who shut the DB down?
DBAsupport.com Forums - Powered by vBulletin

Thread: who shut the DB down?

  1. #1
    Join Date
    Jan 2001
    Posts
    157

    Question

    We have 5 DBAs and all of them have the power to shut down the DB. I think accidentally, one of them shut down the DB during peak times but no one wants to admit to it.

    Auditing has not been enabled yet. Is there any way that I can find out exactly who shut the DB down?

  2. #2
    Join Date
    Feb 2001
    Posts
    66
    You check the hour of the shutdown in alert.log, and you torture each of them until you find out what each of them was doing at that hour.
    Or, put them on the lie detector.
    Check for all alibi.
    Hire a detective.
    Install a candy camera.

  3. #3
    Join Date
    Feb 2000
    Location
    Washington DC
    Posts
    1,843
    What version was it? If it's 8i, minimum actions of startup and shutdown will be logged in the default audit location.

    Again, it depends on whether you use the Oracle/System super user or a userid with DBA privs...
    Reddy,Sam

  4. #4
    Join Date
    Feb 2001
    Posts
    295
    Check your audit trails and/or alert logs. Events like startup, shutdown and connect with admin privileges are automatically audited by Oracle, whether you have enabled it or not.


    Adriano.

  5. #5
    Join Date
    Jan 2001
    Posts
    157
    Thanks "guys", I checked the alert log and I found this message:
    Instance terminated by USER, pid = 28101

    But when I did:

    select username, user_id, external_name from dba_users;

    I did not get anything closer to 28101.
    Can anybody give me some direction on how to proceed?

    Thanks,
    clinton

  6. #6
    Join Date
    Oct 2000
    Posts
    467
    Hi,
    the PID is created by the OS and once the process dies, any other user can get the same process id later on. Even auditing won't help you to know who gave the shutdown unless each DBA logs in as a different user. The trace file will help in determining the time/cause of the shutdown.


    Cheers

    Vinit

  7. #7
    Join Date
    Aug 2000
    Posts
    462
    You could check the status of the objects each DBA was working with. Shutdown doesn't happen by accident. Somebody thought they could cover their tracks . . .

    Look for missing/changed data or objects.

    Good luck

  8. #8
    Join Date
    Oct 2000
    Location
    Saskatoon, SK, Canada
    Posts
    3,925
    I think that by running LogMiner, you would be able to trace the sessions to the last one, and from that point you can kind of get who was that black sheep. :D

    Sam
    Thanx
    Sam



    Life is a journey, not a destination!


  9. #9
    Join Date
    Apr 2000
    Location
    Edison, NJ
    Posts
    759
    Are you working in a UNIX environment? If yes, then give me some details like which machine and which version of operating system...

    Originally posted by clinton:
    We have 5 DBAs and all of them have the power to shut down the DB. I think accidentally, one of them shut down the DB during peak times but no one wants to admit to it.

    Auditing has not been enabled yet. Is there any way that I can find out exactly who shut the DB down?

  10. #10
    Join Date
    Oct 2000
    Location
    Saskatoon, SK, Canada
    Posts
    3,925
    Here is some piece of information to track the culprit.

    Check for a particular file that was generated at $ORACLE_HOME/rdbms/audit when the database was shut down (i.e. check the date/time stamp).

    In the file, you may see something like this...

    ...
    Tue Mar 6 11:50:30 2001
    ACTION : 'connect internal' OSPRIV : DBA
    CLIENT USER: oracle
    CLIENT TERMINAL: pts/33

    Tue Mar 6 11:51:50 2001
    ACTION : 'shutdown'
    ...

    If every user has a unique unix userid, then from there you can identify by the 'CLIENT USER' as shown above. But if you have a common userid to log on to your server, just like 'oracle' in our case, then refer to what's in the 'CLIENT TERMINAL', which is 'pts/33' in our case.

    Using the 'client terminal' info, use the 'last' unix command to display from what host the user TELNETed from, as well as, the server logon time, as follows.


    >last | grep pts/33
    rsupport pts/33 dhcp-233113.ca.o Wed Mar 7 10:18 still logged in
    rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 12:29 - 14:26 (01:57)
    rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 11:45 - 12:13 (00:28)

    Then 'ping' the hostname from your Microsoft Windows command line to determine the IP address of the origin host machine. Once you have the IP address, issue the command, 'nbtstat -A <ip_address>' to determine the username and hostname the IP address is assigned to.


    Hope this would help you to nail the person :D

    Sam

    Thanx
    Sam



    Life is a journey, not a destination!
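
Added example, not part of the original thread: the correlation described in post #10, done in Python. It reads the audit file for the 'shutdown' record, takes the CLIENT TERMINAL from the preceding connect, and picks the `last` session that actually held that terminal at the shutdown time, since the same pts is reused by later logins. The function names and sample strings are constructed from the excerpts in the post.

```python
import re
from datetime import datetime
# Constructed sample inputs, modelled on the excerpts quoted in the post.
AUDIT = """\
Tue Mar 6 11:50:30 2001
ACTION : 'connect internal' OSPRIV : DBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/33
Tue Mar 6 11:51:50 2001
ACTION : 'shutdown'
"""
LAST = """\
rsupport pts/33 dhcp-233113.ca.o Wed Mar 7 10:18 still logged in
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 12:29 - 14:26 (01:57)
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 11:45 - 12:13 (00:28)
"""
LAST_RE = re.compile(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+\w{3}\s+(\w{3}\s+\d+)\s+(\d\d:\d\d)(?: - (\d\d:\d\d))?")

def parse_audit(text):
    """One dict per record; a record starts at a timestamp line."""
    records = []
    for line in map(str.strip, text.splitlines()):
        try:
            records.append({"time": datetime.strptime(line, "%a %b %d %H:%M:%S %Y")})
        except ValueError:  # not a timestamp, so a field of the current record
            m = re.match(r"ACTION\s*:\s*'([^']*)'|CLIENT (USER|TERMINAL)\s*:\s*(\S+)", line)
            if m and records:
                records[-1][(m.group(2) or "action").lower()] = m.group(1) or m.group(3)
    return records

def parse_last(text, year):
    """`last` prints no year, so the caller passes it. Assumes no session spans midnight."""
    sessions = []
    for m in filter(None, map(LAST_RE.match, text.splitlines())):
        user, tty, host, day, start, end = m.groups()
        at = lambda hhmm: datetime.strptime(f"{year} {day} {hhmm}", "%Y %b %d %H:%M")
        sessions.append((user, tty, host, at(start), at(end) if end else None))
    return sessions

def shutdown_origin(audit_text, last_text):
    """Match each 'shutdown' to the login that held the terminal at that time."""
    hits, conn = [], {}
    for rec in parse_audit(audit_text):
        if "terminal" in rec:
            conn = rec  # assumption: later records in this file belong to this connection
        if rec.get("action") == "shutdown":
            for user, tty, host, begin, end in parse_last(last_text, rec["time"].year):
                if tty == conn.get("terminal") and begin <= rec["time"] and (end is None or rec["time"] <= end):
                    hits.append((rec["time"], user, host))
    return hits
```

On the sample data only the 11:45 - 12:13 login covers the 11:51:50 shutdown, so the later pts/33 sessions are excluded.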

