High Disk Usage - /var/lib/elasticsearch/nodes/0/indices

[SP_11]

Hi,

I am facing some issue due to the high storage use of the below directory

/var/lib/elasticsearch/nodes/0/indices

it has used more than 14GB and due to that my root partition has no space left as a result whazuh is not operating.

Kindly let me know how can I overcome this disk usage.

Thank you

[elw...@wazuh.com]

Hello,

The mentioned directory is where Elasticsearch stores the indices and you can not delete those files directly as it will cause malfunctioning Elasticsearch. You should delete other files/directories to get more spaces until Elasticsearch starts again then delete the old indices using the API as follows:

• Check what indices you have : curl -XGET https://<ipwazuh>:9200/_cat/indices -k -u <user>:<pass>
  
• Delete the old ones (that would delete Wazuh alerts indices of the month April) : curl -XDELETE https://<ipwazuh>:9200/wazuh-alerts-4.x-2022.04.* -k -u <user>:<pass>
  

I hope this helps.

Regards,
Wali

[SP_11]

Hi,

Thanks for the response.

Is it possible to move this folder to a separate disk/partition where we have more free space and logically bind the folder path?

Thank you

[elw...@wazuh.com]

Hello,

You can indeed change the data directory by following below steps:

1.  Stop Elasticsearch node
   
   
2. Move Elasticsearch directory to the new one: mv /var/lib/elasticsearch /foo/bar
   
   
3. Then in elasticsearch.yml modify path.data to: path.data: /foo/bar
   
   
4. Start Elasticsearch.
   

I hope this helps.

Regards,
Wali