I have once again filled my /data partition up, causing Elastic to stop functioning. Is there a way I can change the config files to set it up so that I can either limit the size or automatically delete old files like Stenographer?

I understand at this point I’m gonna have to reinstall everything and increase my /data partition. I would just like to be able to use Rock consistently and not have to reinstall due to full disk space.


Filesystem                             Size  Used Avail Use% Mounted on
/dev/mapper/rocknsm-root                15G  5.4G  9.7G  36% /
devtmpfs                               6.9G     0  6.9G   0% /dev
tmpfs                                  6.9G     0  6.9G   0% /dev/shm
tmpfs                                  6.9G  759M  6.2G  11% /run
tmpfs                                  6.9G     0  6.9G   0% /sys/fs/cgroup
/dev/sda1                              509M  132M  378M  26% /boot
/dev/sda2                              512M  7.6M  505M   2% /boot/efi
tmpfs                                  6.9G  7.9M  6.9G   1% /tmp
/dev/mapper/rocknsm-var_log             15G  3.5G   12G  23% /var/log
/dev/mapper/rocknsm-data                45G   45G   20K 100% /data
/dev/mapper/rocknsm-home                10G   33M   10G   1% /home
/dev/mapper/rocknsm-data_stenographer  256G  196G   61G  77% /data/stenographer
tmpfs                                  1.4G     0  1.4G   0% /run/user/1000

Stenographer is self-managing. It deletes the old pcap, and in this setup it looks like steno is not full. I'm guessing that something else has filled up the /data partition. I would put bets on it being Elasticsearch. You can remove old logs via ILM based on size or time.

See: ILM: Manage the index lifecycle | Elasticsearch Reference [7.10] | Elastic
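An added example, not part of the original thread and not RockNSM's own configuration: a sketch of how the "size or time" advice above turns into an ILM policy body for a partition like the 45G /data shown in the df output. The 3 GiB/day index growth, the 70% fill target and the policy name placeholder are assumptions; measure your own growth rate on a single-node setup before using the numbers.

```python
import json
import math

GIB = 1024 ** 3

def build_ilm_policy(partition_bytes, daily_index_bytes,
                     target_fill=0.70, rollover_days=1):
    """Return (policy_body, retention_days) sized so indices fit the partition.

    ILM has no "cap total disk use" action: size only triggers rollover and
    deletion is by age, so the size budget is converted into a day count.
    Assumes roughly steady ingest (hypothetical helper, not an Elastic API).
    """
    if not 0 < target_fill < 1:
        raise ValueError("target_fill must be between 0 and 1")
    if daily_index_bytes <= 0 or rollover_days < 1:
        raise ValueError("daily_index_bytes and rollover_days must be positive")
    retention_days = math.floor(partition_bytes * target_fill / daily_index_bytes)
    # The delete phase's min_age counts from rollover, not index creation, so
    # the oldest document on disk is about rollover_days + min_age days old.
    delete_after = retention_days - rollover_days
    if delete_after < 1:
        raise ValueError("partition too small for this ingest rate")
    policy = {"policy": {"phases": {
        "hot": {"actions": {"rollover": {
            "max_age": f"{rollover_days}d",
            # Roll early on a burst: cap an index at one period's expected growth.
            "max_size": f"{math.ceil(daily_index_bytes * rollover_days / GIB)}gb",
        }}},
        "delete": {"min_age": f"{delete_after}d", "actions": {"delete": {}}},
    }}}
    return policy, retention_days

if __name__ == "__main__":
    # Constructed numbers: the 45G /data from the df output, assumed 3 GiB/day.
    body, days = build_ilm_policy(45 * GIB, 3 * GIB)
    print(f"# keeps about {days} days; PUT this to _ilm/policy/<policy-name>")
    print(json.dumps(body, indent=2))
```

The policy only acts on indices whose template sets `index.lifecycle.name` to the policy name (and `index.lifecycle.rollover_alias` for the rollover action), so existing indices that filled the disk are not cleaned up by it retroactively.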