Ensuring that the SQL Server Audit is set to capture both the failed and the successful logins

SQL Server Audit is capable of capturing both the failed and the successful logins and writing them to one of the three places: the application event log, the security event log, or the file system. Use the SQL server audit option to capture any login attempt to the SQL Server, as well as any attempts to change the audit policy. This also serves to be a second source to the record failed login attempts.

Execute a code similar to:

 CREATE SERVER AUDIT TrackLogins 
            TO APPLICATION_LOG; 
            GO 
            CREATE SERVER AUDIT SPECIFICATION TrackAllLogins 
            FOR SERVER AUDIT TrackLogins 
            ADD (FAILED_LOGIN_GROUP), 
            ADD (SUCCESSFUL_LOGIN_GROUP), 
            ADD (AUDIT_CHANGE_GROUP) 
            WITH (STATE = ON); 
            GO 
            ALTER SERVER AUDIT TrackLogins 
            WITH (STATE = ON); 
            GO