Re: New tool: ddldump

  • From: Guillermo Alan Bort <cicciuxdba@xxxxxxxxx>
  • To: david@xxxxxxxxxxxxxxxxxxxx
  • Date: Mon, 28 Jun 2010 22:37:11 -0300

Hey David,

   Nice tool, looks very interesting. Does it work on archived redolg files?
I'll try it in my toy DBs this week... :-) I'd love to do it in productive
ones, as it works on redo, I'm guessing it has no direct impact on the DB...
is the source code available?

Thanks.
Alan.-


On Mon, Jun 28, 2010 at 9:50 PM, David Litchfield <
david@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hey all,
> As part of a larger project, I've written a small tool called ddldump that
> parses Oracle redolog files and dumps any DDL statements in an XML format.
> ddldump has been developed with forensic investigations in mind but can of
> course be simply used by DBAs to peruse the DDL in their logs. You can
> download it from http://www.v3rity.com/ddldump.php
> Cheers,
> David Litchfield
> v3rity Ltd
> http://www.v3rity.com/
>
>
> C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
>
> <?xml version="1.0"?>
> <LOG>
> <FILENAME>REDO01.log</FILENAME>
> <database_sid>ORCL11G</database_sid>
> <version>11.1</version>
> <ltimestamp>01/02/2010 15:26:02</ltimestamp>
> <blocksize>512</blocksize>
> <nab>234</nab>
> <lowscn>3977649</lowscn>
> <nextscn>3977776</nextscn>
> <ENTRIES>
> <ENTRY>
> <TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
> <RDRCOFST>0x0001CB2C</RDRCOFST>
> <CHVCOFST>0x0001CB5C</CHVCOFST>
> <SESSION_USER>SYS</SESSION_USER>
> <CURRENT_USER>SYS</CURRENT_USER>
> <SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
> </SQL_STATETMENT>
> <SCHEMA>hax0r</SCHEMA>
> <OBJECT></OBJECT>
> </ENTRY>
> </ENTRIES>
> </LOG>
> C:\>
>
> RDRCOFST is the hexadecimal offset into the redolog file where the redo
> entry containing the DDL statement can be found
> CHVCOFST is the hexadecimal offset into the redolog file where the change
> vector containing the DDL statement can be found
> TIMESTAMP is the time and date when the redo entry was written to the log
> file.
> SESSION_USER is the user that is logged on and initiated the DDL statement
> CURRENT_USER is the user under whose authority the DDL actually executes.
> If session_user and current_user are different it could be indicitive of a
> SQL injection attack.
> SQL_STATEMENT is the DDL that was executed.
> SCHEMA, if present, is the schema upon which the DDL acts.
> OBJECT, if present, is the object upon which the DDL acts.
> --
> //www.freelists.org/webpage/oracle-l
>
>
>

Other related posts: