We are using the hosted services and have 2 ESAs clustered together and one SMA. We want to create a log subscription to push the mail logs to a local machine for searching and archiving. Should we do this for all 3 boxes or just the 2 ESAs, since presumably the SMA just has a copy of the original logs from the ESAs?
The SMA comes with its own mail log, which will most of the time show the spam received from the ESAs and getting quarantined. The appliance, however, does not fetch the mail logs from the ESAs; what it retrieves is only tracking and reporting data, but no logs. So in case you want to push the SMA's mail_log as well, go ahead.
By the way, you may also consider a second log subscription for these logs on each appliance, which uses the standard settings. This way there will always be a local copy of the last 10 mail logs on the appliances as well, which makes it easier to troubleshoot in case of a problem. Just a suggestion.