I'm wondering if anyone has tried to set up auditing on databases that are particularly active, and generate a lot of extraneous information in the normal operation of the application. For example, the 'sa' account may be used by the application to create and drop tables, move data around, generating tens of thousands of records in the process. It may also act on behalf of the user, effectively masking who was doing what.
I'm curious what products may have been used, and what kind of filtering you apply. I'm even curious who may have segregated duties to lessen the requirement for monitoring.
The way we've set up auditing is to create a local Windows group, put the global group (which has all the domain users) in it, and grant the local group execute permission on the SPs.
Then create triggers on the table to capture the users. This has worked fine for us.
Hope this helps
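
The setup described in the reply above, as an added T-SQL example that is not from either poster. The server name APPSRV01, the group AppUsers, the table dbo.Orders (with an int key OrderId) and the procedure dbo.usp_UpdateOrder are assumptions, and it assumes SQL Server 2008 or later.

```sql
-- All object names below are hypothetical; substitute your own.

-- 1. Map the local Windows group (which contains the domain global group)
--    to a server login and a database user.
CREATE LOGIN [APPSRV01\AppUsers] FROM WINDOWS;
GO
CREATE USER [APPSRV01\AppUsers] FOR LOGIN [APPSRV01\AppUsers];
GO

-- 2. Group members get EXECUTE on the stored procedure only,
--    with no direct rights on the underlying table.
GRANT EXECUTE ON OBJECT::dbo.usp_UpdateOrder TO [APPSRV01\AppUsers];
GO

-- 3. Audit table: one row per changed row, with who, from where and when.
CREATE TABLE dbo.Orders_Audit (
    AuditId    bigint IDENTITY(1,1) PRIMARY KEY,
    OrderId    int           NOT NULL,
    ChangeType char(1)       NOT NULL,   -- I = insert, U = update, D = delete
    LoginName  sysname       NOT NULL,
    HostName   nvarchar(128) NULL,
    AppName    nvarchar(128) NULL,
    ChangedAt  datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- 4. Trigger that captures the connecting user for every change.
CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- ORIGINAL_LOGIN() returns the login that opened the session, so it is
    -- not altered by EXECUTE AS inside the procedure. For a user admitted
    -- through a Windows group it is the individual's own account name.
    INSERT INTO dbo.Orders_Audit (OrderId, ChangeType, LoginName, HostName, AppName)
    SELECT COALESCE(i.OrderId, d.OrderId),
           CASE WHEN i.OrderId IS NOT NULL AND d.OrderId IS NOT NULL THEN 'U'
                WHEN i.OrderId IS NOT NULL THEN 'I'
                ELSE 'D' END,
           ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME()
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.OrderId = i.OrderId;
END;
GO
```

The trigger identifies an individual only when users connect under their own Windows identity; when the application connects with a shared login such as 'sa', every audit row carries that login. HOST_NAME() and APP_NAME() are supplied by the client and are useful context rather than trustworthy evidence.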