Such locations can be constructed. Many people here seem to think that a dedicated syslog server is secure, and that it would have no other function and no other visible ports except one which accepts data in the syslog protocol. Logging every hash sounds like a solution whose overhead is comparable to just doing remote logging directly. There might be value in having some kind of middle ground.
Not every attack succeeds immediately, and it may take several tries to successfully exploit some race condition in a daemon. Once an attacker breaks in through some local daemon, it still takes some time to download or build the relevant exploit utility, and to launch the secondary attack which finally gives root compromise.