Here is a dated, but still insightful doc on "Auditing Security Events 'Best Practices'." It covers event log collection and analysis, as recommended by Microsoft (the list is sadly incomplete - there is certainly much more stuff to look at in the Event Log). Example recommendations:
Audit success and failure events in the system event category
Audit success events in the policy change event category on domain controllers
Audit success events in the account management event category
Audit success events in the logon event category
Want more? Read the doc.
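One way to check a host against the four recommendations listed above, as an added example that is not taken from the Microsoft document: it reads the [Event Audit] section of a security template exported with `secedit /export /cfg` and reports which settings fall short. It assumes the legacy template keys map to the categories as shown in BASELINE (in particular that "logon event category" means AuditLogonEvents); the function name and the sample template are constructed for illustration.

```python
import configparser

# Values in the [Event Audit] section of a security template are bit flags:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
SUCCESS, FAILURE = 1, 2

# (template key, required bits, applies to domain controllers only)
# Assumed mapping of the four listed recommendations to template keys.
BASELINE = [
    ("AuditSystemEvents", SUCCESS | FAILURE, False),
    ("AuditPolicyChange", SUCCESS, True),
    ("AuditAccountManage", SUCCESS, False),
    ("AuditLogonEvents", SUCCESS, False),
]

# Constructed sample, not a real export. Real exports are usually UTF-16,
# so decode the file before passing its text in.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditPolicyChange = 0
AuditAccountManage = 0
"""

def find_gaps(inf_text, is_domain_controller=False):
    """Return {key: missing_bits} for every recommendation not met."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(inf_text)
    audit = parser["Event Audit"] if parser.has_section("Event Audit") else {}
    gaps = {}
    for key, required, dc_only in BASELINE:
        if dc_only and not is_domain_controller:
            continue  # recommendation is scoped to domain controllers
        raw = audit.get(key, "0").strip()
        current = int(raw) if raw.isdigit() else 0  # absent or garbled = off
        missing = required & ~current  # bits recommended but not enabled
        if missing:
            gaps[key] = missing
    return gaps

if __name__ == "__main__":
    names = {SUCCESS: "success", FAILURE: "failure", 3: "success and failure"}
    for key, bits in find_gaps(SAMPLE_INF, is_domain_controller=True).items():
        print(f"{key}: {names[bits]} auditing not enabled")
```

A setting that audits more than recommended (for example success and failure where only success is listed) is treated as meeting the recommendation.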