Only if securelevel is 2. If securelevel = 1, then only mounted filesystems are RO. An attacker could conceivably forcibly unmount /var/log as root, and make the changes directly to the block device.