Using logs for forensics after a data breach

08.11.2010

* Operational cost of deploying agents to every source server from which logs must be collected.

* Reliable transport mechanism.

* Little opportunity for bad guys to manipulate logs, since they are shipped in real time.

* Centralization of all logs, providing a single window into otherwise separate log sources.

The right approach: use a risk-management method to assess which option makes the most sense for your environment. In high-security environments you may want to deploy an agent on each system you collect from, although the operational cost can be high if your scope contains many systems.
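The real-time shipping point above is what makes agent-based collection forensically valuable: once a line has reached the central collector, an intruder on the source server can no longer rewrite it. The following is an added illustration, not code from the original article, of how an agent can make that property checkable at the collector by chaining an HMAC tag over each record and the previous tag. The shared key, the source name and the sample syslog lines are constructed for the example; with them, the collector can tell intact, altered and deleted records apart when it later verifies the stored chain.

```python
import hashlib
import hmac

# Constructed shared secret between agent and collector (assumption for the example;
# in practice it would be provisioned per source and never logged).
KEY = b"example-shared-secret-for-web01"

# Constructed sample lines standing in for what an agent would tail from /var/log/auth.log.
SAMPLE_LINES = [
    "Nov  8 10:01:02 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51234",
    "Nov  8 10:01:09 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Nov  8 10:02:44 web01 sshd[2299]: Failed password for root from 203.0.113.7 port 40022",
]

GENESIS = b"\x00" * 32  # tag that precedes the first record of a source


def _tag(key, prev_tag, source, seq, line):
    # Each tag binds the line, its sequence number, its source and the previous tag,
    # so editing or removing an earlier record breaks every tag after it.
    msg = prev_tag + f"{source}|{seq}|{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def chain_records(lines, key, source):
    """Agent side: wrap each line in a record carrying its sequence number and chained tag."""
    prev = GENESIS
    records = []
    for seq, line in enumerate(lines):
        tag = _tag(key, prev, source, seq, line)
        records.append({"source": source, "seq": seq, "line": line, "tag": tag.hex()})
        prev = tag
    return records


def verify_chain(records, key):
    """Collector side: return (True, None) if the stored chain is intact,
    otherwise (False, seq) with the first sequence number at which it breaks."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq:          # a record is missing or reordered
            return False, expected_seq
        tag = _tag(key, prev, rec["source"], rec["seq"], rec["line"])
        if not hmac.compare_digest(tag.hex(), rec["tag"]):  # content or tag was altered
            return False, expected_seq
        prev = tag
    return True, None


def demo():
    """Run the three scenarios a collector cares about and return their verdicts."""
    intact = chain_records(SAMPLE_LINES, KEY, "web01")

    # Scenario 1: the stored copy is untouched.
    intact_result = verify_chain(intact, KEY)

    # Scenario 2: someone edits the sudo line in the collector's copy to hide the command.
    altered = [dict(r) for r in intact]
    altered[1]["line"] = altered[1]["line"].replace("/etc/shadow", "/etc/hostname")
    altered_result = verify_chain(altered, KEY)

    # Scenario 3: the sudo record is deleted outright; the sequence gap gives it away.
    deleted = [intact[0], intact[2]]
    deleted_result = verify_chain(deleted, KEY)

    return {"intact": intact_result, "altered": altered_result, "deleted": deleted_result}


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:8s} -> {verdict}")
```

Note that the chain only protects what has already left the source: an intruder who gains root on the source server after the key is deployed could still forge new lines in the correct chain order, and simply truncating the stored chain after the last record is not detected by the check alone. Shipping in real time over a reliable transport, and having the collector track the highest sequence number seen per source, is what closes those two gaps; the chain then makes later alteration of the central store evident.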