I have created several Audits in the past, using the SQL Server Audit feature in v2008 forward, but never for auditing login activity. All I need to do is audit who is coming in with the 'sa' account. I do not care about sysadmin, I am explicitly looking for 'sa' logins. I just want to know when it is being done, and from which hostname.
It is v2012. Is there a way to use a filter in the specification, to only track the success/failures for the 'sa' login ?
CREATE SERVER AUDIT SPECIFICATION audit_spec_name
FOR SERVER AUDIT [auditname]