/bin/journalctl comes from the core snap on classic distro and it doesn't understand the log format of the files in /run/log/journal/*. The security policy doesn't allow executing /var/lib/snapd/hostfs/bin/journalctl, but if it did, then we have:
# /var/lib/snapd/hostfs/bin/journalctl --follow
/var/lib/snapd/hostfs/bin/journalctl: error while loading shared libraries: libsystemd-shared-232.so: cannot open shared object file: No such file or directory
so we'd then have to set LD_LIBRARY_PATH. This is possible. Eg:
With these rules:
Can then run with:
$ LD_LIBRARY_PATH=/var/lib/snapd/hostfs/lib/systemd:$LD_LIBRARY_PATH /var/lib/snapd/hostfs/bin/journalctl --follow
May 18 10:12:41 iolanthe kernel: audit: type=1400 audit(1495120361.472:70824): apparmor="DENIED" operation="open" profile="snap.strict.sh" name="/etc/fstab" pid=8276 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
I'll prepare a PR for that because I think it is worthwhile regardless of anything related to rsyslog.
Note that with the above I can make snappy-debug itself work, this is a hurdle for people wanting to use log-observe since they have to know to use /var/lib/snapd/hostfs/bin/journalctl and libraries like python3-systemd still won't work.