Auditing Database Changes with DDL
to audit all schema changes and can report the exact change, when it
was made and by which user. There are several ways to audit within
Oracle, and it is important to take DDL auditing needs into
designing the Oracle system to include auditing.
For 11g and beyond, see the
For Oracle, the following auditing tools are provided:
- SQL audit command (for DML)
- Auditing with object triggers (DML auditing)
- Auditing with system-level triggers (DML and DDL)
- Auditing with LogMiner (DML and DDL)
- Fine-grained auditing (select auditing)
Oracle System Event Trigger Auditing with DDL Triggers
System Event DDL trigger, the Oracle DBA can automatically track
all changes to the database including changes to tables, indexes,
and constraints. The data from this trigger is especially useful for
change control and auditing changes to the production environment.
This is especially important for Oracle databases that are certified
by government agencies.
When Oracle first provided the functionality for these DDL
triggers, it was not clear how they could be used in order to track
system-wide usage. Initially, the implementation of system level
triggers for end-user tracking was so new, curious Oracle shops
tried it and found it a bit lacking in robust functionality.
Auditing with User Log on/off Triggers
The user log on/log off triggers was a great example of the
limits on functionality. While the user log on/off trigger
will accurately capture the time of the user log on and user log
off, it does not capture any additional information regarding the
specific tasks that were performed during the user's session. In the
event that users are not issued their own unique Oracle User ID,
this DLL trigger may not be particularly useful as Oracle cannot
then timestamp each individual users.
From Oracle guru and Rampant TechPress author, Laurent Schneider, we
get the answer to the following questions:
Is there any
alternative DDL scripting for DDL auditing?
What is the
for the current time in Unix?
enable_ddl_logging as a DDL Log Auditing Alternative
Laurent Schneider adds this regarding a new and cool alternative
offered in Oracle 11g. This option involves the use of
Setting enable_ddl_logging will allow the tracking of all ddl's
in the alert log using the following:
ALTER SYSTEM SET enable_ddl_logging=TRUE
Later, you issue create table:
and you see in the alertLSC01.log:
Tue Apr 05 14:43:32 2015
Wait, that's not really verbose !?
Remember the alert log is just there for backward compatibility,
it is time you start looking in the xml file:
<msg time='2011-04-05T14:43:42.210+02:00' org_id='oracle' comp_id='rdbms'
msg_id='opiexe:3937:4222333111' client_id='' type='NOTIFICATION'group='schema_ddl'
host_addr='192.168.0.141' module='TOAD Beta 188.8.131.52'
<txt>create table t(x number)
There is not really much more there but the module, which indeed
reveals someone is using TOAD to access my database !
Unfortunately for many shops, enable_ddl_logging is an
additional cost feature available only to Enterprise Edition users.
Oracle Training from Don Burleson
The best on site
training classes" are just a phone call away! You can get personalized Oracle training by Donald Burleson, right at your shop!
Burleson is the American Team
documentation was created as a support and Oracle training reference for use by our
DBA performance tuning consulting professionals.
Feel free to ask questions on our
considering using the services of an Oracle support expert should
independently investigate their credentials and experience, and not rely on
advertisements and self-proclaimed expertise. All legitimate Oracle experts
Oracle technology is changing and we
strive to update our BC Oracle support information. If you find an error
or have a suggestion for improving our content, we would appreciate your
and include the URL for the page.
Copyright © 1996 - 2017
All rights reserved by
is the registered trademark of Oracle Corporation.
Remote Emergency Support provided by