CyberOpsSec

Just another cybersecurity site
Auditing

Before you start logging you will need proper auditing in place on your Windows and Linux machines. You also need to figure out which regulatory compliance frameworks you have to follow. Netikus has built an excellent page for checking your auditing settings against the different frameworks: Audit Policy Compliance Validator.

The first preparation step is set via GPO: raise the maximum size of the Security log, and make the machines use the “Advanced Audit Configuration” (per-subcategory settings) instead of the legacy category-level audit policy. The second path below is where the Security Option “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” lives.

GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log

GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options

These are some other recommended settings, so that the full command lines typed at the command prompt and in PowerShell end up in the logs (EDR solutions will also capture this information without any GPO involved):

GPO -> Computer Configuration -> Policies -> Admin Templates -> System -> Audit Process Creation

Optional: this area can also be used to set the maximum log file size for the Application, Security, and System logs if needed. GPO -> Computer Configuration -> Policies -> Admin Templates -> Windows Components -> Event Log Service

GPO -> Computer Configuration -> Policies -> Admin Templates -> Windows Components -> Windows PowerShell

To set up auditing in a Windows environment you should apply the settings via GPO. I would recommend 3-4 policies: one each for domain controllers, servers, and workstations. GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Auditing -> Audit Policies. You can add a fine-tuned auditing policy for file shares and apply it via GPO with a security filter that targets the computer accounts in a security group. I have created an Excel spreadsheet with a tab for each policy that might need to be created.

Auditing (Download)

Extra Auditing Steps

To audit registry keys for logging purposes you need to modify the SACLs on the specific keys, which can be pushed out via GPO. GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry. Example: if I wanted to see whether someone creates, sets, or deletes a value under CurrentVersion\Run, I would add an entry for the CurrentVersion\Run key there and audit the create, set, and delete operations on it.
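Once the GPOs above have applied, it helps to read the effective settings back on a machine rather than trusting the policy report. The following PowerShell check is an added example, not code from the original page or its spreadsheet; it assumes the registry value names those policies write, the HKLM CurrentVersion\Run key as the audited key, and a constructed 1 GB threshold for the Security log. Run it from an elevated prompt, since reading a SACL needs SeSecurityPrivilege.

```powershell
# Added example: verify the auditing settings described on this page on the local machine.
$checks = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy never applied).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Security log size (Event Log GPO). 1 GB is a constructed example threshold.
$sec   = Get-WinEvent -ListLog Security
$maxMB = [math]::Round($sec.MaximumSizeInBytes / 1MB)
Add-Check 'Security log max size >= 1 GB' ($maxMB -ge 1024) "$maxMB MB"

# 2. Advanced audit configuration overrides legacy categories (Security Options GPO).
$force = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SCENoApplyLegacyAuditPolicy'
Add-Check 'Force subcategory settings to override' ($force -eq 1) "SCENoApplyLegacyAuditPolicy=$force"

# 3. Process Creation is audited and 4688 events carry the command line.
$pc = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
Add-Check 'Audit Process Creation (success)' ($pc.'Inclusion Setting' -match 'Success') $pc.'Inclusion Setting'
$cmd = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
Add-Check 'Command line in 4688 events' ($cmd -eq 1) "ProcessCreationIncludeCmdLine_Enabled=$cmd"

# 4. PowerShell script block and module logging (Windows PowerShell GPO).
$sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
Add-Check 'PowerShell script block logging' ($sbl -eq 1) "EnableScriptBlockLogging=$sbl"
$mod = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging'
Add-Check 'PowerShell module logging' ($mod -eq 1) "EnableModuleLogging=$mod"

# 5. SACL on the Run key (Registry GPO): assumed to be the HKLM Run key. Does at least one
#    audit ACE cover Set Value, Create Subkey and Delete for successful operations?
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$sacl    = @((Get-Acl -Path $runKey -Audit).Audit)
$wanted  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$covered = $sacl | Where-Object {
    (($_.RegistryRights -band $wanted) -eq $wanted) -and ($_.AuditFlags -match 'Success')
}
Add-Check 'SACL on CurrentVersion\Run' ([bool]$covered) "$($sacl.Count) audit ACE(s) present"

$checks | Format-Table -AutoSize
```

Any row showing Ok = False points at a GPO that has not applied or was scoped to the wrong OU; re-run after `gpupdate /force` before changing the policy itself.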

For Linux systems you should visit the Syslog page.


©2025 CyberOpsSec | WordPress Theme by SuperbThemes