Hey David,

Nice tool, looks very interesting. Does it work on archived redolog files?
I'll try it in my toy DBs this week... :-)
I'd love to do it in productive ones, as it works on redo, I'm guessing it has no direct impact on the DB... is the source code available?

Thanks.
Alan.-

On Mon, Jun 28, 2010 at 9:50 PM, David Litchfield <david@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hey all,
> As part of a larger project, I've written a small tool called ddldump that
> parses Oracle redolog files and dumps any DDL statements in an XML format.
> ddldump has been developed with forensic investigations in mind but can of
> course be simply used by DBAs to peruse the DDL in their logs. You can
> download it from http://www.v3rity.com/ddldump.php
> Cheers,
> David Litchfield
> v3rity Ltd
> http://www.v3rity.com/
>
>
> C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
>
> <?xml version="1.0"?>
> <LOG>
> <FILENAME>REDO01.log</FILENAME>
> <database_sid>ORCL11G</database_sid>
> <version>11.1</version>
> <ltimestamp>01/02/2010 15:26:02</ltimestamp>
> <blocksize>512</blocksize>
> <nab>234</nab>
> <lowscn>3977649</lowscn>
> <nextscn>3977776</nextscn>
> <ENTRIES>
> <ENTRY>
> <TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
> <RDRCOFST>0x0001CB2C</RDRCOFST>
> <CHVCOFST>0x0001CB5C</CHVCOFST>
> <SESSION_USER>SYS</SESSION_USER>
> <CURRENT_USER>SYS</CURRENT_USER>
> <SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
> </SQL_STATETMENT>
> <SCHEMA>hax0r</SCHEMA>
> <OBJECT></OBJECT>
> </ENTRY>
> </ENTRIES>
> </LOG>
> C:\>
>
> RDRCOFST is the hexadecimal offset into the redolog file where the redo
> entry containing the DDL statement can be found
> CHVCOFST is the hexadecimal offset into the redolog file where the change
> vector containing the DDL statement can be found
> TIMESTAMP is the time and date when the redo entry was written to the log
> file.
> SESSION_USER is the user that is logged on and initiated the DDL statement
> CURRENT_USER is the user under whose authority the DDL actually executes.
> If session_user and current_user are different it could be indicative of a
> SQL injection attack.
> SQL_STATEMENT is the DDL that was executed.
> SCHEMA, if present, is the schema upon which the DDL acts.
> OBJECT, if present, is the object upon which the DDL acts.
> --
> //www.freelists.org/webpage/oracle-l
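
A triage pass over ddldump's XML output using the fields described in the quoted post, added here as an example; it is not part of ddldump or of either message. The function names, the account-DDL pattern and the second and third sample entries are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the output quoted above. The first ENTRY
# is the one from the post; the other two are invented for illustration.
SAMPLE = """<?xml version="1.0"?>
<LOG><FILENAME>REDO01.log</FILENAME><ENTRIES>
<ENTRY><TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP><RDRCOFST>0x0001CB2C</RDRCOFST>
<SESSION_USER>SYS</SESSION_USER><CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
</SQL_STATETMENT><SCHEMA>hax0r</SCHEMA><OBJECT></OBJECT></ENTRY>
<ENTRY><TIMESTAMP>04/03/2010 01:20:00</TIMESTAMP><RDRCOFST>0x0001D000</RDRCOFST>
<SESSION_USER>APPUSER</SESSION_USER><CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>grant dba to APPUSER</SQL_STATETMENT>
<SCHEMA></SCHEMA><OBJECT></OBJECT></ENTRY>
<ENTRY><TIMESTAMP>04/03/2010 01:25:00</TIMESTAMP><RDRCOFST>0x0001D400</RDRCOFST>
<SESSION_USER>SCOTT</SESSION_USER><CURRENT_USER>SCOTT</CURRENT_USER>
<SQL_STATETMENT>create table t1 (id number)</SQL_STATETMENT>
<SCHEMA>SCOTT</SCHEMA><OBJECT>T1</OBJECT></ENTRY>
</ENTRIES></LOG>"""

# Account and privilege DDL worth a second look (a triage choice of this example).
ACCOUNT_DDL = re.compile(r"^\s*(create|alter|drop)\s+user\b|^\s*(grant|revoke)\b", re.I)

def field(entry, *tags):
    """Stripped text of the first tag that exists, or '' if none does."""
    for tag in tags:
        node = entry.find(tag)
        if node is not None:
            return (node.text or "").strip()
    return ""

def triage(xml_text):
    """Return one finding per ENTRY that trips at least one check."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("ENTRY"):
        session = field(entry, "SESSION_USER")
        current = field(entry, "CURRENT_USER")
        # The sample output spells the tag SQL_STATETMENT; accept both spellings.
        sql = field(entry, "SQL_STATETMENT", "SQL_STATEMENT")
        reasons = []
        if session.upper() != current.upper():
            reasons.append("session_user != current_user")
        if ACCOUNT_DDL.search(sql):
            reasons.append("account/privilege DDL")
        if reasons:
            findings.append({"rdrcofst": field(entry, "RDRCOFST"), "reasons": reasons,
                             "session_user": session, "current_user": current, "sql": sql})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["rdrcofst"], f["session_user"], f["current_user"], f["reasons"], f["sql"])
```

Each finding keeps the RDRCOFST value so the redo entry can be located in the log file at that offset.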