That's a very broad question with no easy answer. Usually security detection devices and software systems will correlate different logs from different sources to find potential threats, but there's not really an exact science, one-size-fits-all solution or answer.
For example, logging failed login attempts to a server or domain user account or any other device that logs authorization messages doesn't really tell you much. Some people only log the failed attempts, but that won't tell you if an attacker actually succeeds in logging in. So you have to do two things... First, you need to have a time-frame context for the failed login attempts and you have to cache them so that you also begin looking for successful login attempts to the same device/account. That would throw up a red flag if Suzy from Accounting was trying to log in at 3am, failed 4 or 5 times and then succeeded, but if it happened at 2pm, you'd have to ask Suzy if she forgot her password.
It's the same kind of thing with any other log. Browsing the internet and downloading software may be malicious, or may be a normal course of business for one department or another.
Kiwi out of the box isn't a security detection solution. Forensically, if you're logging everything and you know what you're looking for you can find things after the fact, but if you don't even know where to start, this is not the solution you are looking for in regards to intrusion detection. It's an amazingly versatile and powerful log collector that has the potential to be configured for more, but I wouldn't use it as my sole intrusion detection solution. Solarwinds has much better offerings for log correlation.
To answer your question though, what to log to see what they have done? Everything. Default logging on your ASA or other firewall device may not be enough, for example. Configuration changes weren't logged right out of the box when I got my first 5510, so I could tell when admins were logging in, but not what they were changing without adjusting the logging options.