This video @ 1:20 shows an example of configuring Active Directory with LEM - [VIDEO] How To Use Log and Event Manager to Alert on Unauthorized Access - it's about something else before/after that, but it does show an example. The easiest way is to use the Getting Started widget tools from Ops Center to configure basic settings, which includes the active directory connection. Then, from Build>Groups, you can select the groups you want to use in LEM. Theeeeen, from Build>Rules you can use these groups in rules, to do something like:
UserLogon.DestinationAccount = <domain admins>
and
UserLogon.LogonType = *interactive* (if you only want to see interactive or remote desktop logons, not network or service logons - if you want to see everything you can leave this off)
To create a local logons rule, the easiest thing to do is to look for logons not to your domain/domains. For example:
UserLogon.DestinationDomain <> <your domain>
and
UserLogon.LogonType = *interactive* (to only see interactive logons)
You shouldn't need to refine by the Event ID, but you can always use the ProviderSID field if you need to.