> If each log entry is signed individually then you don't even prevent the attacker from erasing individual log entries. You would have to sign each log entry on top of the prior one to detect gaps.
Which is exactly what is being suggested. The top-level hash is based on the previous hash plus the new log entry. Yes, an attacker could still delete the logs, but the idea is to make them tamper-*evident*, not tamper-*proof*.
Still, as you stated, you can tamper-proof the logs by sending them to a dedicated, "bullet-proof" logging server, or some form of write-once local storage. Remote logging, at least, is essentially a solved problem.
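The chaining described above, as an added example that is not part of this thread: each tag covers the previous tag plus the new entry, so removing or editing an entry in the middle breaks the link. HMAC-SHA256 stands in for the per-entry signature; the key, genesis value and log lines are constructed for the demo.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32          # constructed chain start (no previous tag)
KEY = b"constructed-demo-key"   # stand-in for the logger's signing key

def append_entry(chain, entry, key=KEY):
    """Append one entry; its tag covers the previous tag plus the entry."""
    prev = chain[-1][1] if chain else GENESIS
    tag = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
    chain.append((entry, tag))
    return tag

def verify_chain(chain, key=KEY, anchor=None):
    """Return (ok, reason). anchor is the last tag shipped off-host, if any."""
    prev = GENESIS
    for i, (entry, tag) in enumerate(chain):
        expected = hmac.new(key, prev + entry.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, f"chain broken at entry {i}"
        prev = tag
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, "tail does not match remote anchor (truncated?)"
    return True, "ok"

def demo():
    chain = []
    # constructed sample log lines
    for line in ["sshd: accepted key for alice", "sudo: alice -> root", "sshd: session closed"]:
        append_entry(chain, line)
    anchor = chain[-1][1]           # what a remote collector would hold
    results = {"intact": verify_chain(chain, anchor=anchor)}
    # delete the middle entry: the next tag no longer links to its predecessor
    gap = [chain[0], chain[2]]
    results["gap"] = verify_chain(gap)
    # edit an entry in place but keep its old tag: the tag no longer matches
    edited = [chain[0], ("sudo: bob -> root", chain[1][1]), chain[2]]
    results["edited"] = verify_chain(edited)
    # drop the tail: the chain stays internally consistent, only the anchor catches it
    truncated = chain[:2]
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_anchor"] = verify_chain(truncated, anchor=anchor)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Dropping the newest entries leaves a chain that still verifies on its own, which is why the latest tag (or the entries themselves) has to reach a remote collector for the scheme to catch truncation.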