Hey James,
There's a couple things here that should probably be clarified.
One, yeah, you got into root on LEM. Anything is hackable, and it's not hard to, say, mount a bootable ISO of another OS to a VM and use it to reset some files and change the root password. I've certainly seen customers do things like it before, and I'm sure I'll see it again. That said, part of why LEM is set up the way it is is to provide some sort of "chain of custody." Breaking root isn't particularly hard if you have access to the VM, but customers shouldn't want to do that since a smart auditor might use that fact to call into question anything they see, and failing audits is expensive.
Two, the logs you show are not encrypted, and that's working as designed. The log you opened is real: LEM is running syslog-ng to get syslog from your network devices, and that data isn't encrypted. If you want to see what that looks like in my lab, it's a mass of text and tar.gz files sitting in var/log where data that hasn't been normalized and written to the LEM database lives.
LEM is running a Linux kernel and most Linux distros use /var/log as a default location, so really this isn't a surprise if you know Linux.
Third, the connectors are all XML and you don't need to crack a LEM to see them; we give them away from the website here.
Fourth, the Postgres files are not the LEM database. I'm not 100% on why that's there, but I believe it's something the Reports console uses and acts as an interpreter. If you turn on logging on Reports and run a report, you'll see bits and pieces of SQL in the logs, like so:
2018-08-16 13:30:03.476 threadid=15572 HostName = corelem01 ; Port = 9001 ; Protocol = HyperSQL
2018-08-16 13:30:03.477 threadid=15572 Database = alertdb ; User = corvega.int\curtis.ingram
2018-08-16 13:30:03.505 threadid=15572 CRUtils.SetParamValueByName succeeded
2018-08-16 13:30:03.506 threadid=15572 Successfully set report parameters
2018-08-16 13:30:03.507 threadid=15572 Report Start Date/Time: 12/30/1899
2018-08-16 13:30:03.507 threadid=15572 Report End Date/Time: 12/30/1899
2018-08-16 13:30:03.511 threadid=15572 JDBC to HSQL data access
2018-08-16 13:30:03.511 threadid=15572 Retrieving raw query text...
2018-08-16 13:30:12.370 threadid=15572 Raw report query:
select isnull(datediff('DD', min(lowmanagertime) , max(highmanagertime)),0) as range_alert from alertdatetimerange; select * from luciusdiskstorage;
2018-08-16 13:30:12.434 threadid=15572 CRViewer.ViewReport executing...
2018-08-16 13:30:12.450 threadid=15572 CRViewer.ViewReport executed without exception
The encrypted data on LEM is stored elsewhere in the /var partition, and I promise those are a lot harder to randomly open and edit than the text files for syslog.
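Added example (not part of the original post and not vendor code): a small parser for the Reports log format quoted above, grouping lines by thread id so a reviewer can see which account ran which SQL against which database. The function name is hypothetical, and it assumes, from the excerpt only, that the query text follows the "Raw report query:" line on its own line with no timestamp.

```python
import re
from collections import defaultdict

# Lines copied from the Reports log excerpt in the post above.
SAMPLE = """\
2018-08-16 13:30:03.476 threadid=15572 HostName = corelem01 ; Port = 9001 ; Protocol = HyperSQL
2018-08-16 13:30:03.477 threadid=15572 Database = alertdb ; User = corvega.int\\curtis.ingram
2018-08-16 13:30:03.511 threadid=15572 JDBC to HSQL data access
2018-08-16 13:30:12.370 threadid=15572 Raw report query:
select isnull(datediff('DD', min(lowmanagertime) , max(highmanagertime)),0) as range_alert from alertdatetimerange; select * from luciusdiskstorage;
2018-08-16 13:30:12.434 threadid=15572 CRViewer.ViewReport executing...
"""

# "<date> <time.ms> threadid=<n> <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) threadid=(\d+) (.*)$")
# "Key = value" pairs separated by " ; "
PAIR = re.compile(r"(\w+) = ([^;]+?)\s*(?:;|$)")
FIELDS = {"HostName", "Port", "Protocol", "Database", "User"}


def parse_reports_log(text):
    """Return {thread_id: {connection fields, first_seen, queries}}."""
    sessions = defaultdict(lambda: {"queries": []})
    pending = None  # thread whose SQL text is expected on the next line(s)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            if pending is not None and raw.strip():
                # Untimestamped continuation line: the raw SQL. Splitting on
                # ';' is naive (it ignores quoted semicolons) but fits the sample.
                stmts = [s.strip() for s in raw.split(";") if s.strip()]
                sessions[pending]["queries"].extend(stmts)
            continue
        ts, tid, msg = m.groups()
        pending = tid if msg.startswith("Raw report query:") else None
        sess = sessions[tid]
        sess.setdefault("first_seen", ts)
        for key, value in PAIR.findall(msg):
            if key in FIELDS:
                sess[key] = value
    return dict(sessions)


if __name__ == "__main__":
    for tid, sess in parse_reports_log(SAMPLE).items():
        print(tid, sess)
```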
