Thank you very much David. This tool is really interesting. Can't wait to try it out. Will this work on Linux?

On Tue, Jun 29, 2010 at 7:07 AM, Guillermo Alan Bort <cicciuxdba@xxxxxxxxx> wrote:

> Hey David,
>
> Nice tool, looks very interesting. Does it work on archived redolog
> files? I'll try it in my toy DBs this week... :-) I'd love to do it in
> productive ones, as it works on redo, I'm guessing it has no direct impact
> on the DB... is the source code available?
>
> Thanks.
> Alan.-
>
> On Mon, Jun 28, 2010 at 9:50 PM, David Litchfield <
> david@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Hey all,
>> As part of a larger project, I've written a small tool called ddldump that
>> parses Oracle redolog files and dumps any DDL statements in an XML format.
>> ddldump has been developed with forensic investigations in mind but can of
>> course be simply used by DBAs to peruse the DDL in their logs. You can
>> download it from http://www.v3rity.com/ddldump.php
>> Cheers,
>> David Litchfield
>> v3rity Ltd
>> http://www.v3rity.com/
>>
>> C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
>>
>> <?xml version="1.0"?>
>> <LOG>
>> <FILENAME>REDO01.log</FILENAME>
>> <database_sid>ORCL11G</database_sid>
>> <version>11.1</version>
>> <ltimestamp>01/02/2010 15:26:02</ltimestamp>
>> <blocksize>512</blocksize>
>> <nab>234</nab>
>> <lowscn>3977649</lowscn>
>> <nextscn>3977776</nextscn>
>> <ENTRIES>
>> <ENTRY>
>> <TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
>> <RDRCOFST>0x0001CB2C</RDRCOFST>
>> <CHVCOFST>0x0001CB5C</CHVCOFST>
>> <SESSION_USER>SYS</SESSION_USER>
>> <CURRENT_USER>SYS</CURRENT_USER>
>> <SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
>> </SQL_STATETMENT>
>> <SCHEMA>hax0r</SCHEMA>
>> <OBJECT></OBJECT>
>> </ENTRY>
>> </ENTRIES>
>> </LOG>
>> C:\>
>>
>> RDRCOFST is the hexadecimal offset into the redolog file where the redo
>> entry containing the DDL statement can be found
>> CHVCOFST is the hexadecimal offset into the redolog file where the change
>> vector containing the DDL statement can be found
>> TIMESTAMP is the time and date when the redo entry was written to the log
>> file.
>> SESSION_USER is the user that is logged on and initiated the DDL statement
>> CURRENT_USER is the user under whose authority the DDL actually executes.
>> If session_user and current_user are different it could be indicative of a
>> SQL injection attack.
>> SQL_STATEMENT is the DDL that was executed.
>> SCHEMA, if present, is the schema upon which the DDL acts.
>> OBJECT, if present, is the object upon which the DDL acts.
>> --
>> //www.freelists.org/webpage/oracle-l
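
The SESSION_USER / CURRENT_USER comparison described in the quoted announcement, as an added example that is not part of the original thread or of ddldump: a Python function that reads a saved console capture of the XML output and returns the entries where the two users differ, with the redo offset needed to locate each one. The names `user_mismatches` and `_field` are hypothetical, and the second ENTRY in the sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown in the post; the second ENTRY and its
# values (APPUSER, offset, statement) are invented for illustration.
SAMPLE = r"""C:\>ddldump REDO01.log ddl
<?xml version="1.0"?>
<LOG>
<ENTRIES>
<ENTRY>
<TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
<RDRCOFST>0x0001CB2C</RDRCOFST>
<SESSION_USER>SYS</SESSION_USER>
<CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
</SQL_STATETMENT>
</ENTRY>
<ENTRY>
<TIMESTAMP>04/03/2010 01:20:00</TIMESTAMP>
<RDRCOFST>0x0001D000</RDRCOFST>
<SESSION_USER>APPUSER</SESSION_USER>
<CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>grant dba to APPUSER</SQL_STATETMENT>
</ENTRY>
</ENTRIES>
</LOG>
"""

def _field(entry, tag):
    return (entry.findtext(tag) or "").strip()

def user_mismatches(console_text):
    """Return DDL entries whose SESSION_USER differs from CURRENT_USER."""
    # Cut the <LOG> document out of the capture so prompt lines are ignored.
    start, end = console_text.find("<LOG>"), console_text.rfind("</LOG>")
    if start < 0 or end < 0:
        raise ValueError("no <LOG> document found in input")
    root = ET.fromstring(console_text[start:end + len("</LOG>")])
    hits = []
    for entry in root.iter("ENTRY"):
        session, current = _field(entry, "SESSION_USER"), _field(entry, "CURRENT_USER")
        if session != current:
            hits.append({
                "timestamp": _field(entry, "TIMESTAMP"),
                "redo_offset": int(_field(entry, "RDRCOFST"), 16),
                "session_user": session,
                "current_user": current,
                # Tag spelled as in the sample output; SQL_STATEMENT as fallback.
                "sql": _field(entry, "SQL_STATETMENT") or _field(entry, "SQL_STATEMENT"),
            })
    return hits
```

A mismatch is a lead for review, not a verdict: the announcement itself says only that it "could be" indicative of SQL injection.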