Tracing Table Changes in Oracle When Auditing Is Not Enabled


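The head of the operations team called to say they had found that tens of thousands of business transactions had been pushed a second time, and that this was the third such occurrence. The problem was fairly serious, and they wanted to trace who had made the mistaken operation. They had the time window and the tables involved, and asked whether there was any way to trace it.

The database version is 10.2.0.4. My first thought was the audit feature, but unfortunately auditing was not enabled on the database. My next thought was log mining (LogMiner), but I was not sure whether it could identify the user and host behind the operation. I raised the question in a QQ group and was told that it could; I also found the corresponding SESSION_INFO column of v$logmnr_contents in the official documentation: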

[Screenshot: description of the SESSION_INFO column in the v$logmnr_contents documentation]

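As the information above shows, the user and host information associated with an executed SQL statement can be traced.

Below is a simple test. For basic LogMiner usage, see: http://www.jb51.cc/article/p-xnhhjtoq-xe.html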

SQL> exec dbms_logmnr.add_logfile(LOGFILENAME=>'/u01/app/oracle/flashback_area/MYDB/archivelog/2017_04_21/o1_mf_1_4_dhn2m29n_.arc', OPTIONS=>dbms_logmnr.new);

PL/SQL procedure successfully completed.

SQL> exec dbms_logmnr.start_logmnr(DICTFILENAME=>'/home/oracle/logminer/dictionary.ora');

PL/SQL procedure successfully completed.

SQL> col table_name for a10
SQL> col session_info for a180
SQL> set linesize 200
SQL> select table_name, session_info from v$logmnr_contents where table_name='T1' and rownum<5;

TABLE_NAME SESSION_INFO
---------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
T1         login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 OS_program_name=sqlplus@rhel5 (TNS V1-V3)
T1         login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 OS_program_name=sqlplus@rhel5 (TNS V1-V3)
T1         login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 OS_program_name=sqlplus@rhel5 (TNS V1-V3)
T1         login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 OS_program_name=sqlplus@rhel5 (TNS V1-V3)

The query above shows that user and host information can be mined from the logs.
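The test above reads only four rows from a single log. For an incident like the one described, the mining session would be limited to the reported time window and the result grouped by session identity. The following is an added example, not code from the original article; the second log file name, the time window and the table name logmnr_t1_evidence are assumptions.

```sql
-- Added example, not the article's code. The second log file name, the time
-- window and the table name logmnr_t1_evidence are assumptions/placeholders.
-- Constructed incident window:
DEFINE win_start = '2017-04-21 09:00:00'
DEFINE win_end   = '2017-04-21 12:00:00'

-- 1. Register every archived log that covers the window (NEW, then ADDFILE).
BEGIN
  dbms_logmnr.add_logfile(
    LOGFILENAME => '/u01/app/oracle/flashback_area/MYDB/archivelog/2017_04_21/o1_mf_1_4_dhn2m29n_.arc',
    OPTIONS     => dbms_logmnr.new);
  dbms_logmnr.add_logfile(
    LOGFILENAME => '<next_archived_log_in_window>',
    OPTIONS     => dbms_logmnr.addfile);
END;
/

-- 2. Mine only the reported time window.
BEGIN
  dbms_logmnr.start_logmnr(
    DICTFILENAME => '/home/oracle/logminer/dictionary.ora',
    STARTTIME    => TO_DATE('&win_start', 'YYYY-MM-DD HH24:MI:SS'),
    ENDTIME      => TO_DATE('&win_end',   'YYYY-MM-DD HH24:MI:SS'));
END;
/

-- 3. v$logmnr_contents is visible only to the session that started LogMiner,
--    so copy the relevant rows into a table before ending the session.
CREATE TABLE logmnr_t1_evidence AS
SELECT scn, timestamp AS change_time, seg_owner, table_name,
       username, session_info, operation, sql_redo, sql_undo
  FROM v$logmnr_contents
 WHERE table_name = 'T1'
   AND operation IN ('INSERT', 'UPDATE', 'DELETE');

-- 4. Who changed T1, from which host and program, and how many rows.
SELECT username, session_info, operation, COUNT(*) AS changes,
       MIN(change_time) AS first_seen, MAX(change_time) AS last_seen
  FROM logmnr_t1_evidence
 GROUP BY username, session_info, operation
 ORDER BY changes DESC;

-- 5. Release the mining session.
EXEC dbms_logmnr.end_logmnr;
```

Rows where username or session_info come back empty or UNKNOWN usually mean the logs from the start of that session were not added in step 1.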


v$logmnr_contents: http://docs.oracle.com/cd/B19306_01/server.102/b14237/dynviews_1154.htm#REFRN30132

LogMiner: http://docs.oracle.com/cd/B19306_01/server.102/b14215/logminer.htm#sthref1875


If USERNAME and SESSION_INFO turn out to be NULL or UNKNOWN, refer to the following:

Column USERNAME And SESSION_INFO Are UNKNOWN Or NULL In V$LOGMNR_CONTENTS (Doc ID 110301.1)

CAUSE

  1. If supplemental logging was not active at the time when the redo records were created, then LogMiner won't be able to obtain all the required information. The Oracle Database Utilities manual mentions:

    By default, Oracle Database does not provide any supplemental logging, which means that by default LogMiner is not usable. Therefore, you must enable at least minimal supplemental logging prior to generating log files which will be analyzed by LogMiner.

    So, we have to enable supplemental logging by using a SQL statement similar to the following:

    SQL> CONNECT / AS SYSDBA
    SQL> ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;


    Then the information necessary to populate the USERNAME and SESSION_INFO columns will be stored in the redo stream.

  2. The redo stream does not contain the USERNAME and SESSION_INFO data for every transaction. This information is only stored for the first transaction executed in the user's session. So in order to be able to see this information in V$LOGMNR_CONTENTS, all the redo generated during the entire session must be added to the mining session. Should this not be done, then the USERNAME and SESSION_INFO columns will remain empty.

  3. LogMiner was first available in Oracle8i. If the COMPATIBLE instance parameter is set to a value lower than 8.1.0 you will not have access to its full functionality.

  4. In Oracle9i and lower releases of Oracle, the TRANSACTION_AUDITING instance parameter is set to TRUE by default. This causes the generation of a redo record containing the user logon name, username, session ID, and some operating system and client information. For each successive transaction in the session, Oracle will store only the session ID. These session IDs are linked back to the first record to retrieve user and session information.

    When TRANSACTION_AUDITING is set to FALSE, this redo record is not written and the user information is not available to LogMiner.

SOLUTION

This can result from your database parameter settings and also from the method you are using to mine redo logs using LogMiner.

  1. Ensure that database was in minimum supplemental logging at the time that the redo information was created:

    SQL> SELECT name, supplemental_log_data_min FROM v$database;

    NAME                           SUPPLEME
    ------------------------------ --------
    M10202WA                       YES

  2. Ensure that all archive redo logs containing the necessary redo information have been added to the LogMiner session.

  3. Ensure that the COMPATIBLE initialization parameter is set to 8.1.0 or higher.

    SQL> show parameter compatible

    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ----------
    compatible                           string      10.2.0.2.0

  4. For Oracle8i and Oracle9i only: ensure that the TRANSACTION_AUDITING instance parameter is set to TRUE (default).

    SQL> show parameter transaction_auditing

    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ----------
    transaction_auditing                 boolean     TRUE
