Hi Sam and the rest ,
I think with sam's method, I'm on the right way to capture the culprit.
One last question.
When I went through the ORACLE_HOME, I found out that, the
default audit trail were a lot(i mean a lot) so I could not really narrow down the time stamp. Do you know of any easier way to narrow the time stamp?
This is what I did:
One way to do this is write a shell script that would list the directory and awk the files between certain time frame and then you could reduce the files that you need to search. Other way would be to write a script that would open all the files and search for the "SHUTDOWN" word and then list only those files that has this. One other eaier way is to use the "find " command and search the directory for shutdown and then start analysing only those files.
Searching the files for the word 'SHUTDOWN' can be done with a single command:
grep -i shutdown ora*.aud
(-i means ignore case)
or, just to get the filenames
grep -l -i shutdown ora*.aud
Also, the ls -l command will give the list of files, including the modification date, if you pipe the output of the ls to the grep command (look at the format of the date returned), you can quickly get a list of files for a certain date.