who shut the DB down?

[clinton]

We have 5 dba's and all of them have the power to shut down the DB. I think accidentally, one of them shut down the DB during peak times but no one one wants to admit to it.

Auditing has not being enabled yet. Is there any way that I can find out exactly who shut the DB down?

[m_d_marian]

you check the hour of the shutting down in alert.log, and you torture them each until finding what have done each of them at this hour.
Or, put them on the lie detector.
Check for all alibi.
Hire a detective.
Install a candy camera.

[sreddy]

What version was it ? If its 8i, minimum actions of startup and shutdown will be logged in default audit location.

Again, It depends you use Oracle/System super user or userid with DBA privs...

[adrianomp]

Check your audit trails and/or alert logs. Events like startup, shutdown and connect with admin privileges are automatically audited by Oracle, having you enabled it or not.


Adriano.

[clinton]

Thanks "guys", I checked the alert log and I found this message:
Instance terminated by USER, pid = 28101

But when I did:

select username, user_id, external_name from dba_users;

I did not get anything closer to 28101.
Can any body give me some direction on how to proceed?

Thanks,
clinton

[vinit]

Hi,
the PID is created by the OS and once the process dies, any other user can get the same process id later on. Even auditing won't help you to know who gave the shutdown unless each DBA logs in as a different User. Trace file will help in determining the time /cause of the shutdown.


Cheers

[kmesser]

You could check the status of object each DBA was working with. Shutdown doesn't happen by accident. Somebody thought they could cover their tracks . . .

Look for missing/changed data or objects.

Good luck

[sambavan]

I think that by running the logminer, you would be able to trace the sessions to the last and from that pont you can kind of get who was that black sheep. :D

Sam

[Halo]

Are you working in UNIX environment? if yes then give me some details like which machine and which version of operating system..........

[QUOTE][i]Originally posted by clinton [/i]
[B]We have 5 dba's and all of them have the power to shut down the DB. I think accidentally, one of them shut down the DB during peak times but no one one wants to admit to it.

Auditing has not being enabled yet. Is there any way that I can find out exactly who shut the DB down? [/B][/QUOTE]

[sambavan]

Here is some piece of information to track the culprit.

Check for a particular file that was generated at $ORACLE_HOME/rdbms/audit when the database was shutdown (i.e. check the date/time stamp).

In the file, you may see something like this...

...
Tue Mar 6 11:50:30 2001
ACTION : 'connect internal' OSPRIV : DBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/33

Tue Mar 6 11:51:50 2001
ACTION : 'shutdown'
...

If every user has a unique unix userid, then from there you can identify by the 'CLIENT USER' as shown above. But if you have a common userid to logon to your server, just like 'oracle' in our case, then refer to what's in the 'CLIENT TERMINAL', w/c is 'pts/33' in our case.

Using the 'client terminal' info, use the 'last' unix command to display from what host the user TELNETed from, as well as, the server logon time, as follows.


>last | grep pts/33
rsupport pts/33 dhcp-233113.ca.o Wed Mar 7 10:18 still logged
in
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 12:29 - 14:26
(01:57)
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 11:45 - 12:13
(00:28)

Then 'ping' the hostname from your Microsoft Windows command line to determine the IP address of the origin host machine. Once you have the IP address, issue the command, 'nbtstat -A <ip_address>' to determine the username and hostname the IP address is assigned to.


Hope this would help you to nail the person :D

Sam