With a centralized model you will always run the risk of your log collection point being noticed. In fact, it can be another point of honeypotting: setting up a honeypot syslog server can be extremely beneficial.
What do you do if the logs are cleared from a honeypot and you don't have a centralized location where logs are sent? Honestly, by the time they discover the centralized loghost, you should have enough information collected about the compromise to disconnect the attacker and collect your evidence.
Your best bet is to maintain a centralized location that is hardened, and leave copies of the logs on the honeypots. This gives you the best of both worlds. It allows you to monitor locally, rather than log in to a host to monitor its logs. (You think you wouldn't be noticed then? How often do you see an attacker check who is on the machine?)
Secure the logfile transmission and the loghost, and you should be fine. As for single point of failure: back up the loghost.
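The "best of both worlds" setup above (hardened loghost plus a local copy on each honeypot) pays off when you can line the two copies up and see exactly what the intruder removed. The following is an added example, not code from the original post or from any particular syslog package. It assumes both files hold the same BSD-style syslog stream for one honeypot and that the loghost copy is the trustworthy one, so the honeypot copy should be a subsequence of it plus any lines the forwarder has not shipped yet; the sample log lines are constructed for the example.

```python
"""Compare a honeypot's local log copy against the central loghost's copy
of the same stream and report what was cleared, edited, or not yet shipped.

Added example, not code from the original post. Assumes both copies are
ordinary line-oriented syslog files for the same host, and that the
loghost copy is the trustworthy one (hardened, backed up), so the honeypot
copy is expected to be a subsequence of it plus any lines not yet forwarded.
"""
import difflib
from dataclasses import dataclass, field


@dataclass
class LogDiff:
    missing: list = field(default_factory=list)    # on loghost, gone from honeypot
    gaps: list = field(default_factory=list)       # (first_ts, last_ts, count) per run of missing lines
    injected: list = field(default_factory=list)   # on honeypot only, mid-stream: forged or edited
    unshipped: list = field(default_factory=list)  # on honeypot only, at the tail: forwarder lag
    cleared: bool = False                          # honeypot copy is empty while loghost has data


def syslog_timestamp(line):
    """The classic BSD syslog header is 'Mmm dd hh:mm:ss', the first 15 chars."""
    return line[:15]


def compare_logs(loghost_lines, local_lines):
    """Align the two copies line by line and classify every difference."""
    diff = LogDiff(cleared=bool(loghost_lines) and not local_lines)
    # autojunk=False: the heuristic that ignores frequent items would treat
    # repeated cron lines as junk and hide real gaps.
    sm = difflib.SequenceMatcher(a=loghost_lines, b=local_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            run = loghost_lines[i1:i2]
            diff.missing.extend(run)
            diff.gaps.append((syslog_timestamp(run[0]), syslog_timestamp(run[-1]), len(run)))
        if tag in ("insert", "replace"):
            extra = local_lines[j1:j2]
            # Lines after the last line the loghost ever saw are just not
            # forwarded yet; anything earlier was written behind the forwarder.
            if i1 == len(loghost_lines):
                diff.unshipped.extend(extra)
            else:
                diff.injected.extend(extra)
    return diff


def report(diff):
    """Human-readable findings, one string per item."""
    out = []
    if diff.cleared:
        out.append("honeypot log is EMPTY while the loghost holds entries: log was cleared")
    for first_ts, last_ts, count in diff.gaps:
        out.append(f"{count} line(s) between {first_ts} and {last_ts} removed on honeypot")
    for line in diff.injected:
        out.append(f"line present only on honeypot, not forwarded: {line}")
    if diff.unshipped:
        out.append(f"{len(diff.unshipped)} trailing line(s) not yet received by loghost (forwarder lag)")
    if not out:
        out.append("copies agree")
    return out


def load(path):
    """Read one log file, dropping blank lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.rstrip("\n") for ln in fh if ln.strip()]


# Constructed sample data (not real logs): a root login, a UID 0 account
# added, then the intruder deletes those three lines from the local file.
LOGHOST_COPY = [
    "Mar 12 02:13:55 honeypot sshd[812]: Failed password for root from 203.0.113.45 port 51420 ssh2",
    "Mar 12 02:14:01 honeypot sshd[812]: Accepted password for root from 203.0.113.45 port 51422 ssh2",
    "Mar 12 02:14:01 honeypot sshd[812]: pam_unix(sshd:session): session opened for user root",
    "Mar 12 02:14:30 honeypot useradd[901]: new user: name=backup2, UID=0, GID=0, home=/, shell=/bin/sh",
    "Mar 12 02:15:02 honeypot sshd[812]: pam_unix(sshd:session): session closed for user root",
    "Mar 12 02:20:01 honeypot CRON[950]: (root) CMD (run-parts /etc/cron.hourly)",
]
HONEYPOT_COPY = [
    LOGHOST_COPY[0],
    LOGHOST_COPY[4],
    LOGHOST_COPY[5],
    "Mar 12 02:21:10 honeypot CRON[955]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",  # not forwarded yet
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = compare_logs(load(sys.argv[1]), load(sys.argv[2]))
    else:
        result = compare_logs(LOGHOST_COPY, HONEYPOT_COPY)
    for finding in report(result):
        print(finding)
```

Run it as `python compare.py /var/log/loghost/honeypot.log honeypot-copy.log`; with no arguments it runs on the built-in sample and reports three lines removed between 02:14:01 and 02:14:30. Fetch the honeypot's copy over the same secured channel you use for the logs rather than by logging into the honeypot, for the reason the post gives: an attacker who checks who is on the machine will notice you.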