One struggle I have is what type of alert to use (incidents and/or email notification). We have seen occasions where auditors see the incident but ask if an email also went out.
Requirements are a good indicator of what to monitor (i.e. PCI). As far as non-agent devices, definitely try to capture admin activity. The syslog docs have the logs grouped to assist.