From: jkstill@cybcon.com
Date: Wed, 14 Feb 2001 14:38:31 -0800
Subject: LogMiner and Auditing

FYI: Resent with a different subject

-----------------

I've seen a few posts on the list lately suggesting the use of LogMiner as an auditing tool.

I have serious doubts about its use in this capacity.

Imagine the following scenario.

Duhveloper: 'We just discovered that someone dropped a critical table in our system. We think some unauthorized person has access to one of our production accounts! We need to find out who this was!'

( duhvelopers always speak with exclamation points )

DBA: 'Is this the same database that was installed by the vendor with default passwords? The same database that I'm not allowed to change the default passwords on?'

Duhveloper: 'Uh, yeah, right.'

( Well, maybe not always )

DBA: 'OK, I may not be able to tell you who did it, but I can pinpoint when it happened with LogMiner.'

Duhveloper: 'Great! How soon can we get an answer!'

DBA: 'That depends on how closely you can narrow down the window I have to look in. Approximately when did it happen?'

Duhveloper: 'Well, we didn't find out til this morning. The last time anyone can recall looking at the table was 10 days ago.'

DBA: 'This system generates a 500m log file 3 times an hour, 24x7. That means that a worst case scenario is I process 720 Archive log files, many of which are on tape, so I must bring those back 20 files at a time, as the largest disk space I can spare is 10 gig. Working full time I may be able to give you that answer in 30 days.'

Duhveloper: 'Oh. Well maybe we don't need it that bad. I know what we can do! Why don't you change the default system passwords on that database. I don't know why you didn't do it as soon as the vendor left!'

( Duhveloper skulks away when DBA's face turns a lovely shade of crimson and appears to be on the verge of burying Pompeii in an ash flow. )

Seriously, has anyone successfully used LogMiner for auditing in a production database?

Joe, your input here would be appreciated.

Jared
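As an added example (not part of the original message), the search the DBA in the scenario describes would look roughly like this for one batch of restored archive logs. It assumes Oracle 9i or later, where LogMiner reports DDL and can use the online catalog as its dictionary; the file paths, time window and table name are constructed placeholders.

```sql
-- Added example: paths, dates and CRITICAL_TABLE are constructed placeholders.
-- Run in SQL*Plus as a user with EXECUTE on DBMS_LOGMNR, on the source database.

-- 1. Register one batch of restored archive logs (the scenario restores 20 at a time).
BEGIN
  DBMS_LOGMNR.ADD_LOGFILE(
    LogFileName => '/restore/arch_0001.arc',
    Options     => DBMS_LOGMNR.NEW);       -- first file starts a new list
  DBMS_LOGMNR.ADD_LOGFILE(
    LogFileName => '/restore/arch_0002.arc',
    Options     => DBMS_LOGMNR.ADDFILE);   -- remaining files are appended
END;
/

-- 2. Start mining, restricted to the part of the window this batch covers.
--    DICT_FROM_ONLINE_CATALOG only works when mining on the source database.
BEGIN
  DBMS_LOGMNR.START_LOGMNR(
    StartTime => TO_DATE('2001-02-04 00:00:00', 'YYYY-MM-DD HH24:MI:SS'),
    EndTime   => TO_DATE('2001-02-04 07:00:00', 'YYYY-MM-DD HH24:MI:SS'),
    Options   => DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG);
END;
/

-- 3. Look for the DROP. USERNAME is the database account, so with a shared
--    default-password account this answers "when", not "which person".
SELECT scn,
       timestamp,
       username,
       session_info,
       sql_redo
FROM   v$logmnr_contents
WHERE  operation = 'DDL'
AND    UPPER(sql_redo) LIKE '%DROP TABLE%CRITICAL_TABLE%'
ORDER  BY scn;

-- 4. Release the session before loading the next batch of files.
BEGIN
  DBMS_LOGMNR.END_LOGMNR;
END;
/
```

Each batch repeats steps 1 to 4, so the elapsed time is dominated by restoring files from tape rather than by the query itself.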