Do you get log entries that look like this?
Jun 29 10:40:31 www systemd-logind[329]: New session 3264 of user foo.
Jun 29 10:40:31 www systemd: pam_unix(systemd-user:session): session opened for user foo by (uid=0)
Jun 29 10:40:31 www systemd[1]: Starting user-1000.slice.
Jun 29 10:40:31 www systemd[1]: Created slice user-1000.slice.
Jun 29 10:40:31 www systemd[1]: Starting Session 3264 of user foo.
Jun 29 10:40:31 www systemd[1]: Started Session 3264 of user foo.
Jun 29 10:40:31 www systemd[1]: Starting User Manager for UID 1000...
Jun 29 10:40:31 www systemd[16056]: Starting Paths.
Jun 29 10:40:31 www systemd[16056]: Reached target Paths.
Jun 29 10:40:31 www systemd[16056]: Starting Timers.
Jun 29 10:40:31 www systemd[16056]: Reached target Timers.
Jun 29 10:40:31 www systemd[16056]: Starting Sockets.
Jun 29 10:40:31 www systemd[16056]: Reached target Sockets.
Jun 29 10:40:31 www systemd[16056]: Starting Basic System.
Jun 29 10:40:31 www systemd[16056]: Reached target Basic System.
Jun 29 10:40:31 www systemd[16056]: Starting Default.
Jun 29 10:40:31 www systemd[16056]: Reached target Default.
Jun 29 10:40:31 www systemd[16056]: Startup finished in 13ms.
Jun 29 10:40:31 www systemd[1]: Started User Manager for UID 1000.
Jun 29 10:40:31 www console-kit-daemon[1489]: missing action
Jun 29 10:40:32 www systemd-logind[329]: Removed session 3264.
Jun 29 10:40:32 www systemd: pam_unix(systemd-user:session): session closed for user foo
I got hundreds upon hundreds of kilobytes of logspam like that and I wanted to solve the root cause, not just ignore it in logcheck. I happened to stumble upon the solution on LinuxQuestions.org, and promptly made a fool out of myself there, too. One solution is to enable lingering for user accounts that have cronjobs. For root, that would be: loginctl enable-linger root
Since I searched for quite some time but this didn’t come up immediately, I’m putting it here to increase findability.