If logs have NG as the result of password authentication (action: 01, 02, 11), items protected by passwords may have been attacked.
Failed password authentication (NG) log entries specify who made the operation, and show if unauthorized actions were made when password authentication failed.
Even if password authentication succeeded (OK), you may need to check whether a legitimate user created the action. Careful check is recommended especially when successful authentication occurs after series of failures, or for those made during times other than normal operating hours.