This article provides more information on why a CREATE DATABASE event can be logged when server audit is specified on a SQL Server instance.
Original product version: Microsoft SQL Server 2014, SQL Server 2016, SQL Server 2017 on Linux, SQL Server 2017 on Windows
Original KB number: 4502458
Symptoms
Assume that you set up a SQL Server audit to have a server audit specification that uses the DATABASE_CHANGE_GROUP event. When a user runs RESTORE VERIFYONLY on a database backup file, the CREATE DATABASE permission is logged to the Audit log.
Cause
The CREATE DATABASE permission is required to run RESTORE VERIFYONLY. When that permission is checked, a corresponding event is logged to the Audit log for the DATABASE_CHANGE_GROUP audit specification.
Workaround
To work around this issue, use a query such as the following to filter the Audit log records that are related to running RESTORE VERIFYONLY:
SELECT *
FROM sys.fn_get_audit_file('C:\path\to\file.sqlaudit', DEFAULT, DEFAULT)
WHERE statement NOT LIKE '%RESTORE VERIFYONLY%';
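The following is an added example, not part of the original article. It extends the workaround in two ways: it keeps audit records whose statement column is NULL, which a bare NOT LIKE predicate drops, and it summarizes the suppressed RESTORE VERIFYONLY records per login so they can still be reviewed. The file path is the article's placeholder, and the variable name and column aliases are chosen for this illustration.

```sql
-- Added example. The path is the placeholder used in the article;
-- @audit_file and the column aliases are illustrative names.
DECLARE @audit_file nvarchar(260) = N'C:\path\to\file.sqlaudit';

-- 1) Audit records with the RESTORE VERIFYONLY entries filtered out.
--    The statement column is nullable, and NULL NOT LIKE '...' evaluates
--    to UNKNOWN, so the IS NULL branch keeps records without statement text.
SELECT event_time,
       action_id,
       class_type,
       succeeded,
       session_server_principal_name,
       database_name,
       statement
FROM sys.fn_get_audit_file(@audit_file, DEFAULT, DEFAULT)
WHERE statement IS NULL
   OR statement NOT LIKE N'%RESTORE VERIFYONLY%'
ORDER BY event_time;

-- 2) The records excluded above, summarized per login, so the filter
--    does not hide who ran RESTORE VERIFYONLY or when.
SELECT session_server_principal_name,
       COUNT(*)        AS suppressed_events,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_file, DEFAULT, DEFAULT)
WHERE statement LIKE N'%RESTORE VERIFYONLY%'
GROUP BY session_server_principal_name
ORDER BY suppressed_events DESC;
```

The filter matches on statement text only, so any audited statement that contains the string RESTORE VERIFYONLY, including inside a comment, is moved from the first result set to the second.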