Write protected directory that only DA/EAs can write to, read-only for the service account the software will use. R/W to the service account used for dumping the logs.
That's no less secure than the current system.
In reality, it's probably an easily solved problem that's won't require DA to run at log management software.
FWIW, I work in an extremely security conscious environment and even we allow log shipping in the fashion I've described.--
flickr | Of faith, power and glory