I have just installed a single-node Graylog system, an appliance running on VMware, and need to increase the amount of stored messages the system will handle. Do I need to just keep adding Graylog nodes? Or can I increase the size of the drive? I saw an article to add another virtual drive, and then connect the log folder to that drive. Is that still valid?
Extending the HDD size would probably be the simplest option. You have more options, depending on the filesystem structure:
- If you use LVM, add drive, create partition (or use whole disk) to PV, extend VG, extend LV, expand filesystem
- If you use LVM, expand drive, expand partition, expand VG, extend LV, expand filesystem
- If you use simple partitions, expand drive, expand partition, expand filesystem
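The three paths listed in the reply above, written out as commands. This is an added example, not part of the original thread; the disk, volume group and logical volume names are assumptions, and sd-style partition naming (disk name followed by the partition number) is assumed.

```bash
#!/usr/bin/env bash
# Added example. All device, VG and LV names passed in are assumptions;
# check yours with lsblk, vgs and lvs first.
# Prints the command plan by default; set APPLY=1 and run as root to execute.

run() {  # print the command, execute it only when APPLY=1
    echo "+ $*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Path 1: LVM, a new virtual disk was attached to the VM
lvm_add_disk() {  # args: new_disk vg lv_path
    run pvcreate "$1"                     # whole disk becomes a PV
    run vgextend "$2" "$1"                # add the PV to the volume group
    run lvextend -r -l +100%FREE "$3"     # grow the LV; -r also grows the filesystem
}

# Path 2: LVM, the existing virtual disk was enlarged
lvm_grow_disk() {  # args: disk partition_number lv_path
    run growpart "$1" "$2"                # grow the partition into the new space
    run pvresize "${1}${2}"               # PV (and with it the VG) picks up the space
    run lvextend -r -l +100%FREE "$3"
}

# Path 3: plain partition, no LVM
plain_grow_disk() {  # args: disk partition_number mountpoint fstype
    run growpart "$1" "$2"
    case "$4" in
        ext2|ext3|ext4) run resize2fs "${1}${2}" ;;   # ext* is resized by device
        xfs)            run xfs_growfs "$3" ;;        # XFS is resized by mount point
        *) echo "unsupported filesystem: $4" >&2; return 1 ;;
    esac
}

# Dry-run of path 1 with constructed names
lvm_add_disk /dev/sdb graylog-vg /dev/graylog-vg/root
```

Take a VM snapshot or backup before running with APPLY=1, and confirm the result with `df -h` on the Elasticsearch data path.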
The simple answer is to add more space to your Elasticsearch node (which is also your Graylog node). The best way to do that depends on a few things.
- How much space are you adding?
- Is this a one time thing or do you think you may need to do this again in the future?
- How much data are you currently ingesting? Below 5GB? Get a free enterprise license and check out the archive feature.
- Are you concerned with performance?
- What retention and redundancy do you require?
Perhaps you should consider separating Graylog and Elasticsearch now, and scaling Elasticsearch horizontally becomes mostly trivial in the future.