How about having 2 log collectors or 1 collector and 2 storage areas. One for the logs you want to save and one for the logs you have to save. The stuff we want is what it takes to do our jobs. Logs that help us troubleshoot and point to problems. The stuff we have to save is what someone says is necessary for auditing or CYA moments.
I imagine the 2nd category requires more storage based on the longer retention time while the 1st category of logs may not need to be retained for as long and may not need an archiving solution.