Best Practices

  • Determine which events should be recorded.

    Work with business and technical decision makers to ensure that every action and operation that should be audited actually is. Because auditing degrades performance and inflates log volume, audit only the events you can reasonably expect to need later, for example when investigating an incident or satisfying a compliance review.

  • Synchronize the time on all computers and network devices.

    To correlate events that take place on different computers and network devices, you must ensure that their clocks are synchronized. Ideally, all computers and devices should be synchronized with the same time source; in a Windows domain the Windows Time service (W32Time) synchronizes members to their domain controllers, and the domain controllers to the forest root, so only the root needs an external reference. Also record, or normalize to, a single time zone (UTC) so that the same instant is not logged under different local times on different machines.

  • Create a baseline of events.

    Create a baseline of security events under normal conditions that can be used later for comparisons with possible suspicious behavior. Without being able to refer to a baseline log file, it is often difficult to distinguish between events that are innocuous and those that are malicious.

  • Monitor log files for suspicious behavior.

    For auditing to be an effective security measure, you must actually review the audit logs for suspicious behavior; an unread log only helps after the fact. Consider staging common attacks in a test environment and studying the audit records they produce, so that you know what those attacks look like before you have to find them in production logs. Use automated monitoring software or custom scripts to parse the event logs for patterns that indicate suspicious behavior, such as repeated failed logons from one source, and compare observed volumes against your baseline.
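The following script, an added example that is not part of the Security Resource Kit, ties the last three practices together: it normalizes timestamps from hosts in different time zones to UTC (the correlation step), builds a baseline of peak events-per-hour from a "normal day" export, and then scans a later export both for event IDs whose hourly count exceeds the baseline and for the specific pattern of a burst of failed logons from one address followed by a successful logon from that address. The CSV layout (time, host, event_id, account, source_ip) and both exports are constructed for this example; the event IDs 4624 (successful logon) and 4625 (failed logon) are the Windows Vista-and-later Security log IDs, whose Windows 2000/XP-era equivalents, the ones this book's readers would have seen, were 528 and 529.

```python
"""Baseline-and-compare over exported Windows Security event records.

Assumptions (not from the original text): events were exported to a CSV
with columns time,host,event_id,account,source_ip, where time carries an
ISO-8601 offset. Event IDs 4624/4625 are the Vista+ logon success/failure
IDs (528/529 on Windows 2000/XP/2003).
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "normal day" export: two hosts, two local time zones.
BASELINE_CSV = """time,host,event_id,account,source_ip
2003-06-02T08:00:00-05:00,FILESRV,4624,alice,10.0.0.5
2003-06-02T08:03:00-05:00,FILESRV,4625,bob,10.0.0.7
2003-06-02T08:04:00-05:00,FILESRV,4624,bob,10.0.0.7
2003-06-02T14:10:00+01:00,DC01,4624,carol,10.0.1.9
2003-06-02T15:30:00+01:00,DC01,4624,dave,10.0.1.12
2003-06-02T09:45:00-05:00,FILESRV,4624,alice,10.0.0.5
"""

# Constructed export to inspect: failures on DC01 (UTC+1) are followed two
# minutes later by a success on FILESRV (UTC-5). Only after converting both
# to UTC is it visible that the success comes right after the burst.
SUSPECT_CSV = """time,host,event_id,account,source_ip
2003-06-03T09:00:00-05:00,FILESRV,4624,alice,10.0.0.5
2003-06-03T15:01:00+01:00,DC01,4625,administrator,192.0.2.44
2003-06-03T15:01:20+01:00,DC01,4625,administrator,192.0.2.44
2003-06-03T15:01:40+01:00,DC01,4625,administrator,192.0.2.44
2003-06-03T15:02:00+01:00,DC01,4625,administrator,192.0.2.44
2003-06-03T15:02:20+01:00,DC01,4625,administrator,192.0.2.44
2003-06-03T09:03:00-05:00,FILESRV,4624,administrator,192.0.2.44
"""


def parse_records(text):
    """Parse the export, convert every timestamp to UTC, sort by time."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"]).astimezone(timezone.utc)
        row["event_id"] = int(row["event_id"])
        records.append(row)
    records.sort(key=lambda r: r["time"])
    return records


def _hourly_counts(records):
    """Counter keyed by (event_id, UTC hour bucket)."""
    return Counter(
        (r["event_id"], r["time"].replace(minute=0, second=0, microsecond=0))
        for r in records
    )


def build_baseline(records):
    """Peak events-per-hour seen for each event ID under normal conditions."""
    peak = defaultdict(int)
    for (event_id, _hour), count in _hourly_counts(records).items():
        peak[event_id] = max(peak[event_id], count)
    return dict(peak)


def find_deviations(records, baseline, factor=3):
    """Hours where an event ID exceeds factor x its baseline peak.

    An event ID absent from the baseline has a limit of 0, so any occurrence
    is reported. Returns a list of (event_id, hour, count)."""
    out = []
    for (event_id, hour), count in sorted(_hourly_counts(records).items()):
        if count > baseline.get(event_id, 0) * factor:
            out.append((event_id, hour, count))
    return out


def find_password_guessing(records, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with >= threshold failed logons inside `window`.

    For each such burst, also report whether a successful logon from the same
    address follows it, and for which account: a failure burst that ends in
    success is the pattern that most deserves a human's attention."""
    failures = defaultdict(list)
    for r in records:
        if r["event_id"] == 4625:
            failures[r["source_ip"]].append(r["time"])
    findings = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                success = next(
                    (r for r in records
                     if r["event_id"] == 4624 and r["source_ip"] == ip
                     and r["time"] >= burst_end),
                    None,
                )
                findings.append({
                    "source_ip": ip,
                    "first_failure": times[i],
                    "failures": threshold,
                    "followed_by_success": success is not None,
                    "account": success["account"] if success else None,
                })
                break  # one finding per address is enough
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_records(BASELINE_CSV))
    suspect = parse_records(SUSPECT_CSV)
    print("baseline peaks per hour:", baseline)
    for event_id, hour, count in find_deviations(suspect, baseline):
        print(f"{hour:%Y-%m-%d %H:00Z} event {event_id}: {count} (above baseline)")
    for f in find_password_guessing(suspect):
        print("password guessing from", f["source_ip"],
              "-> success as", f["account"] if f["followed_by_success"] else "none")
```

The baseline here is a per-hour peak, which is deliberately crude; a production baseline would be collected over weeks and split by weekday and hour. The point the example makes is structural: without the UTC normalization in parse_records, the DC01 failures (15:01 local) and the FILESRV success (09:03 local) look hours apart and the follow-on success is never linked to the burst.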



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
