Things to log and audit on an end-user workstation:
- Logins/Logouts
- Using privileged commands
- Starting apps/sessions
- Successful Export to removable media
- Unauthorized access attempts (security logs in event viewer)
- Attempts to access secure objects
- Changes to rights and permissions
- System startup and shutdown
