Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

audit data change, before and updated value Expand / Collapse
Author
Message
Posted Thursday, September 27, 2007 9:52 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 27, 2013 4:14 PM
Points: 29, Visits: 71
Hi all,

Anyone know of any way in SQL Server that allow me to find record value before and after update value for auditing purpose. I know it can be done by witting trigger. But does SQL Server have some audit native way that can accomplish this? If the database is in Full log mode, would I be able to read the transaction redo log and get the before update value base on some transaction id?

There must be some way of doing this right? There are third party product that claim to be able to restore records on accidentally update or delete without restoring the whole database. So I assume they must have some way of reading the transaction log? Anyone have experience with doing this? Any help would be greatly appreciate?

Thanks,
Louis.
Post #403606
Posted Friday, September 28, 2007 3:28 AM


Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Thursday, January 26, 2012 5:26 AM
Points: 1,367, Visits: 1,585
Louis Lam (9/27/2007)
Hi all,



Anyone know of any way in SQL Server that allow me to find record value before and after update value for auditing purpose. I know it can be done by witting trigger. But does SQL Server have some audit native way that can accomplish this? If the database is in Full log mode, would I be able to read the transaction redo log and get the before update value base on some transaction id?



There must be some way of doing this right? There are third party product that claim to be able to restore records on accidentally update or delete without restoring the whole database. So I assume they must have some way of reading the transaction log? Anyone have experience with doing this? Any help would be greatly appreciate?



Thanks,

Louis.


Hi Luis,

the transaction log indeed contains the information about how data rows have changed. It contains full information for inserted and deleted rows, deltas for modified rows (if you modify only 2 bytes in a 100 byte long row, only the old two and the new two bytes will be recorded). The data is not recorded for table truncations and table drops. There are some operations like table splits, page movements that are more difficult to follow. Depends on how desperate you are, you can look at
dbcc log (dbid,-1) with tableresults

but these are difficult to understand if you have not spent working with transaction logs before. There are however third party tools. I've written one to 2000 (Log Rescue, this is free), Lumigent, Apex and Quest have a tool that works with 2005.

Regards,
Andras




Andras Belokosztolszki, MCPD, PhD
GoldenGate Software
Post #403939
Posted Friday, September 28, 2007 1:57 PM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 27, 2013 4:14 PM
Points: 29, Visits: 71
Hi Andras,

Thank you for the information. This is very helpfull :) I did a simple test using this query

update test set col1 = 'hello again2'

Then I ran dbcc log (11, -1) with tableresults I got 3 three new rows, out of which I beleive this one is pertain to my transaction. Do you know where I can get information on interpreting these result. In particular, there are some column name begin with rowlog contents, I believe these must be the content of my update. But it is in some hex value, I guest? Any way to convert this to format like varchar?

Thanks.


00000015:0000019d:0003 LOP_MODIFY_ROW LCX_HEAP 0000:0000026c 0x0000 62 124 00000015:0000019d:0001 0x0200 72057594042318848 dbo.test 0001:00000098 0 00000015:0000005e:0002 72057594038321152 65 4 9 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL 3 ACQUIRE_LOCK_IX OBJECT: 11:2073058421:0 ;ACQUIRE_LOCK_IX PAGE: 11:1:152;ACQUIRE_LOCK_X RID: 11:1:152:0 NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL NULL 0x160068656C6C6F20616761696E 0x170068656C6C6F20616761696E32 0x 0x0101000C0000755C907B00000102000402030004 NULL 0x00003E00150000009D010000010002006C02000000000401980000000100000043000000150000005E00000002000001000006000000000109000D00410004000D000E0000001400160068656C6C6F20616761696E010000170068656C6C6F20616761696E3200000101000C0000755C907B00000102000402030004

Post #404234
Posted Tuesday, January 15, 2008 11:05 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, January 15, 2008 10:56 AM
Points: 1, Visits: 2
If you're still looking to reconstruct the data row from that Hex string, check this document out ... particularly page 40.

http://www.sans.org/reading_room/whitepapers/application/1906.php
Post #443144
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse