Developing a Good Audit Policy
You can only use the auditing feature effectively if you develop an audit policy that both generates the events that you are interested in seeing and generates few enough events that you can effectively manage the resultant logs.
Many administrators who have not yet used the feature start by enabling every audit policy setting, only to be dismayed in short order by the large volume of events that is generated.
As with any other form of security policy, the most effective results are usually achieved by analyzing the security threats that concern you the most and deploying the correct policy settings to mitigate those threats.
The temptation is strong to select audit policy settings as you might select things from a mail-order catalog ...