how do you detect what (site/service/stored procedure) is making call to SQL Server 2005 using the sa login?

i was just wonderi开发者_高级运维ng if anybody knows how to detect what is calling the sa login on my sql server 2005. I have a stack of websites and i swear i configured these with a different user id and password but my event viewer logs tell me that something is constantly trying to login using the sa credentials. Any help would be appreciated.

run profiler, create a new trace, use event audit login and audit login failed you can filter for username sa if you want

see image below

See also this post by onpnt: To SA or not to SA

you could also use a Logon Trigger but that will only fire if the authentication is succesful

If they are successfully connected then you can look in sys.dm_exec_connections, this will at least tell you the client_net_address (IP address as reported to Windows). You can also look at PROGRAM_NAME and HOST_NAME in sys.dm_exec_sessions, but be aware that these are not necessarily populated, and are easy to spoof.