Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase ««12

Using ::fn_dblog() to find who deleted the rows in a table. Expand / Collapse
Author
Message
Posted Wednesday, December 26, 2012 5:59 PM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Monday, April 28, 2014 5:50 PM
Points: 37, Visits: 303

Thank you very much for the advice.
Actualy We have both CDC as well as Auditing in place for the prod database. But this was a local environment. Where we have many sysadmins. I know it is a worst practice. I am new here and I adviced them not to. But they want it to stay this way.

Regards

Post #1400424
Posted Thursday, December 27, 2012 2:37 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Yesterday @ 8:31 AM
Points: 40,456, Visits: 36,912
krishnarajeesh (12/23/2012)
That is OPERATION 'LOP_DELETE_ROWS' will not have have the login info, where as "LOP_BEGIN_XACT" for that delete will have.


No, it won't. It has the database user info, not the login info.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1400513
Posted Thursday, December 27, 2012 6:50 AM


SSC-Insane

SSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-Insane

Group: General Forum Members
Last Login: Today @ 2:38 AM
Points: 20,816, Visits: 32,751
dedicatedtosql (12/26/2012)

Thank you very much for the advice.
Actualy We have both CDC as well as Auditing in place for the prod database. But this was a local environment. Where we have many sysadmins. I know it is a worst practice. I am new here and I adviced them not to. But they want it to stay this way.

Regards



Looks to me like you need to set up auditing and CDC in this environment as well.



Lynn Pettis

For better assistance in answering your questions, click here
For tips to get better help with Performance Problems, click here
For Running Totals and its variations, click here or when working with partitioned tables
For more about Tally Tables, click here
For more about Cross Tabs and Pivots, click here and here
Managing Transaction Logs

SQL Musings from the Desert Fountain Valley SQL (My Mirror Blog)
Post #1400601
Posted Friday, December 28, 2012 12:42 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Wednesday, November 26, 2014 2:16 PM
Points: 320, Visits: 966
If you have default trace records from around the time of the delete, you may be able to compile a list of suspects. Hopefully you do not too may people that have sysadmin access on your system.
Post #1401020
Posted Friday, December 28, 2012 1:20 PM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Yesterday @ 1:08 PM
Points: 12,927, Visits: 32,333
arnipetursson (12/28/2012)
If you have default trace records from around the time of the delete, you may be able to compile a list of suspects. Hopefully you do not too may people that have sysadmin access on your system.


That won't help, I'm afraid.
the default trace captured DDL changes..CREATE TABLE/INDEX etc kinds of things.

it does not capture any DML statements like INSERT/UPDATE/DELETE; for that you need a different custom trace set up prior to the changes occurring to get any relevant info from any trace.


Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1401038
Posted Friday, December 28, 2012 2:31 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Wednesday, November 26, 2014 2:16 PM
Points: 320, Visits: 966
I am aware of that.
However you can deduce who is doing what based on the entries in the default trace.
Post #1401064
Posted Wednesday, October 30, 2013 1:05 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Monday, January 6, 2014 7:22 AM
Points: 1, Visits: 26
use tempdb
go
SELECT
[Current LSN],
[Operation],
[Transaction ID],
[Description], SPID,[Begin Time], [Transaction SID],
name 'LoginName'
FROM fn_dblog (NULL, NULL),
(select sid,name from sys.syslogins) sl
where [Transaction Name] LIKE '%delete%' and [Transaction SID] = sl.sid

my be it help's

Regards,
Satyam
Post #1509918
Posted Wednesday, October 30, 2013 3:51 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Yesterday @ 8:55 PM
Points: 35,618, Visits: 32,214
arnipetursson (12/28/2012)
I am aware of that.
However you can deduce who is doing what based on the entries in the default trace.


How? How can you deduce who did a simple delete on a table from anything that appears in the default trace? I'm asking not as a challenge... I'm asking because, if you've actually been able to pull that off, I'd REALLY like to know because it would be incredibly useful.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1509965
Posted Wednesday, October 30, 2013 5:13 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Wednesday, November 26, 2014 2:16 PM
Points: 320, Visits: 966
I have been able to deduce from seeing other activity by logins with sa privileges around the time of a given event.
E.g. tempdb object creation or worse yet sort warnings.

All it tells you is that a given login from a given server was active at a certain time.

Presumably a small list of logins has the ability to delete data.

I have found the culprit causing slowness at a given time, by finding sort warnings related to certain sessions.

All I am saying is that you can come up with a list of people to ask if you get lucky.

Post #1509984
« Prev Topic | Next Topic »

Add to briefcase ««12

Permissions Expand / Collapse