Just to comment on the logging part of your post....
Whenever I do a new install for a customer, I intentionally get them started by logging everything. Literally, set the Event filtering off. Then use the sudden and painful tidal wave of data to demonstrate how to write queries to purge event data and why or why not filtering certain events out completely would be a bad idea.
Most customers ultimately decide that they can write a few queries to handle the chatty informational events like 'service started' and 'scan completed'. It is generally much better to let customers determine what their comfort level is regarding purging/filtering data. There is no blanket rule for this.
In general, low-severity events wind up being purged at an interval long enough to allow troubleshooting. Sometimes just a few days or a week. Then from there it's a question of what the database server can handle. If you do incremental backup daily, and do a weekly full backup\rebuild\reindex then you should be in fairly good shape.
Oh yeah! And of course, please consider all company policies and government-mandated logging requirements for the retention of data regarding security incidents.