Oracle日志挖掘

1.日志挖掘

1.1補充日志指令（日志中有了rowid）

   alter databaseadd supplemental logdata;

1.2基于DML的日志挖掘

   例子：SCOTT下UPDATE某記錄，我想挖掘出這個操作的時間以及SCN，如

   update emp set sal=9000;

   步驟：

1.2.1檢視目前redo日志

col member for a40

    select v1.group#,v1.sequence#,v1.first_change#,v1.status,v2.member

    from v$log v1,v$logfile v2

    where v1.group#=v2.group#

    order by 1;

    結果：

    GROUP#  SEQUENCE# FIRST_CHANGE# STATUS           MEMBER

-------------------- ------------- ---------------- ----------------------------------------

         1          7       1346456 CURRENT         /u01/oradata/mike/redo01.log

         1          7       1346456 CURRENT         /u01/oradata/mike/redo01b.log

         2          5       1346098 INACTIVE         /u01/oradata/mike/redo02b.log

         2          5       1346098 INACTIVE         /u01/oradata/mike/redo02.log

         3          6       1346283 INACTIVE         /u01/oradata/mike/redo03b.log

         3          6       1346283 INACTIVE         /u01/oradata/mike/redo03.log

6 rows selected.

1.2.2使用目前日志建立分析清單

    Exec sys.dbms_logmnr.add_logfile(logfilename=>'/u01/oradata/mike/redo01.log');

1.2.3使用資料字典進行日志分析

    如果沒有資料字典，使用dbms_logmnr.dict_from_online_catalog選項參數，意思是從指定的dbms_logmnr.add_logfile或重做日志中找到資料字典。

    exec sys.dbms_logmnr.start_logmnr(options=>sys.dbms_logmnr.dict_from_online_catalog);

1.2.4檢視分析結果

    select scn,to_char(timestamp,'yyyy-mm-dd hh24:mi:ss'),sql_redo,sql_undo

    from v$logmnr_contents

    where seg_name='EMP'and seg_owner='SCOTT';

    結果：

    ---------- -------------------

    SQL_REDO

    ----------------------------------------------------------------------------------------------------

    SQL_UNDO

    ----------------------------------------------------------------------------------------------------

       1352504 2013-06-20 11:26:38

    update "SCOTT"."EMP"set "SAL"= '9000'where "SAL"= '2800'and ROWID= 'AAASb2AAEAAAACXAAA';

    update "SCOTT"."EMP"set "SAL"= '2800'where "SAL"= '9000'and ROWID= 'AAASb2AAEAAAACXAAA';

       1352504 2013-06-20 11:26:38

    update "SCOTT"."EMP"set "SAL"= '9000'where "SAL"= '2800'and ROWID= 'AAASb2AAEAAAACXAAB';

update "SCOTT"."EMP"set "SAL"= '2800'where "SAL"= '9000'and ROWID= 'AAASb2AAEAAAACX………

1.2.5結束logmnr

exec dbms_logmnr.end_logmnr;

1.3基于DDL的日志挖掘

1.3.1資料字典在歸檔日志中

1.3.1.1将資料字典歸檔到日志

        execute dbms_logmnr_d.build(options=>dbms_logmnr_d.store_in_redo_logs);

1.3.1.2做DDL操作

        SCOTT使用者下删除表test;

        drop table test;

1.3.1.3檢視redo日志和archive日志

        select group#,sequence#,statusfrom v$log;

        結果：

            GROUP# SEQUENCE# STATUS

-------------------- ----------------

         1         13 INACTIVE

         2         14 CURRENT

         3         12 INACTIVE

        select name,dictionary_begin,dictionary_endfrom v$archived_log;

        結果：

        NAME                                                                            DIC DIC

        ----------------------------------------------------------------------------------- ---

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_3_8w4proqh_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_4_8w4psx1j_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_5_8w4q3sol_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_6_8w4qc0yo_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_7_8w564nnh_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_8_8w56c7gz_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_9_8w56d13f_.arc      NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_10_8w56mrcn_.arc     NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_11_8w5bskbb_.arc     NO NO

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_12_8w5bstfx_.arc     YES YES

        /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_13_8w5byo0v_.arc     NO NO

        11 rows selected.

        發現有一個歸檔日志中dictionary_begin和dictionary_end是YES，是以資料字典的資訊在這個歸檔日志中，一會要加入分析隊列。

1.3.1.4使用日志建立分析清單

        首先把目前的redo檔案加入分析清單：

        execute dbms_logmnr.add_logfile(logfilename=>'/u01/oradata/mike/redo02.log',options=>dbms_logmnr.new);

        然後把包含資料字典資訊的歸檔日志也加進去：

        execute dbms_logmnr.add_logfile(logfilename=>'/u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_12_8w5bstfx_.arc',options=>dbms_logmnr.addfile);

1.3.1.5使用資料字典進行分析

        execute sys.dbms_logmnr.start_logmnr(options=>sys.dbms_logmnr.dict_from_online_catalog);

1.3.1.6檢視分析結果

        selectscn,to_char(timestamp,'yyyy-mm-dd hh24:mi:ss'),sql_redo from v$logmnr_contents

        where seg_name='TEST' andseg_owner='SCOTT';

        結果：

       SCN TO_CHAR(TIMESTAMP,'

-----------------------------

SQL_REDO

----------------------------------------------------------------------------------------------------

   1384524 2013-06-20 15:14:59

ALTER TABLE"SCOTT"."TEST" RENAME TO"BIN$35G0QjKlCuLgRAgAJ3D0FA==$0" ;

   1384527 2013-06-20 15:14:59

drop table test AS"BIN$35G0QjKlCuLgRAgAJ3D0FA==$0" ;

1.3.1.7結束logmnr

execdbms_logmnr.end_logmnr;

1.3.2資料字典在utl_file_dir中

1.3.2.1設定utl_file_dir

    show parameter utl_file_dir

    若為空，則設定一下值：

    alter systemset utl_file_dir='/u01/logmnr'scope=spfile;

    重新開機執行個體：

    startup force

    再次檢視show parameter utl_file_dir

1.3.2.2建立資料字典到指定目錄

    execute dbms_logmnr_d.build(dictionary_filename=>'newdict.ora',dictionary_location=> '/u01/logmnr');

1.3.2.3檢視目前redo日志和archive日志

    select group#,sequence#,first_change#,statusfrom v$log;

    結果：

     GROUP#  SEQUENCE# FIRST_CHANGE# STATUS

-------------------- ------------- ----------------

         1         16       1389548 CURRENT

         2         14       1384482 ACTIVE

         3         15       1389541 ACTIVE

    select name,dictionary_begin,dictionary_endfrom v$archived_log;

    結果：

    NAME                                                                            DIC DIC

    ----------------------------------------------------------------------------------- ---

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_3_8w4proqh_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_4_8w4psx1j_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_5_8w4q3sol_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_6_8w4qc0yo_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_7_8w564nnh_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_8_8w56c7gz_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_9_8w56d13f_.arc      NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_10_8w56mrcn_.arc     NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_11_8w5bskbb_.arc     NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_12_8w5bstfx_.arc     YES YES

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_13_8w5byo0v_.arc     NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_14_8w5klf20_.arc     NO NO

    /u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_15_8w5klxm9_.arc     NO NO

    13 rows selected.

1.3.2.4做DDL操作

    SCOTT使用者下删除一個表

    drop table test;

1.3.2.5将使用日志建立分析清單

    因為在Drop一個表之前，我已經把資料字典資訊寫入到了/u01/logmnr/newdict.ora中，是以此時我隻要将目前日志和幾個歸檔日志加入分析清單即可。

    execute dbms_logmnr.add_logfile(logfilename=>'/u01/oradata/mike/redo01.log',options=>dbms_logmnr.new);

    execute dbms_logmnr.add_logfile(logfilename=>'/u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_15_8w5klxm9_.arc',options=>dbms_logmnr.addfile);

    execute dbms_logmnr.add_logfile(logfilename=>'/u01/fast_recovery_area/MIKE/archivelog/2013_06_20/o1_mf_1_14_8w5klf20_.arc',options=>dbms_logmnr.addfile);

1.3.2.6使用資料字典進行分析

    execute dbms_logmnr.start_logmnr(dictfilename=>'/u01/logmnr/newdict.ora');

1.3.2.6查詢檢視分析結果

    select scn,to_char(timestamp,'yyyy-mm-dd hh24:mi:ss'),sql_redo from v$logmnr_contents

    where seg_name='TEST'and seg_owner='SCOTT';

    結果：

     SCN TO_CHAR(TIMESTAMP,'

-----------------------------

SQL_REDO

----------------------------------------------------------------------------------------------------

   1384524 2013-06-20 15:14:59

ALTER TABLE"SCOTT"."TEST" RENAME TO"BIN$35G0QjKlCuLgRAgAJ3D0FA==$0" ;

   1384527 2013-06-20 15:14:59

drop table test AS"BIN$35G0QjKlCuLgRAgAJ3D0FA==$0" ;

   1389502 2013-06-20 17:06:50

create table test(id int) tablespace stu;

   1389516 2013-06-20 17:07:00

insert into"SCOTT"."TEST"("ID") values ('99');

   1389980 2013-06-20 17:18:56

ALTER TABLE"SCOTT"."TEST" RENAME TO"BIN$35G0QjKmCuLgRAgAJ3D0FA==$0" ;

   1389982 2013-06-20 17:18:56

drop table test AS"BIN$35G0QjKmCuLgRAgAJ3D0FA==$0" ;

6 rows selected.

1.3.2.7結束logmnr

execdbms_logmnr.end_logmnr;

1.4日志挖掘總結

show parameter utl

alter system set utl_file_dir='/u01/logmnr'scope=spfile;（設定參數并重新開機執行個體）

startup force

execute dbms_logmnr_d.build(options=>dbms_logmnr_d.store_in_redo_logs);(資料字典資訊歸檔到日志)

executedbms_logmnr_d.build('dict.ora','/u01/logmnr',options=>dbms_logmnr_d.store_in_flat_file);（資料字典資訊歸檔到指定目錄）

executedbms_logmnr_d.build(dictionary_filename => 'mcdict.ora',dictionary_location=> '/u01/logmnr');(建立資料字典到指定目錄)

executedbms_logmnr.add_logfile(logfilename=>'',options=>dbms_logmnr.new);（将日志加入分析清單）

executedbms_logmnr.add_logfile(logfilename=>'',options=>dbms_logmnr.addfile);

executedbms_logmnr.start_logmnr(dictfilename=>'/u01/logmnr/dict.ora');(使用指定路徑的資料字典分析)

executesys.dbms_logmnr.start_logmnr(options=>sys.dbms_logmnr.dict_from_online_catalog);（使用日志中的資料字典分析）

select xxx from v$logmnr_contents wherexxx;（查詢挖掘後的資訊）

exec dbms_logmnr.end_logmnr;（結束挖掘）