We are currently running a DEV OpenShift 4.14 cluster and we installed and configured the ECK operator and have all the cluster logs forwarding from the Red Hat OpenShift Logging operator with a ClusterLogForwarder, and those logs are accessible via Kibana on the ECK side with a route.
The reason we're using ECK vs the OpenShift Elasticsearch Operator managed instances is that we have a request from the app team to also be able to have external application logs outside the OpenShift cluster sent to the same Elasticsearch/Kibana instances and that wasn't supported through the Red Hat OpenShift Elasticsearch Operator.
Recent discussions have brought up data retention and the idea of utilizing storage tiers for the ECK stack. For instance, keep 30 days of "hot/live" data on the fastest tier, after 30 days go to "warm" storage and after 60 days go to "cold" storage.
Currently the storage for the ECK instances is allocated in OpenShift utilizing persistent volume claims/volumes utilizing the default managed-csi driver.
The cluster is running in Azure and was installed via the IPI installer.
Our experience on the Elastic/ECK side of things is limited and I was looking for tips on how we can accomplish the storage tiers in the context of OpenShift on Azure utilizing ECK. Thanks ahead of time!