When you create a server audit, one of the things that might surprise you is that the audit doesn’t record data. So you create an audit for failed logins, as I did recently. You then log in:
Using a bad password will get you this:
When you check the logs, you see:
What’s wrong? By default, when you create an audit, it isn’t enabled, so no data gets logged. You can enable it easily:
And then when you have a failed login:
You’ll find data in the logs:
It’s a small detail, but one you want to keep in mind as you create audits. Be sure that they are enabled before you walk away from your production systems.
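The sequence described above as T-SQL, as an added example that is not the original post's code. The audit name, specification name and file path are hypothetical; the script also enables the server audit specification, which is likewise created with its state off.

```sql
-- Added example. FailedLoginAudit, FailedLoginSpec and C:\SQLAudit\ are
-- hypothetical names; the target directory must already exist.
USE master;
GO

-- 1. Create the audit and a specification that captures failed logins.
--    Both objects are created in the disabled state.
CREATE SERVER AUDIT [FailedLoginAudit]
TO FILE (FILEPATH = N'C:\SQLAudit\');
GO

CREATE SERVER AUDIT SPECIFICATION [FailedLoginSpec]
FOR SERVER AUDIT [FailedLoginAudit]
ADD (FAILED_LOGIN_GROUP);
GO

-- 2. Check the state. is_state_enabled = 0 means nothing is being recorded.
--    Run this before leaving a production system.
SELECT a.name             AS audit_name,
       a.is_state_enabled AS audit_enabled,
       s.name             AS spec_name,
       s.is_state_enabled AS spec_enabled
FROM sys.server_audits AS a
LEFT JOIN sys.server_audit_specifications AS s
       ON s.audit_guid = a.audit_guid;
GO

-- 3. Enable the audit, then the specification bound to it.
ALTER SERVER AUDIT [FailedLoginAudit] WITH (STATE = ON);
ALTER SERVER AUDIT SPECIFICATION [FailedLoginSpec] WITH (STATE = ON);
GO

-- 4. After a failed login attempt, read the audit file.
--    LGIF is the action_id recorded for a failed login.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\FailedLoginAudit*.sqlaudit',
                           DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
ORDER BY event_time DESC;
GO
```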