Over the past three years since I first took a look at the
insides of a Transaction Log file, I have noticed some more great products to
enable forensics such as ApexSQL ( which makes the job simple), Lumigent Log Explorer, and other Free tools mentioned below, as
well as real world scenario that describes every step BlackHat.com
would perform in the case of the deepest dive.
about what is happening in the Transaction Log? The raison d’être of a transaction log file is to write all the
necessary information we need to recuperate any and all activity happening
against the database, hence the interest.
Every SQL Server database must have at least one log file. Here are a
few ways to take a brief look what is inside the log file itself:
DEFAULT) AS l-- more examples, and
-- 0 for minimum info, 1 for
more, 2 for detailed, 3 full, 4 full+hex
to be able read the active log files, as well as those that were archived. The archived logs gave us the option, with
the help of third party tools (or thanks to in part the query above), to effectively
interrogate the log file as if it were one mega table. The way that Lumigent Log Explorer's documentation describes it: 'to
assist you in solving or recovering from problems that may occur in a typical
database system' - gets the heart of what could be a potential point-in-time
restore. Nota Bene: Please use Full recovery model
if this is your requirement or if you are in doubt (thankfully it's a database
model default setting) here are the many reasons why.
can read and display contents of transaction log files - Internals Viewer for
SQL Server (IV). The three main components are: Allocation Map, Page Viewer,
and Transaction Log Viewer. IV integrates with SSMS and works for both SQL
Server 2005 and 2008. The tool is limited, so expect to pay for tools when full
functionality is required.
one point that no logic can explain, and thus your database integrity is in
question - not a place where any DBA wants to be naturally. Empowering yourself
to dig into the log file and resolve these types of mysteries is the main point
of this post, because you will be able to find out what the values were
before/after a change to the database, and who/what application has committed
the change, whereas before one typically disregards anomalies for lack of
forensic tools and time. This gives us
motivation to ensure that log files are archived, since we're following
Erasmus' Adages proverb to 'leave no stone unturned,' with respect to resolving
transactions as BEGIN_XACT , COMMIT_XACT), it is even therefore
possible to raise alerts for undesirable activity, e.g. someone executing data
definition language in production. Combined with Database Mail and SQL Server
Agent this can be automated
too, or in the case of Lumigent Log Explorer, one
can configure an alert for each DDL/DML command, which is perhaps useful - to
filter out problems in development. The
approach of monitoring objects during manipulation or creation will allow you to
take control of an environment progressively and proactively.
Transaction Log itself (full
list here – Appendix B):
Writing to Buffer.
that a transaction has committed.
Creating an index.
were deleted from a table.
table has been modified.
Dropping an index.
Checkpoint has finished.
physically expunged from a page, now free for new rows.
grown a database file.
that a 2-phase commit transaction was rolled back.
of a newly allocated database page.
into a user or system table.
Definition Language change - table schema was modified.
designate that an application has issued a 'SAVE TRANSACTION' command.
that a row was modified as the result of an Update command.
page created and has initialized the header of that page.
as a result of an Update command.
Transaction is in a 2-phase commit protocol.
Designates that the DBMS modified space allocation bits as the result of
allocating a new extent.
a previously allocated extent has been returned to the free pool.
sorting while creating an index.
Sorting extents as part of building an index.
The page split process has been dumped.
the Checkpoint, open transactions were detected.
Special thanks to Aliaksei Yauseichyk for his contributions to this post, and for being an enthusiastic new colleague!