I think the idea is the attacker didn't compromise both the local machine and the remote log sink machine. If you want to get really fancy, the techniques used in cert revocation logs/blockchains could be used.
reply
Blockchain is completely unnecessary (as it always is; I thought people stopped trying to ram that garbage into everything years ago).

I was answering this question from GP:

> Unfortunately it appears openssh doesn't even have an option to create such a logfile!! Why not??

The answer is because in Linux systems the logging logistics are handled at the system level, just like starting and running openssh itself. The answer to "why not" is because that's the logging system's job, not openssh's.

rsyslogd is one simple and direct way to distribute logs to remote machines.

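A minimal rsyslog setup for the remote forwarding mentioned in the comment above, added here as an example and not taken from the thread. The host name, port and file names are placeholders, and it assumes sshd logs to the `auth` or `authpriv` syslog facility.

```conf
# --- On the machine running sshd -------------------------------------
# Hypothetical file: /etc/rsyslog.d/60-forward-auth.conf
# Forward authentication messages (sshd logins, failures) to a remote sink.
# Local logging rules elsewhere in rsyslog.conf keep working unchanged.
auth,authpriv.* action(
    type="omfwd"
    target="loghost.example.internal"   # placeholder: the remote log sink
    port="514"                          # placeholder port
    protocol="tcp"                      # plain TCP, unencrypted on the wire
    # Disk-assisted queue: buffer messages while the sink is unreachable
    # (requires a work directory to be set in the main rsyslog.conf).
    queue.type="LinkedList"
    queue.filename="fwd_auth"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"        # retry forever instead of dropping
)

# --- On the remote log sink ------------------------------------------
# Hypothetical file: /etc/rsyslog.d/10-receive.conf
module(load="imtcp")
input(type="imtcp" port="514")

# Write each sending host's auth messages to its own file.
template(name="PerHostAuth" type="string"
         string="/var/log/remote/%HOSTNAME%/auth.log")
if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    action(type="omfile" dynaFile="PerHostAuth")
}
```

The copy on the sink is only useful as an independent record if accounts on the sshd host cannot modify or delete files on the sink.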