List of common rules I'm supplementing to Debian/Ubuntu logcheck installations that suppress issues that arise with publicly available services that people try to exploit.

logcheck_local_towo

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-apt: Invoked with dpkg_options=force-confdef,force-confold upgrade=dist force=False package=None purge=False state=present update_cache=True default_release=None install_recommends=True deb=None cache_valid_time=None$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-lineinfile: .*dest=/etc/logcheck/ignore.d.server/local.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-setup: Invoked with filter=\* fact_path=/etc/ansible/facts.d$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ avahi-daemon\[[[:digit:]]+\]: server\.c: Packet too short or invalid while reading response record. \(Maybe a UTF-8 problem\?\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: GLib-CRITICAL: Source ID [[:digit:]]+ was not found when attempting to remove it$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: \(process:[[:digit:]]+\): GLib-CRITICAL \*\*: g_slice_set_config: assertion .sys_page_size == 0. failed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: console-kit-daemon\[[[:digit:]]+\]: GLib-CRITICAL: Source ID [[:digit:]]+ was not found when attempting to remove it$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ console-kit-daemon\[[[:digit:]]+\]: missing action$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\(towo\): Disconnected for inactivity in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\(towo\): Disconnected: Logged out in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: DON'T PANIC! Read http://www.clamav.net/support/faq$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Local version: [.[:digit:]]+ Recommended version: [.[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Your ClamAV installation is OUTDATED!$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: bytecode.cld is up to date \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [[:alnum:]]+\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [.[:digit:]]+:?.*$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ::ffff:[\.0-9]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Change of username or service not allowed: \([[:alpha:]]+,ssh-connection\) -> \([[:alpha:]]+,ssh-connection\) \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: bad client public DH value \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM service(sshd) ignoring max retries; [[:digit:]]+ > [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: Goodbye \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: PECL/ssh2 \(http://pecl.php.net/packages/ssh2\) \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [\.0-9]+: 11: Bye Bye \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+:3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [:.[:xdigit:]]+: 3: com.jcraft.jsch.JSchException: Auth fail \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.[:digit:]]{4,15} port [[:digit:]]+: no matching host key type found. Their offer: [-,[:alnum:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client [,-@.[:alnum:]]+ server [,-.@[:alnum:]]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user towo$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (New|Removed) session [[:digit:]]+( of user [[:alpha:]]+)?.$

Yes, that description is only possible in such a fashion because I Am Ze German.

It seems that lately (i.e. as of today maybe)
invalid public DH value: <= 1 [preauth]
Disconnecting: bad client public DH value [preauth]
have become popular again. Feels like some new kind of attack because the amount of spam coming through went up also, any ideas?

Bit more update with the things that cropped up aver the last two years.