This is a x-post from Slack, but I think that it is perhaps easier to have a discussion here.
We are setting up a new log cluster that should handle .. logs.. from our infrastructure, mostly. The usual suspects: Filebeat, Winlogbeat, Auditbeat, etc.
Our design, after some testing in Docker, landed on this.
But after a brief discussion in Slack I was recommended not to use "Master" role on the Ingest nodes (internal client facing).
Is this design sane for 14 days of hot storage and then a few months of cold storage for "archive"?