Oracle未開啟審計情況下追蹤表變更記錄

標籤：oracle 審計

營運組的老大打電話說，他們發現有幾萬筆業務被重新推送了一遍，而且是第三次了，問題還是挺嚴重的，想要追蹤是誰做的誤操作，他們有時間段和涉及的表，問有沒有辦法追蹤到。

資料庫版本為10.2.0.4。首先想到的是審計功能，但是無奈資料庫沒有開審計。再次想到的是日誌挖掘(LogMiner)，但是不確定能不能找到對應操作的使用者和主機。在QQ群裡提出了這個問題，得到的答案是可以找到，同時也在官方文檔中找到了v$logmnr_contents中對就的SESSION_INFO欄位：

650) this.width=650;" src="https://s4.51cto.com/wyfs02/M01/92/08/wKiom1j6tL3yvSJRAAFboRbAd2k773.png" title="1.png" alt="wKiom1j6tL3yvSJRAAFboRbAd2k773.png" />從上面給出的資訊可以看出，可以跟蹤到執行sql時對應的使用者和主機資訊。

下面做一個簡單的測試，關於LogMiner的簡單應用參考：http://hbxztc.blog.51cto.com/1587495/1871934

SQL> exec dbms_logmnr.add_logfile(LOGFILENAME=>‘/u01/app/oracle/flashback_area/MYDB/archivelog/2017_04_21/o1_mf_1_4_dhn2m29n_.arc‘,OPTIONS=>dbms_logmnr.new);PL/SQL procedure successfully completed.SQL> exec dbms_logmnr.start_logmnr(DICTFILENAME=>‘/home/oracle/logminer/dictionary.ora‘);PL/SQL procedure successfully completed.SQL> col table_name for a10 SQL> col session_info for a180SQL> set linesize 200SQL> select table_name,session_info from v$logmnr_contents where table_name=‘T1‘ and rownum < 5;TABLE_NAME SESSION_INFO---------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------T1   login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 [email protected] (TNS V1-V3)T1   login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 [email protected] (TNS V1-V3)T1   login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 [email protected] (TNS V1-V3)T1   login_username=ZX client_info= OS_username=oracle Machine_name=rhel5 OS_terminal=pts/0 OS_process_id=2596 [email protected] (TNS V1-V3)

從上面的查詢可以看出可以從日誌中挖掘出使用者和主機資訊。

v$logmnr_contents:http://docs.oracle.com/cd/B19306_01/server.102/b14237/dynviews_1154.htm#REFRN30132

LogMiner:http://docs.oracle.com/cd/B19306_01/server.102/b14215/logminer.htm#sthref1875

如果遇到USERNAME和SESSION_INFO為NULL或UNKNOWN參考如下：

Column USERNAME And SESSION_INFO Are UNKNOWN Or NULL In V$LOGMNR_CONTENTS (文檔 ID 110301.1)

CAUSE

1. If supplemental logging was not active at the time when the redo records were created, then LogMiner won‘t be able to obtain all the required information. The Oracle Database Utilities manual mentions:
   

   By default, Oracle Database does not provide any supplemental logging, which means that by default LogMiner is not usable. Therefore, you must enable at least minimal supplemental logging prior to generating log files which will be analyzed by LogMiner.

   So, we have to enable supplemental logging by using a SQL statement similar to the following:
   

   SQL> CONNECT / AS SYSDBA
   SQL> ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;

   
   Then the information necessary to populate the USERNAME and SESSION_INFO columns will be stored in the redo stream.
   
   

2. The redo stream does not contain the USERNAME and SESSION_INFO data for every transaction. This information is only stored for the first transaction executed in the user‘s session. So in order to be able to see this information in V$LOGMNR_CONTENTS, all the redo generated during the entire session must be added to the mining session. Should this not be done, then the USERNAME and SESSION_INFO columns will remain empty.
   
   

3. LogMiner was first available in Oracle8i. If the COMPATIBLE instance parameter is set to a value lower than 8.1.0 you will not have access to its full functionality.
   
   

4. In Oracle9i and lower releases of Oracle, the TRANSACTION_AUDITING instance parameter is set to TRUE by default. This causes the generation of a redo record containing the user logon name, username, session ID, and some operating system and client information. For each successive transaction in the session, Oracle will store only the session ID. These session IDs are linked back to the first record to retrieve user and session information.
   
   When TRANSACTION_AUDITING is set to FALSE, this redo record is not written and the user information is not available to LogMiner.

SOLUTION

This can result from your database parameter settings and also from the method you are using to mine redo logs using LogMiner.

1. Ensure that database was in minimum supplemental logging at the time that the redo information was created:
   

   SQL> SELECT name, supplemental_log_data_min FROM v$database;
   
   NAME                           SUPPLEME
   ------------------------------ --------
   M10202WA                       YES

2. Ensure that all archive redo logs containing the necessary redo information have been added to the LogMiner session.
   
   

3. Ensure that the COMPATIBLE initialization parameter is set to 8.1.0 or higher.
   

   SQL> show parameter compatible
   
   NAME                                 TYPE        VALUE
   ------------------------------------ ----------- ----------
   compatible                           string      10.2.0.2.0

4. For Oracle8i and Oracle9i only: ensure that the TRANSACTION_AUDITING instance parameter is set to TRUE (default).
   

   SQL> show parameter transaction_auditing
   
   NAME                                 TYPE        VALUE
   ------------------------------------ ----------- ----------
   transaction_auditing                 boolean     TRUE

本文出自 “DBA Fighting!” 部落格，請務必保留此出處http://hbxztc.blog.51cto.com/1587495/1918407

Oracle未開啟審計情況下追蹤表變更記錄