New tool: ddldump
- From: David Litchfield <david@xxxxxxxxxxxxxxxxxxxx>
- To: oracle-l@xxxxxxxxxxxxx
- Date: Tue, 29 Jun 2010 01:50:02 +0100
Hey all,
As part of a larger project, I've written a small tool called ddldump
that parses Oracle redolog files and dumps any DDL statements in an XML
format. ddldump has been developed with forensic investigations in mind
but can of course be simply used by DBAs to peruse the DDL in their
logs. You can download it from http://www.v3rity.com/ddldump.php
Cheers,
David Litchfield
v3rity Ltd
http://www.v3rity.com/
C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
<?xml version="1.0"?>
<LOG>
<FILENAME>REDO01.log</FILENAME>
<database_sid>ORCL11G</database_sid>
<version>11.1</version>
<ltimestamp>01/02/2010 15:26:02</ltimestamp>
<blocksize>512</blocksize>
<nab>234</nab>
<lowscn>3977649</lowscn>
<nextscn>3977776</nextscn>
<ENTRIES>
<ENTRY>
<TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
<RDRCOFST>0x0001CB2C</RDRCOFST>
<CHVCOFST>0x0001CB5C</CHVCOFST>
<SESSION_USER>SYS</SESSION_USER>
<CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>create user hax0r identified by VALUES
'9A3502887F7210C4' </SQL_STATETMENT>
<SCHEMA>hax0r</SCHEMA>
<OBJECT></OBJECT>
</ENTRY>
</ENTRIES>
</LOG>
C:\>
RDRCOFST is the hexadecimal offset into the redolog file where the redo
entry containing the DDL statement can be found
CHVCOFST is the hexadecimal offset into the redolog file where the
change vector containing the DDL statement can be found
TIMESTAMP is the time and date when the redo entry was written to the
log file.
SESSION_USER is the user that is logged on and initiated the DDL statement
CURRENT_USER is the user under whose authority the DDL actually
executes. If session_user and current_user are different it could be
indicitive of a SQL injection attack.
SQL_STATEMENT is the DDL that was executed.
SCHEMA, if present, is the schema upon which the DDL acts.
OBJECT, if present, is the object upon which the DDL acts.
--
//www.freelists.org/webpage/oracle-l
Other related posts:
