To answer a couple of questions (Thanks for translating @gsmith )
- TCP and UDP are both available because some devices will only do one of those. UDP is faster communication because it doesn’t ensure that data packets get to the destination… so there is a small chance you might lose bits of info in network hiccups, but that is only relevant in large/rare situations… I would say prefer TCP, but it doesn’t matter too much.
- You can find all sorts of info in the community by searching; there is a great section here that is starting to grow snippets of information, such as Winlogbeat to capture Windows account locking.
- You can find some great detail on key Windows log information here. They also have a full encyclopedia.
- Graylog maintains a preferred schema of naming conventions etc., but you can follow it as you are parsing out messages to make sure you have data consistency for everything that you are pulling in.