you check the hour of the shutting down in alert.log, and you torture them each until finding what have done each of them at this hour.
Or, put them on the lie detector.
Check for all alibi.
Hire a detective.
Install a candy camera.
the PID is created by the OS and once the process dies, any other user can get the same process id later on. Even auditing won't help you to know who gave the shutdown unless each DBA logs in as a different User. Trace file will help in determining the time /cause of the shutdown.
Are you working in UNIX environment? if yes then give me some details like which machine and which version of operating system..........
[QUOTE][i]Originally posted by clinton [/i]
[B]We have 5 dba's and all of them have the power to shut down the DB. I think accidentally, one of them shut down the DB during peak times but no one one wants to admit to it.
Auditing has not being enabled yet. Is there any way that I can find out exactly who shut the DB down? [/B][/QUOTE]
If every user has a unique unix userid, then from there you can identify by the 'CLIENT USER' as shown above. But if you have a common userid to logon to your server, just like 'oracle' in our case, then refer to what's in the 'CLIENT TERMINAL', w/c is 'pts/33' in our case.
Using the 'client terminal' info, use the 'last' unix command to display from what host the user TELNETed from, as well as, the server logon time, as follows.
>last | grep pts/33
rsupport pts/33 dhcp-233113.ca.o Wed Mar 7 10:18 still logged
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 12:29 - 14:26
rsupport pts/33 dhcp-233131.ca.o Tue Mar 6 11:45 - 12:13
Then 'ping' the hostname from your Microsoft Windows command line to determine the IP address of the origin host machine. Once you have the IP address, issue the command, 'nbtstat -A <ip_address>' to determine the username and hostname the IP address is assigned to.