1. https://plaso.readthedocs.io/en/latest/

Server and workstation operating system logs
• Application logs (e.g.,web server,database server)
• Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
• Outbound proxy logs and end-user application logs
• Remember to consider other, non-log sources for security events.

User logon/logo! events Successful logon 528, 540;
failed logon 529-537, 539; logo! 538, 551, etc
User account changes Created 624; enabled 626;
changed 642; disabled 629; deleted 630
Password changes To self: 628; to others: 627
Service started or stopped 7035, 7036, etc.
Object access denied 560, 567, etc
(if auditing enabled)

Successful user login “Accepted password”, “Accepted publickey”, “session opened”
Failed user login “authentication failure”, “failed password”
User log-off “session closed”
User account change “password changed”, “new user”, “delete user” or deletion
Sudo actions “sudo: … COMMAND=…” “FAILED su”
Service failure “failed” or “failure”

refrence: https://www.sans.org/brochure/course/log-management-in-depth/6

smtpd_client_message_rate_limit = 2
anvil_rate_time_unit = 60s

The above settings will allow a given user to send a maximum of two messages per minute. Note that the anvil_rate_time_unit setting is also used to control other timeouts.

cryptsetup -s 512 -y luksFormat /dev/sda2

cryptsetup luksOpen /dev/sda2 slackcrypt

umount /mnt service udev stop lvchange -a n <LV-name> cryptsetup luksClose <LUKS-devicename> service udev start

privacyIDEA  + google-authtication(FreeOTP ) + FreeIPA