We would like to just collect Security logs from various Windows servers [2012, 2016, 2019, 2022]; however, I'm unsure of what "Default Syslog Facility" I should use.
I've seen people suggest Kernel (messages), Log (alert), and Security/authorization messages. Is there a preference or requirement when collecting security events?
Also, is there a list of "security event ID" that we should focus on or just collect everything?
Thanks in advance.