I have used these principles on all types of systems in production today, on Unix (AIX, HP-UX, Sun Solaris, Linux) and Windows (NT, 2000) servers, on Oracle 8.x, 8i, 9i. The techniques I'm going to cover require some knowledge of Oracle and some experimentation. However, samples are provided that should help you to get Most DBAs would not want to enable the Oracle auditing, as there is a visible impact on space consumption and especially performance (some authors report a 10 — 20 percent performance loss for significant auditing). However, transaction information is recorded in the redo logs (on line and archives) and, starting with version 8.1.5, Oracle supports log mining. LogMiner can be run on the redo log producing (source) database or on an analyzing (miner) database. Some restrictions of LogMiner: LogMiner 8i does not support operations on: LogMiner 9.2.x can be used with LONG and LOB, but cannot be used with: Enhancements to LogMiner for Oracle9i generated log files include: Log Miner consists of the Log Miner ( dbms_logmnr) package with three procedures and the Dictionary (dbms_logmnr_d ) package. These are normally built by catproc, which executes the following scripts: and since 8.1.6: A few views are also created: V$LOGMNR_CONTENTS— the contents of the redo log files being analyzed – used by the DBA for auditing V$LOGMNR_DICTIONARY — the dictionary file in use V$LOGMNR_LOG — which redo log files are being analyzed V$LOGMNR_PARAMETERS — current parameter settings for LogMiner Also, depending on the specific version, a few more objects related to the LogMiner system are created, like the view v$logmnr_interesting_cols is created by $ORACLE_HOME/rdbms/admin/dbmslmd.sql and is for internal use by LogMiner. For Oracle 8.0.x, this system is not created, so the DBA has to run manually one the dictionary scripts ( dbmslogmnrd.sql or dbmslmd.sql ) or all scripts. Simply ignore the errors referring to creating other objects than the dictionary package. Even later, some errors may be generated while running the package for objects like SUBPARTCOL$, TABSUBPART$, INDSUBPART$, TABCOMPART$ and INDCOMPART$. Ignore these errors as well. The dictionary file is produced in order to convert object ID numbers to object names. It is not required, but is recommended. Without it the equivalent SQL statements will use Oracle internal object IDs for the object name and present column values as hex data. For example, instead of the SQL statement: LogMiner will display: The contents of a dictionary file looks like: The dictionary file can be converted into a SQL script by replacing globally the underscores with spaces. CREATE_TABLE —> CREATE TABLE; CREATE_INDEX —> CREATE INDEX; INSERT_INTO —> INSERT INTO; and so on (there are more details in the header comments in the dictionary file itself). Also, see Oracle Note 77638.1 on how to build a package and a LogMiner “Place Holder Columns” file. We have used four scripts to demonstrate the concepts in this paper. They are in the file MHSYS-logminer.sql and the logs in MHSYS-logminer.log. First, on the source database, we create some transactions like: Then we update one row: Then we build the dictionary file: Now, we copy the dictionary file, the online and archived redo log files from the period of time that interests us to the analyzing database machine. The analyzing database does not have to be only mounted, it can be open, in which case I normally just copy the V$LOGMNR_CONTENTS into a regular table. Then, an the analyzing database, we load the redo logs: (Here, if you have the wrong redo logs, you can get some errors, like “archived log does not contain any redo”. Most of them can be ignored.) And then we start the logminer: (Here, if you have the wrong redo logs, you can get some errors, like “archived log out of range.”) Now, since the database is open, I can do my table copy. This is useful for thorough analyzing, as V$LOGMNR_CONTENTS is very slow and can contain Millions of rows on a busy production system. Then we can finish: And now, we can use our own table. We can create a few indexes, if we really need to work a lot with it. How do you know in versions earlier than 9i that multiple statements belong to the same transaction? You can check USERNAME (or session_info) and XIDUSN (rollback segment number) and you can see first and last for transaction. XIDSQN identifies the SCN. XIDSLOT can also be used to order the transaction components: operation START, sql_redo set transaction read write, and operation COMMIT, sql_redo commit. How do you know in versions earlier than 9i that a table was dropped? DROP TABLE will generate DELETE operations on COL$, OBJ$ and TAB$. How do you know in versions earlier than 9i to repopulate a table that had chained rows? DML on chained rows are included in "v$logmnr_contents.sql_redo" and "v$logmnr_contents.sql_undo". The SQL redo/undo columns are NULL for INSERT and UPDATE and contain 'Unsupported' for DELETE. Other columns (including data_blk#, data_obj#, row_id) can be used to identify chained rows, but it we cannot determine the SQL redo/undo statement. So, note that v$logmnr_contents.sql_redo CANNOT be used to completely repopulate a table that ever contained chained rows. There is not a lot of literature on Oracle LogMiner, and some of it can be confusing, but things are not that complicated. You can avoid a lot of aggravation by just being well organized. For a list of Frequently Asked Questions and tips on running my packages, visit www.hordila.com/mhwork.htm. -- Mike Hordila is a DBA OCP v.7, 8, 8i, 9i, and has his own Oracle consulting company, DBActions Inc., www.dbactions.com, in Toronto, Ontario. He specializes in tuning, automation, security, and very large databases. Mike has articles in Oracle Magazine Online, Oracle Internals and DBAzine.com. Updated versions of his work are available on www.hordila.com. He is also a technical editor with Hungry Minds (formerly IDG Books).
Have you ever had to answer questions like, “This data does not look right. Could we find out who changed it and when? How did they change it? What was there before the change? How do we fix it back?” If so, this article will give you a quick start in the right direction. It really is possible to find out the answers to these questions, and not that difficult.Oracle Log Miner
Oracle9i Log Miner New Features
Preparing The Log Miner
The Dictionary File
INSERT INTO emp(name, salary) VALUES ('John Doe', 50000);
insert into Object#2581(col#1, col#2) values (hextoraw('4a6f686e20446f65'), hextoraw
12:30:24',,,1,'12/24/2002 16:05:38','12/24/2002
Running The Log Miner
INSERT INTO table1 ( rec_id, emp_last_name, emp_first_name, salary )
VALUES ( 03, 'LASTTHREE', 'FIRSTTHREE', 10000.10 );
UPDATE table1 SET salary = 20000.10 WHERE rec_id = 03;
execute dbms_logmnr_d.build(dictionary_filename => 'dictionary.920.ora', -
dictionary_location => 'C:\TEMP');
execute dbms_logmnr.add_logfile(logfilename => 'C:\TEMP\redo01.log', -
options => dbms_logmnr.new);
execute dbms_logmnr.start_logmnr(dictfilename => 'C:\TEMP\dictionary.920.ora', -
starttime => to_date('18-MAR-2003 00:00:00', 'DD-MON-YYYY HH24:MI:SS'), -
endtime => to_date('18-MAR-2003 23:59:59', 'DD-MON-YYYY HH24:MI:SS'));
create table SYSTEM.LOGMINER_CONTENTS_920 tablespace TOOLS
as select * from v$logmnr_contents;execute dbms_logmnr.add_logfile(logfilename => 'C:\TEMP\redo01.log', -
options => dbms_logmnr.removefile);
execute dbms_logmnr.end_logmnr;
select count(*) from SYSTEM.LOGMINER_CONTENTS_920;
select to_char(timestamp, 'DD-MON-YYYY HH24:MI:SS') timestamp,
scn, log_id, username, seg_owner, seg_name, seg_type, operation,
where username = 'TESTX'
and seg_owner = 'TESTX'
and seg_name = 'TABLE1';
-------------------- ---------- ---------- -----------------
18-MAR-2003 20:47:10 181209 10 TESTX
rec_id VARCHAR2(12) NOT NULL,
emp_last_name VARCHAR2(30),
emp_first_name VARCHAR2(30),
salary NUMBER(8,2) )
18-MAR-2003 20:47:16 181293 10 TESTX
insert into "TESTX"."TABLE1"("REC_ID","EMP_LAST_NAME","EMP_FIRST_NAME", ……..
18-MAR-2003 20:47:30 181409 11 TESTX
update "TESTX"."TABLE1" set "SALARY" = '20000,1' where "SALARY" = '1000 ……..
Some Frequent Questions Before Oracle9i
select seg_name, operation, scn, count(*) from v$logmnr_contents
where operation != 'INTERNAL'
group by seg_name, operation, scn
order by scn;
--------------- -------------------------------- ---------- ----------
COL$ DELETE 5012065 3
OBJ$ DELETE 5012065 1
TAB$ DELETE 5012065 1
START 5012065 1
SEG$ UPDATE 5012065 1
Log Miner Procedures Summary