September 27, 2007 at 9:52 am
Hi all,
Anyone know of any way in SQL Server that allow me to find record value before and after update value for auditing purpose. I know it can be done by witting trigger. But does SQL Server have some audit native way that can accomplish this? If the database is in Full log mode, would I be able to read the transaction redo log and get the before update value base on some transaction id?
There must be some way of doing this right? There are third party product that claim to be able to restore records on accidentally update or delete without restoring the whole database. So I assume they must have some way of reading the transaction log? Anyone have experience with doing this? Any help would be greatly appreciate?
Thanks,
Louis.
September 28, 2007 at 3:28 am
Louis Lam (9/27/2007)
Hi all,Anyone know of any way in SQL Server that allow me to find record value before and after update value for auditing purpose. I know it can be done by witting trigger. But does SQL Server have some audit native way that can accomplish this? If the database is in Full log mode, would I be able to read the transaction redo log and get the before update value base on some transaction id?
There must be some way of doing this right? There are third party product that claim to be able to restore records on accidentally update or delete without restoring the whole database. So I assume they must have some way of reading the transaction log? Anyone have experience with doing this? Any help would be greatly appreciate?
Thanks,
Louis.
Hi Luis,
the transaction log indeed contains the information about how data rows have changed. It contains full information for inserted and deleted rows, deltas for modified rows (if you modify only 2 bytes in a 100 byte long row, only the old two and the new two bytes will be recorded). The data is not recorded for table truncations and table drops. There are some operations like table splits, page movements that are more difficult to follow. Depends on how desperate you are, you can look at
dbcc log (dbid,-1) with tableresults
but these are difficult to understand if you have not spent working with transaction logs before. There are however third party tools. I've written one to 2000 (Log Rescue, this is free), Lumigent, Apex and Quest have a tool that works with 2005.
Regards,
Andras
September 28, 2007 at 1:57 pm
Hi Andras,
Thank you for the information. This is very helpfull 🙂 I did a simple test using this query
update test set col1 = 'hello again2'
Then I ran dbcc log (11, -1) with tableresults I got 3 three new rows, out of which I beleive this one is pertain to my transaction. Do you know where I can get information on interpreting these result. In particular, there are some column name begin with rowlog contents, I believe these must be the content of my update. But it is in some hex value, I guest? Any way to convert this to format like varchar?
Thanks.
00000015:0000019d:0003LOP_MODIFY_ROWLCX_HEAP0000:0000026c0x00006212400000015:0000019d:00010x020072057594042318848dbo.test0001:00000098000000015:0000005e:0002720575940383211526549NULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULL3ACQUIRE_LOCK_IX OBJECT: 11:2073058421:0 ;ACQUIRE_LOCK_IX PAGE: 11:1:152;ACQUIRE_LOCK_X RID: 11:1:152:0NULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULLNULL0x160068656C6C6F20616761696E0x170068656C6C6F20616761696E320x0x0101000C0000755C907B00000102000402030004NULL0x00003E00150000009D010000010002006C02000000000401980000000100000043000000150000005E00000002000001000006000000000109000D00410004000D000E0000001400160068656C6C6F20616761696E010000170068656C6C6F20616761696E3200000101000C0000755C907B00000102000402030004
January 15, 2008 at 11:05 am
If you're still looking to reconstruct the data row from that Hex string, check this document out ... particularly page 40.
http://www.sans.org/reading_room/whitepapers/application/1906.php
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply