1) To generate logs, enable logging on the logging tab on the sensor in CSPM. Once you push this configuration change out to the sensor, you will subsequently see the logging daemon running when you do an nrstatus. This information is essentially a text version of what you see in the event viewer.
2) You can also enable "ip logging" on specific signatures. This is essentially a hex dump of 15 minutes (by default) of all the traffic generated for a particular alarm from a particular source. So, if you know that you are receiving a particular attack, you can enable ip logging for that particular signature. The output from the ip loging can be viewed using a freeware sniffer program called "ethereal." CAUTION: Use iplogging judiciously! There is a tendency to enable it for a large number of signatures (hey, I don't want anyone attacking me anytime and if they do, I'm going to get the info and bust them!) . If you enable it carelessly, you may end up collecting so many logs in a short period of time that the automated file archiving daemon (sapd) on the sensor can't keep up.
3) What the folks want at abuse@whatever.com may vary somewhat. You should be able to find out exactly what they want by asking them.
HTH
Jeff