生产环境中考虑到数据库的性能问题,很少会打开数据的审计功能,应用层也不会记录SQL的执行信息;但是生产上经常会遇到某张表的某几条被修改掉,但是应用又查不到是哪个接口修改的记录,这时候Logminer 就派上用场了。
Logminer 8i之后的一款免费日志分析工具:通过分析在线日志文件或者归档日志文件,返回数据库DDL/DML操作语句、执行时间、用户等等可以追查的信息,快速定位问题。
使用Logminer 工具,数据库需要开启强制日志和归档模式
数据库配置
# 开启强制日志模式
# 查看当前数据库日志模式
SQL> SELECT supplemental_log_data_min, force_logging FROM v$database;
# 如果返回结果为NO,则
SQL> ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;
SQL> ALTER DATABASE FORCE LOGGING;
# 确认是否已经修改,输出为YES
SQL> SELECT supplemental_log_data_min, force_logging FROM v$database;
# 切换系统日志
SQL> ALTER SYSTEM SWITCH LOGFILE;
# 数据库处于归档模式
SQL> archive log list
Database log mode Archive Mode
Automatic archival Enabled
Archive destination USE_DB_RECOVERY_FILE_DEST
Oldest online log sequence 107
Next log sequence to archive 109
Current log sequence 109
# 默认归档日志路径
SQL> show parameter db_recover
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
db_recovery_file_dest string /u01/app/oracle/fast_recovery_area
db_recovery_file_dest_size big integer 4977M
# 若数据库处于非归档模式,则需要
# 干净的关闭掉数据库
SQL> shutdown immediate
# 打开至mount状态
SQL> startup mount
# 设置为归档模式
SQL> alter database archivelog;
# 开启数据库
SQL> alter database open;
Logminer 配置
# 首先安装 logminer 使用到的包,将创建用于分析的过程和视图
SQL> @$ORACLE_HOME/rdbms/admin/dbmslm.sql
SQL> @$ORACLE_HOME/rdbms/admin/dbmslmd.sql
# 参数配置,用于创建字典文件
SQL> show parameter utl
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
utl_file_dir string /u01/app/oracle/logminer
# 如果VALUE 为 NULL,那么需要在线修改并重启实例生效
SQL> alter system set utl_file_dir='/u01/app/oracle/logminer' scope=spfile;
# 创建字典文件
SQL> CREATE DIRECTORY utlfile AS '/u01/app/oracle/logminer';
SQL> EXECUTE dbms_logmnr_d.build(dictionary_filename => 'dictionary.ora', dictionary_location =>'/u01/app/oracle/logminer');
SQL> !ls /u01/app/oracle/logminer
dictionary.ora
对测试数据表进行操作
# 创建临时表
SQL> create table u_logminer.dba_objects as select * from all_objects;
# 更新操作
SQL> select status,owner,object_name from U_LOGMINER.dba_objects where owner = 'U_LOGMINER';
STATUS OWNER OBJECT_NAME
------- ------------------------------ --------------------
INVALID U_LOGMINER ALL_OBJECTS
INVALID U_LOGMINER ALL_OBJECTS
INVALID U_LOGMINER ALL_OBJECTS
INVALID U_LOGMINER ALL_OBJECTS
# update 更新
SQL> update U_LOGMINER.dba_objects set STATUS = 'VALID' where owner = 'U_LOGMINER';
4 rows updated.
SQL> commit;
Commit complete.
SQL> select status,owner,object_name from U_LOGMINER.dba_objects where owner = 'U_LOGMINER';
STATUS OWNER OBJECT_NAME
------- ------------------------------ --------------------
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
# insert 插入
SQL> insert into U_LOGMINER.dba_objects select * from dba_objects where owner = 'U_LOGMINER';
4 rows created.
SQL> commit;
Commit complete.
SQL> select status,owner,object_name from U_LOGMINER.dba_objects where owner = 'U_LOGMINER';
STATUS OWNER OBJECT_NAME
------- ------------------------------ --------------------
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
VALID U_LOGMINER ALL_OBJECTS
8 rows selected.
# delete 删除
SQL> delete from U_LOGMINER.dba_objects where owner = 'U_LOGMINER';
8 rows deleted.
SQL> commit;
Commit complete.
使用Logminer 分析归档日志
# 添加日志文件进行分析,第一个文件 dbms_logmnr.NEW,后面的文件dbms_logmnr.ADDFILE
SQL> BEGIN
2 dbms_logmnr.add_logfile(logfilename=>'/u01/app/oracle/fast_recovery_area/ORCL/archivelog/2017_08_19/o1_mf_1_106_dshlmn6r_.arc',options=>dbms_logmnr.NEW);
3 dbms_logmnr.add_logfile(logfilename=>'/u01/app/oracle/fast_recovery_area/ORCL/archivelog/2017_08_19/o1_mf_1_107_dshlmoo2_.arc',options=>dbms_logmnr.ADDFILE);
4 dbms_logmnr.add_logfile(logfilename=>'/u01/app/oracle/fast_recovery_area/ORCL/archivelog/2017_08_19/o1_mf_1_108_dshm5n1x_.arc',options=>dbms_logmnr.ADDFILE);
5 end;
6 /
PL/SQL procedure successfully completed.
# 开始分析,当前是完整分析日志文件的内容,可以操作时间、SCN等过滤需要分析的内容
SQL> EXECUTE dbms_logmnr.start_logmnr(dictfilename =>'/u01/app/oracle/logminer/dictionary.ora');
# 或者
SQL> EXECUTE dbms_logmnr.start_logmnr(DictFileName =>'/u01/app/oracle/logminer/dictionary.ora', StartTime =>to_date('2017-8-19 00:00:00','YYYY-MM-DD HH24:MI:SS'),EndTime =>to_date('2017-8-19 17:00:00','YYYY-MM-DD HH24:MI:SS '));
# 或者
SQL>
SQL> EXECUTE dbms_logmnr.start_logmnr(DictFileName =>'/u01/app/oracle/logminer/dictionary.ora', StartScn>=20, EndScn<= 50);
PL/SQL procedure successfully completed.
# 结果放在视图中,注意当会话结束,临时表会被删除
SQL> SELECT count(*) FROM v$logmnr_contents;
COUNT(*)
----------
42118
# 将临时表数据备份至物理表中
SQL> create table u_logMIner.logminer_tmp as select * from v$logmnr_contents;
Table created.
日志文件分析完成,接下来就看看对表到底做了什么操作
# 根据事务开始时间进行排序,查询数据表的变更记录
SQL > SELECT START_TIMESTAMP,COMMIT_TIMESTAMP,sql_redo,sql_undo,machine_name,os_username,username,table_name FROM u_logMIner.logminer_tmp WHERE username='U_LOGMINER' AND table_name='DBA_OBJECTS' order by START_TIMESTAMP;
# sql_redo 更改数据的SQL
# sql_undo 回滚数据的SQL
# machine_name,os_username,username 三位一体定位执行更新的机器、数据库用户名
# 如下:
SQL> SELECT sql_redo FROM u_logMIner.logminer_tmp WHERE username='U_LOGMINER' AND table_name='DBA_OBJECTS' order by START_TIMESTAMP;
SQL_REDO
--------------------------------------------------------------------------------
update "U_LOGMINER"."DBA_OBJECTS" set "STATUS" = 'INVALID' where "STATUS" = 'VAL
ID' and ROWID = 'AAAD8EAAIAAAAJAAAf';
update "U_LOGMINER"."DBA_OBJECTS" set "STATUS" = 'INVALID' where "STATUS" = 'VAL
ID' and ROWID = 'AAAD8EAAIAAAAKHAAv';
…………
# 如下:
SQL> SELECT sql_undo FROM u_logMIner.logminer_tmp WHERE username='U_LOGMINER' AND table_name='DBA_OBJECTS' order by START_TIMESTAMP;
SQL_UNDO
--------------------------------------------------------------------------------
update "U_LOGMINER"."DBA_OBJECTS" set "STATUS" = 'VALID' where "STATUS" = 'INVAL
ID' and ROWID = 'AAAD8EAAIAAAAJAAAf';
update "U_LOGMINER"."DBA_OBJECTS" set "STATUS" = 'VALID' where "STATUS" = 'INVAL
ID' and ROWID = 'AAAD8EAAIAAAAKHAAv';
update "U_LOGMINER"."DBA_OBJECTS" set "STATUS" = 'VALID' where "STATUS" = 'INVAL
ID' and ROWID = 'AAAD8EAAIAAAAPoAA0';
………………
SQL拿出来了,就可以定位问题,但是能不能立刻回滚到生产环境,还需要和业务部门进行沟通。
建议在创建数据库时,就打开强制日志、归档模式,配置 utl_file_dir 参数,避免数据库重启对线上的影像
当然也可以直接下其他环境下的数据库做日志分析工作,有两个点需要注意:数据字典和日志文件,其他和在本机处理没什么两样。