new added space. Should you have only one big partition and no LVM, create a new Partition and add the data-path to the elasticsearch configuration.
Those are only two possible options - which one works depends of to many variables.
you plan should work without issues - but no need to restart/stop Graylog - it will use the journal while elasticsearch is down and should resume ingesting messages to elasticsearch once it is up again.
