跟踪数据库结构的变化
Bab*_*bak 4 sql-server sql-server-2008-r2
我们的数据库发生了变化,其中一个 SP 已被删除。我们不知道是谁做的,什么时候做的。
有什么办法可以查到吗?或者启用一个选项以便将来能够跟踪它?
有几种方法可以进行此类取证分析:
使用默认跟踪(前提是默认跟踪正在运行)。默认跟踪创建 5 个 *.TRC 文件,当它们到达 20 MB 大小时会被回收。:
Run Code Online (Sandbox Code Playgroud)-- create a test procedure .. so that we can drop it use test_kin go create procedure usp_ABOUT_TO_DELETE as select name from sysobjects where type = 'U' order by name -- now drop the procedure drop procedure usp_ABOUT_TO_DELETE
以下是从默认跟踪中获取详细信息的 sql:
Run Code Online (Sandbox Code Playgroud)/* Object Altered Object Created Object Deleted */ SELECT TE.NAME ,v.subclass_name ,DB_NAME(t.DatabaseId) AS DBName ,T.NTDomainName ,t.NTUserName ,t.HostName ,t.ApplicationName ,t.LoginName ,t.Duration ,t.StartTime ,t.ObjectName ,CASE t.ObjectType WHEN 8259 THEN 'Check Constraint' WHEN 8260 THEN 'Default (constraint or standalone)' WHEN 8262 THEN 'Foreign-key Constraint' WHEN 8272 THEN 'Stored Procedure' WHEN 8274 THEN 'Rule' WHEN 8275 THEN 'System Table' WHEN 8276 THEN 'Trigger on Server' WHEN 8277 THEN '(User-defined) Table' WHEN 8278 THEN 'View' WHEN 8280 THEN 'Extended Stored Procedure' WHEN 16724 THEN 'CLR Trigger' WHEN 16964 THEN 'Database' WHEN 16975 THEN 'Object' WHEN 17222 THEN 'FullText Catalog' WHEN 17232 THEN 'CLR Stored Procedure' WHEN 17235 THEN 'Schema' WHEN 17475 THEN 'Credential' WHEN 17491 THEN 'DDL Event' WHEN 17741 THEN 'Management Event' WHEN 17747 THEN 'Security Event' WHEN 17749 THEN 'User Event' WHEN 17985 THEN 'CLR Aggregate Function' WHEN 17993 THEN 'Inline Table-valued SQL Function' WHEN 18000 THEN 'Partition Function' WHEN 18002 THEN 'Replication Filter Procedure' WHEN 18004 THEN 'Table-valued SQL Function' WHEN 18259 THEN 'Server Role' WHEN 18263 THEN 'Microsoft Windows Group' WHEN 19265 THEN 'Asymmetric Key' WHEN 19277 THEN 'Master Key' WHEN 19280 THEN 'Primary Key' WHEN 19283 THEN 'ObfusKey' WHEN 19521 THEN 'Asymmetric Key Login' WHEN 19523 THEN 'Certificate Login' WHEN 19538 THEN 'Role' WHEN 19539 THEN 'SQL Login' WHEN 19543 THEN 'Windows Login' WHEN 20034 THEN 'Remote Service Binding' WHEN 20036 THEN 'Event Notification on Database' WHEN 20037 THEN 'Event Notification' WHEN 20038 THEN 'Scalar SQL Function' WHEN 20047 THEN 'Event Notification on Object' WHEN 20051 THEN 'Synonym' WHEN 20549 THEN 'End Point' WHEN 20801 THEN 'Adhoc Queries which may be cached' WHEN 20816 THEN 'Prepared Queries which may be cached' WHEN 20819 THEN 'Service Broker Service Queue' WHEN 20821 THEN 'Unique Constraint' WHEN 21057 THEN 'Application Role' WHEN 21059 THEN 'Certificate' WHEN 21075 THEN 'Server' WHEN 21076 THEN 'Transact-SQL Trigger' WHEN 21313 THEN 'Assembly' WHEN 21318 THEN 'CLR Scalar Function' WHEN 21321 THEN 'Inline scalar SQL Function' WHEN 21328 THEN 'Partition Scheme' WHEN 21333 THEN 'User' WHEN 21571 THEN 'Service Broker Service Contract' WHEN 21572 THEN 'Trigger on Database' WHEN 21574 THEN 'CLR Table-valued Function' WHEN 21577 THEN 'Internal Table (For example, XML Node Table, Queue Table.)' WHEN 21581 THEN 'Service Broker Message Type' WHEN 21586 THEN 'Service Broker Route' WHEN 21587 THEN 'Statistics' WHEN 21825 THEN 'User' WHEN 21827 THEN 'User' WHEN 21831 THEN 'User' WHEN 21843 THEN 'User' WHEN 21847 THEN 'User' WHEN 22099 THEN 'Service Broker Service' WHEN 22601 THEN 'Index' WHEN 22604 THEN 'Certificate Login' WHEN 22611 THEN 'XMLSchema' WHEN 22868 THEN 'Type' ELSE 'Hmmm???' END AS ObjectType FROM [fn_trace_gettable](CONVERT(VARCHAR(150), ( SELECT TOP 1 value FROM [fn_trace_getinfo](NULL) WHERE [property] = 2 )), DEFAULT) T INNER JOIN sys.trace_events TE ON T.EventClass = TE.trace_event_id INNER JOIN sys.trace_subclass_values v ON v.trace_event_id = TE.trace_event_id AND v.subclass_value = t.EventSubClass WHERE TE.NAME IN ( 'Object:Created' ,'Object:Deleted' ,'Object:Altered' ) -- filter statistics created by SQL server AND t.ObjectType NOT IN (21587) -- filter tempdb objects AND DatabaseID <> 2 -- get only events in the past 24 hours AND StartTime > DATEADD(HH, - 24, GETDATE()) ORDER BY t.StartTime DESC;深入研究事务日志- 更先进!请注意未记录的fn_dblog的使用。
找出交易ID
Run Code Online (Sandbox Code Playgroud)SELECT [Current LSN] ,Operation ,[AllocUnitName] ,[Lock Information] ,[Transaction ID] ,[Description] ,[Begin Time] ,[Transaction Name] ,[Transaction SID] FROM fn_dblog(NULL, NULL) WHERE [Operation] = N'LOP_DELETE_ROWS' AND [AllocUnitName] = N'sys.sysschobjs.clst' --- change here for the object name you think got dropped/deleted --- can be table, stored procedure, etc AND CHARINDEX(cast(N'ABOUT_TO_DELETE' AS VARBINARY(4000)), [Log Record]) > 0现在根据上面的交易ID找出交易:
Run Code Online (Sandbox Code Playgroud)SELECT [Current LSN] ,Operation ,[AllocUnitName] ,[Lock Information] ,[Transaction ID] ,[Description] ,[Begin Time] ,[Transaction Name] ,SUSER_SNAME([Transaction SID]) as CULPRIT_USER -- WE Got the Cluprit!! FROM fn_dblog(NULL, NULL) WHERE [Transaction ID] = N'0000:0000026c';
优秀参考:
小智 7
对于已经被删除的存储过程,唯一的选择是挖掘在线事务日志或事务日志备份(以防数据库处于完整恢复模式)。
上面提到的fn_dblog仅在交易仍在在线交易日志中时才提供请求的信息。要读取事务日志备份,请使用fn_dump_dblog。查看 Paul Randal 的文章:
使用 fn_dblog、fn_dump_dblog 并使用 STOPBEFOREMARK 恢复到 LSN
要读取事务日志(联机、分离和事务日志备份),除了使用未记录的函数外,您还可以使用第三方工具,例如ApexSQL Log。它可以显示谁以及何时删除了存储过程,并且还将提供重新创建它的脚本。
将来,您还可以使用SQL Server 审核功能,只需确保已指定要审核的所有事件。
免责声明:我作为支持工程师为 ApexSQL 工作