Log Forwarder Version 1.2.0.114 and Security Logs

We would like to just collect Security logs from various Windows servers [2012, 2016, 2019, 2022], however, I'm unsure of what "Default Syslog Facility" I should use.

I've seen people suggest Kernel (messages), Log (alert), and Security/authorization messages. Is there a preference or requirement when collecting security events?

Also, is there a list off "security event ID" that we should focus on or just collect everything?

Thanks in advance.