Moving most consuming directory to the separate disk
In my case, one directory is consuming most of the disk space dedicated for the system.
Stop the service.
systemctl stop wazuh*
systemctl | grep wazuh
Rename directory
export src="/var/ossec"
mv ${src} ${src}.backup
Attach new disk
Configure LVM, mount disk to the location guide, but do not create directory not mount the disk.
mkdir -p ${src}
export host=$(hostname)
mount /dev/vg-${host}-data/lv-${host}-data ${src}
df -h
Add mount point to the fstab. Copy needed line to the buffer and paste it into the /etc/fstab
mount | grep ${host}
/dev/mapper/vg--host--data-lv--host--data on /var/ossec type ext4 (rw,relatime)
vi /etc/fstab
/dev/mapper/vg--host--data-lv--host--data /var/ossec ext4 errors=remount-ro 0 1
systemctl daemon-reload
mount -a
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 29G 20G 8.5G 70% /
tmpfs 2.0G 0 2.0G 0% /dev/shm
tmpfs 783M 1000K 782M 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
efivarfs 56K 24K 27K 48% /sys/firmware/efi/efivars
/dev/sda16 881M 70M 749M 9% /boot
/dev/sda15 105M 6.1M 99M 6% /boot/efi
tmpfs 392M 12K 392M 1% /run/user/1003
/dev/mapper/vg--host--data-lv--host--data 98G 24K 93G 1% /var/ossec
Run the screen (tmux). Move files from backup to new destination
tmux a
sudo su
apt install rsync
export src="/var/ossec"
# trailing slash matters! telling copy content, nor directory itself.
rsync -avAXH --progress ${src}.backup/ ${src}
Verify integrity (output must be empty)
# checksums, permissions, timestamps
rsync -avcn --delete ${src}.backup ${src}
# content only
diff -qr ${src}.backup ${src}
Verify size
du -s ${src}
8905080 /var/ossec
du -s ${src}.backup
8905676 /var/ossec.backup
Perform VM restart to ensure disk will be mounted and service is working properly
shutdown -r now
Once happy, remove source
export src="/var/ossec"
rm -rf ${src}.backup