Even doing zcat | grep is faster than journald.

I now turn off journald and use rotated pain text log files. It's more efficient in all metrics.

Journald is an odd one. I don't think it being a binary log/database makes sense. If you have a tiny operation, with a single server, then the binary database doesn't really make sense, having plain text is just easier and faster. If you're a bigger operation, you'll have a central logging solution, in which case you need journald to store the longs as plain text as well, before you can do log shipping.

The only use case where the binary format might make sense is if you ship journald logs to another central journald instance. That's just very much an edge case.

afaik journald can just forward logs via rsyslog directly to a remote server

Why would it need to store plaintext locally?

Doesn't that still involve a conversion? I believe that rsyslog can read the journald database, but you're typically not querying syslog data directly, so there's a conversion between rsyslog and logstash, Splunk, Datalog, whatever.

Some folks like having some local storage to act as a buffer in case the remote syslog server is down. Not sure if journald can do that on its own.