If you go to MANAGE > Nodes view of the web console, what is the status of the AD node? If you status is 'green', double click on the node and it should show you the list of enabled connectors. Security log should be one of the connectors that is enabled by default.
Also, can you check the license status of your LEM appliance (Go to MANAGE > Appliances view in the web console)
Based on our Template Connector Profile for Windows Server 2008/2012 with the DC role, I'd suggest you set up these connectors at a minimum for your DCs:
The other part of this is going to be, what are you auditing?
On your Domain Controllers, open a command prompt (and assuming you're on 2K8 or 2K12) enter this command:
auditpol /get /category:*
If it returns a lot of "No auditing" then your policy isn't set to generate events for a lot of things. At the least, you probably want to look at:
auditpol /get /category:"Account Logon"
auditpol /get /category:"DS Access"
auditpol /get /category:"Logon/Logoff"
To see if you're even capturing the events you want to see in the LEM.