Results 1 to 3 of 3
  1. #1
    Join Date
    Oct 2012
    Posts
    2

    Exclamation Unanswered: Need help with audit trail

    I work on an OLTP database that has audit trail enable for most critical tables. Recently, all records from a table that was considered non-critical at implementation was deleted. How can I find out who did this and when it was done.

  2. #2
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    Dbms_logmnr
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  3. #3
    Join Date
    Jul 2006
    Posts
    49
    Deleting from the audit trail should be restricted to user SYS, but I think it could also be done by any user granted the DELETE ANY TABLE privilege. This should help you narrow down the list of suspects.

    If you are auditing sys operations, then you can look in the host audit files. The location of these files might be different for each version of Oracle, so check the on-line documentation. For example on Linux and Solaris the files might be stored in directory /u01/app/oracle/$ORACLE_SID/adump. Go to that location and run "grep -i delete *.aud".

    On Windows these records are written to Event Viewer.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •