In the need to centralize logs we have selected syslog as the collector and Splunk (free for now) as the analysis tool, but there's always the question about which events should get to the central repository and from which systems.
The selection should address only those logs of interest from a security point of view.
Which logs do you centralize and how do you select them?
The answers should indicate types of devices, systems or software, types of logs/events and the reason for choosing them.
Windows:
On Linux:
Generally you want to monitor:
These will be the most important logs to monitor, and the most telling using splunk.
A log system is only as good as the time source. Using NTP and making sure all your servers are set to the same time zone will make your job ten times easier. I like to set my BIOS clocks to UTC and then set the OS to the local time zone.
EDIT: This is now a wiki. Add your own advice!
All logs are of interest for security purposes. At least they are on a unix/lnx box.
On Linux you might as well send everything from syslog to the central collector and analyze for patterns. You never know what you will need ahead of time and you may find yourself missing some information if you only include certain services. While there are general guidelines as to which facility a particular type of application should be logging to, there are no hard and fast rules.
If an application of interest writes its own log files, I usually ingest those into the syslog daemon as well and forward them to the central collector.
This is useful not only for security purposes but also for finding configuration errors as well as hardware and software faults.
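As an added illustration of the approach this answer describes (not the answer's own configuration): an rsyslog drop-in that tails an application's private log file into the syslog stream and forwards every facility and priority to the central collector. The collector hostname, the application log path and the facility are assumptions; adjust them to your environment.

```conf
# /etc/rsyslog.d/50-forward.conf  (rsyslog 8 syntax; hostname and paths are assumptions)

# Ingest an application's own log file as if it were a syslog message,
# so it gets the same timestamp, host and forwarding treatment as everything else.
module(load="imfile")
input(type="imfile"
      File="/var/log/myapp/app.log"
      Tag="myapp:"
      Facility="local3"
      Severity="info")

# Forward everything (all facilities, all priorities) to the central collector
# over TCP. The disk-assisted queue keeps events if the collector is unreachable,
# and unlimited retries mean forwarding resumes instead of silently stopping.
action(type="omfwd"
       target="logcollector.example.com"
       port="514"
       protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwdq"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Check the syntax with `rsyslogd -N1` before restarting the daemon. The `*.*` catch-all matches this answer's "send everything" advice; if the collector side needs to tell sources apart, give each ingested file its own tag or facility as shown above.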
It really depends on what you are trying to detect.
If you are looking for resource access then (eg. payroll files, product documents):
If you are looking for external access then:
Again, first determine what you want to detect and then go for the logs that can show you who, what and where the information/resource was accessed. Then go for the next one. From experience, if you just want everything you will fail in getting the detection you need for anything.
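To make the "who, what and where" selection concrete, here is an added example (not from the answer above) that parses a handful of constructed Linux syslog lines and runs the two detections the answer names: resource access (a sensitive file read via sudo) and external access (an accepted login from a non-internal address), plus a failed-login count that usually accompanies the second. Hostnames, users, addresses and the `/srv/payroll` path are made up; the "internal" definition is the RFC 1918/loopback/link-local ranges, which is an assumption you would tune to your own address plan.

```python
"""Select and check logs by what you want to detect: who, what and where."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not real logs); hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar 12 10:01:02 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.15 port 51234 ssh2
Mar 12 10:01:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /srv/payroll/2024.csv
Mar 12 10:02:11 web01 sshd[2240]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar 12 10:02:15 web01 sshd[2240]: Failed password for root from 203.0.113.9 port 40023 ssh2
Mar 12 10:02:20 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40024 ssh2
Mar 12 10:03:00 web01 sshd[2250]: Accepted password for bob from 203.0.113.9 port 40100 ssh2
Mar 12 10:03:05 web01 cron[2260]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Traditional (RFC 3164 style) syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


@dataclass
class Event:
    ts: str
    host: str               # where the event happened
    who: str                # account involved
    what: str               # action or resource
    src_ip: Optional[str]   # where the access came from, if the log says
    outcome: str            # "success" or "failure"


def is_external(ip: str) -> bool:
    """Assumption: anything outside private, loopback and link-local space is external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as suspicious rather than drop it
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event; lines from programs we do not model are skipped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
    if prog == "sshd":
        s = SSHD_RE.match(msg)
        if s:
            outcome = "success" if s["result"] == "Accepted" else "failure"
            return Event(ts, host, s["user"], f"ssh login ({s['method']})", s["ip"], outcome)
    elif prog == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            return Event(ts, host, s["user"], f"sudo as {s['target']}: {s['cmd']}", None, "success")
    return None


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def resource_access(events: List[Event], sensitive_prefixes=("/srv/payroll",)) -> List[Event]:
    """Resource access: any command that names a sensitive path (prefixes are an assumption)."""
    return [e for e in events if any(p in e.what for p in sensitive_prefixes)]


def external_access(events: List[Event]) -> List[Event]:
    """External access: successful logins whose source address is not internal."""
    return [e for e in events if e.outcome == "success" and e.src_ip and is_external(e.src_ip)]


def failed_login_sources(events: List[Event], threshold: int = 3) -> Counter:
    """Sources with at least `threshold` failed logins, the usual prelude to the above."""
    counts = Counter(e.src_ip for e in events if e.outcome == "failure" and e.src_ip)
    return Counter({ip: n for ip, n in counts.items() if n >= threshold})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in resource_access(evs):
        print("RESOURCE", e.ts, e.host, e.who, e.what)
    for e in external_access(evs):
        print("EXTERNAL", e.ts, e.host, e.who, e.what, "from", e.src_ip)
    for ip, n in failed_login_sources(evs).items():
        print("BRUTEFORCE?", ip, n, "failures")
```

Each detection needs a different field to be present: the sudo line supplies the "what" (the command and file), the sshd lines supply the "where" (source address). That is the point of the answer above: decide the detection first, then confirm the log you plan to centralize actually carries the field it depends on.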
This is far too general a question.
You should already know which logs you need to feed into splunk. What logs do you search through by hand when looking for security events? Those are the ones you need to feed into splunk.