Oracle未开启审计情况下追踪表变更记录

运维组的老大打电话说，他们发现有几万笔业务被重新推送了一遍，而且是第三次了，问题还是挺严重的，想要追踪是谁做的误操作，他们有时间段和涉及的表，问有没有办法追踪到。

数据库版本为10.2.0.4。首先想到的是审计功能，但是无奈数据库没有开审计。再次想到的是日志挖掘(LogMiner)，但是不确定能不能找到对应操作的用户和主机。在QQ群里提出了这个问题，得到的答案是可以找到，同时也在官方文档中找到了v$logmnr_contents中对就的SESSION_INFO字段：

从上面给出的信息可以看出，可以跟踪到执行sql时对应的用户和主机信息。

下面做一个简单的测试，关于LogMiner的简单应用参考：http://hbxztc.blog.51cto.com/1587495/1871934

从上面的查询可以看出可以从日志中挖掘出用户和主机信息。

v$logmnr_contents:http://docs.oracle.com/cd/B19306_01/server.102/b14237/dynviews_1154.htm#REFRN30132

LogMiner:http://docs.oracle.com/cd/B19306_01/server.102/b14215/logminer.htm#sthref1875

如果遇到USERNAME和SESSION_INFO为NULL或UNKNOWN参考如下：

Column USERNAME And SESSION_INFO Are UNKNOWN Or NULL In V$LOGMNR_CONTENTS (文档 ID 110301.1)

CAUSE

1. If supplemental logging was not active at the time when the redo records were created, then LogMiner won't be able to obtain all the required information. The Oracle Database Utilities manual mentions:
   

   By default, Oracle Database does not provide any supplemental logging, which means that by default LogMiner is not usable. Therefore, you must enable at least minimal supplemental logging prior to generating log files which will be analyzed by LogMiner.

   So, we have to enable supplemental logging by using a SQL statement similar to the following:
   

   SQL> CONNECT / AS SYSDBA
   SQL> ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;

   
   Then the information necessary to populate the USERNAME and SESSION_INFO columns will be stored in the redo stream.
   
   

2. The redo stream does not contain the USERNAME and SESSION_INFO data for every transaction. This information is only stored for the first transaction executed in the user's session. So in order to be able to see this information in V$LOGMNR_CONTENTS, all the redo generated during the entire session must be added to the mining session. Should this not be done, then the USERNAME and SESSION_INFO columns will remain empty.
   
   

3. LogMiner was first available in Oracle8i. If the COMPATIBLE instance parameter is set to a value lower than 8.1.0 you will not have access to its full functionality.
   
   

4. In Oracle9i and lower releases of Oracle, the TRANSACTION_AUDITING instance parameter is set to TRUE by default. This causes the generation of a redo record containing the user logon name, username, session ID, and some operating system and client information. For each successive transaction in the session, Oracle will store only the session ID. These session IDs are linked back to the first record to retrieve user and session information.
   
   When TRANSACTION_AUDITING is set to FALSE, this redo record is not written and the user information is not available to LogMiner.

SOLUTION

This can result from your database parameter settings and also from the method you are using to mine redo logs using LogMiner.

1. Ensure that database was in minimum supplemental logging at the time that the redo information was created:
   

   SQL> SELECT name, supplemental_log_data_min FROM v$database;
   
   NAME                           SUPPLEME
   ------------------------------ --------
   M10202WA                       YES

2. Ensure that all archive redo logs containing the necessary redo information have been added to the LogMiner session.
   
   

3. Ensure that the COMPATIBLE initialization parameter is set to 8.1.0 or higher.
   

   SQL> show parameter compatible
   
   NAME                                 TYPE        VALUE
   ------------------------------------ ----------- ----------
   compatible                           string      10.2.0.2.0

4. For Oracle8i and Oracle9i only: ensure that the TRANSACTION_AUDITING instance parameter is set to TRUE (default).
   

   SQL> show parameter transaction_auditing
   
   NAME                                 TYPE        VALUE
   ------------------------------------ ----------- ----------
   transaction_auditing                 boolean     TRUE

      本文转自hbxztc 51CTO博客，原文链接：http://blog.51cto.com/hbxztc/1918407，如需转载请自行联系原作者