Using LogMiner

Someone has deleted Mr. Ford from Scott's EMP table, and everyone disavows any knowledge of the event. However, you are very suspicious of one of your users, who has a tendency of bending the truth at times. So, you decide to use LogMiner to track down the guilty party.

First, you edit your parameter file entering utl_fil_dir=C:\ORACLASS\LOGS. LogMiner can now create an operating system file in this path.

SQL> SHOW USER

USER is "SYS"

SQL> SHOW PARAMETER utl

NAME         TYPE   VALUE

------------ ------ ----------------

utl_file_dir string C:\ORACLASS\LOGS

Next, you execute the BUILD procedure in the DBMS_LOGMNR_D package to create an operating sys- tem file MINER2.DAT. This file will contain information taken from the specified redo log files.

SQL> CONNECT SYS/CHANGE_ON_INSTALL@DBA

Connected.

SQL> BEGIN

  2  dbms_logmnr_d.build ( 'miner2.dat', 'C:\ORACLASS\LOGS' );

  3  END;

  4  /

PL/SQL procedure successfully completed.

Next, switch log files and identify the current log file.

SQL> ALTER SYSTEM SWITCH LOGFILE;

System altered.

SQL> column member NEW_VALUE redo

SQL> SELECT member

  2  FROM   v$logfile — IF REDO LOGS ARE MIRRORED,

                        ONLY WANT ONE(ROWNUM<2)

  3  WHERE  group# = ( SELECT group# FROM v$log

                       WHERE status = 'CURRENT' )

  4         AND ROWNUM < 2;

MEMBER

-----------------------------------

C:\ORACLASS\DATA\DISK3\REDO0201.LOG

Next, copy the above redo log member to C:\ORA- CLASS\LOGS\redo.log.

SQL> host xcopy &redo C:\ORACLASS\LOGS\redo.log

Now, indicate to LogMiner that you want information contained in the redo.log file by executing ADD_LOGFILE.

SQL> BEGIN

  2 dbms_logmnr.add_logfile('C:\ ORACLASS\ LOGS\redo.log',

  3                          dbms_logmnr.NEW );

  4 END;

  5 /

PL/SQL procedure successfully completed.

Now, tell LogMiner to start. LogMiner takes the data in the operating system file miner2.dat and loads it into the dynamic performance views used by LogMiner. One of these views is v$logmnr_contents.

SQL> BEGIN

  2  dbms_logmnr.start_logmnr ( dictFileName =>

      'c:\ORACLASS\LOGS\miner2.dat' );

  4  END;

  5  /

PL/SQL procedure successfully completed.

Now you are ready to write a query (Exhibit 8) using v$logmnr_contents to identify the villain in who deleted ford saga. The two columns of interest are SQL_REDO and SQL_UNDO. The SQL_REDO column shows the SQL statement that changes data in a table, and the SQL_UNDO column shows the SQL statement(s) to reverse or undo the SQL statement that changed the table data. It is more than painfully obvious that user LIAR_LIAR deleted Ford and also committed his dastardly deed. Notice the undo of the DELETE command is an INSERT command.

SQL> columnsql_redo format a30 word_wrapped

SQL> columnsql_undo format a30 word_wrapped

SQL> columnusername format a12

SQL> SELECT scn,

            username,

            sql_redo,

            sql_undo

     FROM   V$LOGMNR_CONTENTS;

SCN    USERNAME  SQL_REDO                       SQL_UNDO

------ --------- ------------------------------ ------------------------

232009 LIAR_LIAR set transaction read write;

232009 LIAR_LIAR delete from SCOTT.EMP where    insert into

                 EMPNO = 7902 and ENAME =SCOTT .EMP(EMPNO,ENAME,JOB,MGR,

                 'ford' and JOB = 'ANALYST' and HIREDATE,SAL,COMM,DEPTNO)

                 MGR = 7566 and HIREDATE =      values

                 TO_DATE('03-DEC-2081           (7902,'ford','ANALYST',

                 00:00:00', 'DD-MON-YYYY        7566,TO_DATE('03-DEC-2081

                 HH24:MI:SS') and SAL = 3000    00:00:00','DD-MON-YYYY

                 and COMM IS NULL and DEPTNO =  HH24:MI:SS'),3000,NULL,

                 20 and ROWID =                 20);

                 'AAAAsrAADAAAAF6AAM';

232010 LIAR_LIAR commit;

To view the INSERT required to place Mr. Ford back into Scott's EMP table, write a query viewing the SQL_UNDO column of v$logmnr_contents:

SQL> SELECT sql_undo

     FROM   V$LOGMNR_CONTENTS;

insert into

SCOTT.EMP(EMPNO,ENAME,JOB,MGR,

HIREDATE,SAL,COMM,DEPTNO)

values

(7902,'ford','ANALYST',7566,TO

_DATE('03-DEC-2081 00:00:00',

'DD-MON-YYYY

HH24:MI:SS'),3000,NULL,20);

You can cut and paste the INSERT statement and exe- cute it to place Ford back into Scott's EMP table.

SQL> insert into

            SCOTT.EMP(EMPNO,ENAME,JOB,MGR,

            HIREDATE,SAL,COMM,DEPTNO)

            values

            (7902,'ford','ANALYST',7566,

            TO_DATE('03-DEC-2081 00:00:00',' DD-MON-YYYY

              HH24:MI:SS'),3000,NULL,20);

1 row created.

SQL> COMMIT;

Commit complete.

Finally, end your LogMiner session.

SQL> BEGIN

SQL> dbms_logmnr.end_logmnr;

SQL> END;

SQL> /

PL/SQL procedure successfully completed.

BMC Corporation has had a product named LogMaster for many years. It is much easier to use than Oracle's LogMiner. You merely enter commands at the operating system prompt.

---

The above text is an excerpt from: Oracle SQL Tuning & CBO Internals ISBN 0-9745993-3-6 by Kimberly Floss