If an attacker does break in and get control of a machine, one of the first things they will do is monkey with the logs to cover their tracks. This makes it hard for you to find out if your machine has been cracked, or how they did it. Recovery becomes even more of a headache.
Syslog and other facilities can be set up to send log messages to a remote machine. This complicates an attacker's job considerably, since they now have to break into a whole new machine in order to cover their tracks. Even if they can do this, at worst there is a larger window for you to spot the problem before they can hide it.
(Note, however, that if the attacker can subvert the log machine, they can then hide a lot of problems...)
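One way to use the remote copy to spot tampering on the original machine, as an added example that is not part of the original text: compare what the log host received with what is still in the local file and report the records that have disappeared locally. It assumes traditional syslog lines of the form `Mon DD HH:MM:SS host message`; the function names, host names and sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample: what the remote log host received from its clients.
REMOTE_COPY = [
    "Mar  3 02:10:00 web01 CRON[790]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 02:13:58 web01 sshd[811]: Failed password for root from 203.0.113.9 port 51120 ssh2",
    "Mar  3 02:14:07 web01 sshd[811]: Accepted password for root from 203.0.113.9 port 51122 ssh2",
    "Mar  3 02:15:02 db01 sshd[402]: Accepted publickey for backup from 198.51.100.7 port 40022 ssh2",
    "Mar  3 02:20:00 web01 CRON[845]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed sample: the local log on web01 after someone edited it.
LOCAL_COPY = [
    "Mar  3 02:10:00 web01 CRON[790]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 02:20:00 web01 CRON[845]: (root) CMD (run-parts /etc/cron.hourly)",
]

def parse(line):
    """Split a traditional syslog line into (timestamp, host, message)."""
    parts = line.split(None, 4)  # month, day, time, host, rest
    if len(parts) < 5:
        return None              # not a syslog record; ignore it
    return (" ".join(parts[:3]), parts[3], parts[4].rstrip())

def missing_locally(local_lines, remote_lines, host):
    """Return records the log host holds for `host` that the local file lacks.

    A multiset is used so that legitimately repeated identical lines are
    matched one for one instead of hiding a deletion.
    """
    local = Counter(r for r in map(parse, local_lines) if r and r[1] == host)
    missing = []
    for rec in map(parse, remote_lines):
        if rec is None or rec[1] != host:
            continue
        if local[rec] > 0:
            local[rec] -= 1      # accounted for in the local file
        else:
            missing.append(rec)  # present remotely, gone locally
    return missing

if __name__ == "__main__":
    for ts, host, msg in missing_locally(LOCAL_COPY, REMOTE_COPY, "web01"):
        print(f"missing locally: {ts} {host} {msg}")
```

The comparison is only as trustworthy as the log host itself, which is the caveat in the note above.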