
How can I hide failed ssh attempts for users that don't exist?

5 votes
3 answers
2345 views
## The Question

How can I exclude inconsequential¹ failed SSH logins?

## Background

For ambient awareness, I like to have little background windows showing system error logs on every GNU/Linux box I admin. I used to do this with xconsole, but now use xterm running journalctl -f. Unfortunately, on the machines where ssh is a needed service, the journalctl log is a constant stream of clutter from crackers trying to ssh in with lists of common names/passwords.² I see failures scrolling in every second for accounts that don't even exist. This makes it hard to see anything else in my console log.

## Solutions?

I don't know systemd half as well as I ought, so it's possible there's a slick, simple answer, but I haven't found one yet.³ Any solution is welcome. I suspect it's going to entail messing around with pam, journalctl, and/or grep -v.

I'm looking for a solution which still shows me attempts against existing accounts. However, if that is too difficult, I'll accept an answer which hides all failed login attempts.

## Journalctl examples

Do not show the following:
```
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.90.40  user=root
Dec 12 17:19:21 gaia sshd: Invalid user git from 14.29.201.30
Dec 12 17:19:21 gaia sshd: input_userauth_request: invalid user git [preauth]
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.29.201.30
Dec 12 17:19:22 gaia sshd: Invalid user molisoft from 5.135.152.97
Dec 12 17:19:22 gaia sshd: input_userauth_request: invalid user molisoft [preauth]
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.135.152.97
Dec 12 17:19:23 gaia sshd: Failed password for root from 139.59.90.40 port 37752 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 139.59.90.40: 11: Bye Bye [preauth]
Dec 12 17:19:23 gaia sshd: Failed password for invalid user git from 14.29.201.30 port 41178 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 14.29.201.30: 11: Bye Bye [preauth]
Dec 12 17:19:24 gaia sshd: Failed password for invalid user molisoft from 5.135.152.97 port 50730 ssh2
Dec 12 17:19:24 gaia sshd: Received disconnect from 5.135.152.97: 11: Bye Bye [preauth]
```
But do show valid logins:
```
Dec 10 08:56:16 gaia sshd: Accepted publickey for sophia from 24.22.130.192 port 41610 ssh2: RSA 6b:5f:aa:9c:d8:33:65:2c:c4:0c:88:12:ec:9b:ff:51
Dec 10 08:56:16 gaia sshd: pam_unix(sshd:session): session opened for user sophia by (uid=0)
Dec 10 21:06:37 gaia sshd: pam_unix(sshd:session): session closed for user sophia
```
Also show failed attempts on valid accounts (other than root):
```
Dec 12 00:46:28 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.9.134  user=sophia
Dec 12 00:46:30 gaia sshd: Failed password for sophia from 192.168.9.134 port 55888 ssh2
Dec 12 00:46:33 gaia sshd: Connection closed by authenticating user sophia 192.168.9.134 port 55888 [preauth]
```
And, of course, any service which is _not_ sshd should be shown.
```
Dec 10 08:56:16 gaia systemd: Started User Manager for UID 3237.
```

____

¹ Defined as "username does not exist" or "username is root". Root ssh is disabled on my boxen.

² I do use fail2ban. It helps, but the attempts are coming from too many IP addresses.

³ E.g., journalctl allows one to grep, but not grep -v to exclude certain criteria.
Asked by hackerb9 (1649 rep)
Dec 10, 2019, 04:04 AM
Last activity: Sep 27, 2024, 03:35 PM
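The filter below is an added example, not code from the asker or from any answer on this page. It implements the rules the question spells out: drop sshd lines for accounts that do not exist and for root, keep accepted logins, failures against real accounts, and every non-sshd line. The awkward part is that several of the noise lines (`check pass; user unknown`, the pam `authentication failure` line without `user=`, `Received disconnect from …`) name only the remote host, so the filter is stateful: an `Invalid user` or root failure marks that host as noise, and the host's `Received disconnect` / `Connection closed` line both gets hidden and clears the mark, so a later legitimate login from the same address is still shown. The line layout assumed is the journalctl short format as pasted in the question (with an optional `sshd[pid]`), the script name `sshd_noise_filter.py` is hypothetical, and `SAMPLE_LOG` is just the question's own lines embedded for a self-test. Note this only changes what reaches the console; the journal itself still records every attempt, so fail2ban and any later forensics are unaffected.

```python
"""Hypothetical stdin filter for the sshd noise described in the question.

Usage:  journalctl -f | python3 sshd_noise_filter.py
"""
import re
import sys

# Journal line as pasted in the question: "<Mon> <day> <hh:mm:ss> <host> sshd[pid]: <message>"
SSHD_LINE = re.compile(r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+sshd(?:\[\d+\])?:\s+(.*)$")
INVALID_USER = re.compile(r"^Invalid user \S+ from (\S+)")
PAM_AUTH_FAIL = re.compile(
    r"^pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)(?:\s+user=(\S+))?"
)
FAILED_PW = re.compile(r"^Failed password for (?:(invalid user) )?(\S+) from (\S+)")
# Host is followed by ": 11: Bye Bye" or " port NNN", hence the lazy match and terminator.
DISCONNECT = re.compile(
    r"^(?:Received disconnect from|Connection closed by(?: authenticating user \S+)?) (\S+?)(?::\s|\s|$)"
)
# Messages that carry neither user nor host but only appear for nonexistent accounts.
ALWAYS_HIDE = (
    "input_userauth_request: invalid user",
    "pam_unix(sshd:auth): check pass; user unknown",
)


class SshdNoiseFilter:
    """Stateful line filter: remembers hosts whose current attempt is noise so the
    follow-up lines that name only the host can be hidden as well."""

    def __init__(self):
        self.noisy_hosts = set()

    def keep(self, line):
        m = SSHD_LINE.match(line)
        if not m:
            return True  # anything that is not sshd is always shown
        msg = m.group(1)
        if msg.startswith(ALWAYS_HIDE):
            return False
        m = INVALID_USER.match(msg)
        if m:
            self.noisy_hosts.add(m.group(1))
            return False
        m = PAM_AUTH_FAIL.match(msg)
        if m:
            host, user = m.groups()
            if user is None or user == "root":  # unknown account, or root (disabled anyway)
                self.noisy_hosts.add(host)
                return False
            return True  # failure against a real account: keep
        m = FAILED_PW.match(msg)
        if m:
            invalid, user, host = m.groups()
            if invalid or user == "root":
                self.noisy_hosts.add(host)
                return False
            return True
        m = DISCONNECT.match(msg)
        if m and m.group(1) in self.noisy_hosts:
            self.noisy_hosts.discard(m.group(1))  # attempt over; forget the host
            return False
        return True  # accepted logins, session open/close, everything else


def filter_lines(lines):
    """Return only the lines that should reach the console."""
    f = SshdNoiseFilter()
    return [line for line in lines if f.keep(line)]


# Constructed sample: the lines quoted in the question, noise and signal mixed.
SAMPLE_LOG = """\
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.90.40  user=root
Dec 12 17:19:21 gaia sshd: Invalid user git from 14.29.201.30
Dec 12 17:19:21 gaia sshd: input_userauth_request: invalid user git [preauth]
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.29.201.30
Dec 12 17:19:23 gaia sshd: Failed password for root from 139.59.90.40 port 37752 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 139.59.90.40: 11: Bye Bye [preauth]
Dec 12 17:19:23 gaia sshd: Failed password for invalid user git from 14.29.201.30 port 41178 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 14.29.201.30: 11: Bye Bye [preauth]
Dec 10 08:56:16 gaia sshd: Accepted publickey for sophia from 24.22.130.192 port 41610 ssh2: RSA 6b:5f:aa:9c:d8:33:65:2c:c4:0c:88:12:ec:9b:ff:51
Dec 10 08:56:16 gaia sshd: pam_unix(sshd:session): session opened for user sophia by (uid=0)
Dec 10 21:06:37 gaia sshd: pam_unix(sshd:session): session closed for user sophia
Dec 12 00:46:28 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.9.134  user=sophia
Dec 12 00:46:30 gaia sshd: Failed password for sophia from 192.168.9.134 port 55888 ssh2
Dec 12 00:46:33 gaia sshd: Connection closed by authenticating user sophia 192.168.9.134 port 55888 [preauth]
Dec 10 08:56:16 gaia systemd: Started User Manager for UID 3237.
"""

if __name__ == "__main__":
    live = SshdNoiseFilter()
    for raw in sys.stdin:
        line = raw.rstrip("\n")
        if live.keep(line):
            print(line, flush=True)
```

Run against `SAMPLE_LOG`, the nine noise lines disappear and the seven signal lines (sophia's key login and session, her failed password attempt, and the systemd line) come through. The filter has no way to tell the pam `authentication failure` line for an unknown user apart from one for a real user except by the presence of `user=`, which is exactly the distinction the question relies on, so any sshd/PAM logging change that drops or renames that field would need the regex adjusted.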