I put a post together here that talks a little about tracking windows events. There is more I have behind that with posts on the pipeline and rules I am using, some of which is searchable in the forums.
The Windows Ultimate Security Encyclopedia is a good place to start for what to look for in EventIDs. They have a cheat sheet you can pick up there that has some core EventIDs to watch.
I use the Beats log shipper on Windows and there are some things you can do to exclude or remove data/messages before the message gets shipped to Graylog. NXlog does that too… I am unfamiliar with it though.
That’s a start - ask any question you want - likely best to start new questions when appropriate so the solutions are searchable for future users.
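As an added illustration of the two points above (collecting a short list of core EventIDs and dropping noise before it reaches Graylog), here is a Winlogbeat configuration. It is an example written for this thread, not the poster's own config or anything from the Graylog project. The event IDs listed are commonly watched ones (logon success/failure, process creation, account and group changes, audit log cleared, service installation), not the contents of the cheat sheet the post mentions; the Graylog hostname and the machine-account drop rule are assumptions for the example.

```yaml
# winlogbeat.yml - added example, not the original poster's configuration.
# Collect only the Security/System events you intend to alert on, then drop
# known-noisy records on the host so they never reach Graylog.

winlogbeat.event_logs:
  - name: Security
    # Include list: only these IDs are shipped from the Security log.
    # 4624/4625 logon success/failure, 4688 process creation,
    # 4720 user created, 4728/4732 user added to a group, 1102 audit log cleared.
    event_id: 4624, 4625, 4688, 4720, 4728, 4732, 1102
    ignore_older: 72h
  - name: System
    # 7045: a new service was installed (common persistence indicator).
    event_id: 7045

processors:
  # Drop network logons by machine accounts (names ending in "$").
  # Assumption for this example: those are noise in this environment;
  # review that before copying the rule into a real deployment.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: "4624"
          - regexp:
              winlog.event_data.TargetUserName: '\$$'
  # Remove fields that add volume without analytic value.
  - drop_fields:
      fields: ["winlog.process", "winlog.opcode"]
      ignore_missing: true

# Graylog's Beats input speaks the Logstash protocol; 5044 is the default port.
# Hostname is a placeholder.
output.logstash:
  hosts: ["graylog.example.internal:5044"]
```

The include list in `event_id` and the `drop_event` processor do the same job at different granularity: the first selects whole event IDs, the second filters on individual field values, so a rule that would otherwise be written in Graylog can run on the host instead and save ingest volume.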