* Operational cost to deploy agents to every single source server from which we need to collect logs.
* Reliable transport mechanism.
* Little possibility for bad guys to manipulate logs as they are being sent in real-time.
* Centralization of all logs providing a unique window into separate sources of logs.
The right approach: Use a risk-management method to assess which makes the most sense for your environment. In high-security environments, you may want to deploy agents in each system you want to collect from, although the operational cost could be high if your scope contains many systems.