Create database permission is logged to the Audit log when you run RESTORE VERIFYONLY
This article provides more information on why a CREATE DATABASE event can be logged when server audit is specified on a SQL Server instance.
Original product version: Microsoft SQL Server 2014, SQL Server 2016, SQL Server 2017 on Linux, SQL Server 2017 on Windows
Original KB number: 4502458
Symptoms
Assume that you set up a SQL Server audit to have a server audit specification that uses the DATABASE_CHANGE_GROUP event. When a user runs RESTORE VERIFYONLY on a database backup file, the CREATE DATABASE permission is logged to the Audit log.
Cause
The CREATE DATABASE permission is required to run RESTORE VERIFYONLY. When that permission is checked, a corresponding event is logged to the Audit log for the DATABASE_CHANGE_GROUP audit specification.
Workaround
To work around this issue, use a query such as the following to filter the Audit log records that are related to running RESTORE VERIFYONLY:
select * from fn_get_audit_file('C:\path\to\file.sqlaudit', default, default) where statement NOT LIKE '%RESTORE VERIFYONLY%'
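The scenario from Symptoms and the workaround filter, put together as an added example (not part of the original article). The audit name, specification name, and all file paths are placeholders chosen for illustration. The filter keeps rows whose statement is NULL, which a bare NOT LIKE would silently drop, and a second query lists the excluded rows so they can still be reviewed.

```sql
-- Added example: names and paths below are placeholders, not values from the article.
USE master;
GO

-- Server audit that writes to a file target.
CREATE SERVER AUDIT [Audit_Example]
    TO FILE (FILEPATH = 'C:\path\to\');
GO
ALTER SERVER AUDIT [Audit_Example] WITH (STATE = ON);
GO

-- Server audit specification that uses the DATABASE_CHANGE_GROUP event.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Example]
    FOR SERVER AUDIT [Audit_Example]
    ADD (DATABASE_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Verifying a backup checks the CREATE DATABASE permission,
-- which produces the audit record described in this article.
RESTORE VERIFYONLY FROM DISK = 'C:\path\to\backup.bak';
GO

-- Audit records with the RESTORE VERIFYONLY entries filtered out.
-- "statement IS NULL OR" is needed because NULL NOT LIKE '...' evaluates
-- to UNKNOWN, so records without statement text would otherwise be lost.
SELECT event_time, action_id, class_type, succeeded,
       server_principal_name, database_name, statement
FROM sys.fn_get_audit_file('C:\path\to\*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement IS NULL
   OR statement NOT LIKE '%RESTORE VERIFYONLY%'
ORDER BY event_time;

-- The excluded records, kept reviewable: who ran RESTORE VERIFYONLY and when.
SELECT event_time, server_principal_name, succeeded, statement
FROM sys.fn_get_audit_file('C:\path\to\*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement LIKE '%RESTORE VERIFYONLY%'
ORDER BY event_time;
```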