Based on our Template Connector Profile for Windows Server 2008/2012 with the DC role, I'd suggest you set up these connectors at a minimum for your DCs:
The other part of this is going to be, what are you auditing?
On your Domain Controllers, open a command prompt (and assuming you're on 2K8 or 2K12) enter this command:
auditpol /get /category:*
If it returns a lot of "No auditing" then your policy isn't set to generate events for a lot of things. At the least, you probably want to look at:
auditpol /get /category:"Account Logon"
auditpol /get /category:"DS Access"
auditpol /get /category:"Logon/Logoff"
To see if you're even capturing the events you want to see in the LEM.