Audit the Oracle Database Without Compromising Performance: Dbvisit Replicate’s Hidden “Gem”

Owned by Clive Otten (Unlicensed)
Jan 20, 2020
13 min read

Auditing production database activity is an important administrative process, which should not be ignored.  Those who consider auditing unnecessary ignore it at their peril!. There are several techniques offered by Oracle to audit the database, in both Standard Edition (SE) and Enterprise Edition (EE), from the audit command and fine grained auditing, through to manual audit triggers. 

Regardless of the method used, auditing a database always impacts its performance. Auditing requires forethought about what exactly needs to be audited because, when enabled, it adds overhead in terms of resource utilisation and  space consumption. Poorly designed or unplanned approaches can lead to catastrophe. For example: AUD$ extends throughout the SYSTEM tablespace and could hang the database.

The audit feature of Dbvisit Replicate, one of its hidden gems, is mainly used in conjunction with ELT processing to load data changes in real time into the data warehouse.  It reduces the primary system load, and provides real time updates to the data warehouse. But this can also be employed to capture data changes made to specified schemas and tables in the primary database, for the purpose of analysis.

Along with recording data changes, Dbvisit Replicate also captures auditing information such as the type of DML operation, SCN, timestamp of DML, commit timestamp of DML, transition id, Oracle session ID, Oracle user and client information (hostname, process id, OS username, Application name, OS terminal). One of the key features, unlike traditional auditing options however, is that Dbvisit Replicate can be configured to audit data changes without impacting the performance of the database. And this harvested audit trail can then be written to a different database.

In short Dbvisit Replicate can be seen as the smart alternative for audit requirements over against the traditional approaches. So let’s take a look at how this works... By default the MINE process of Dbvisit Replicate runs on the primary database server, reads the redo (and archive logs if processing falls behind) to capture the data changes. Due to Dbvisit Replicate’s flexible architecture, we can also offload the MINE process to an intermediate server and instruct MINE to read only redo logs transferred by the lightweight FETCHER process, which has negligible impact on the source database/server. 

Another option can also be to have MINE read the archive, rather than redo, logs. So there are a number of different possible configurations that can be employed. In the following example, I have described the step-by-step configuration of Dbvisit Replicate for auditing data changes made to a table called ORDERS in my test environment, without impacting the performance of the source database. Environment

 

Server (Linux)

Database

Schema

Table

Source

dbvlin203

dbl203

test1

Orders

Target

dbvlin204

dbl204

test1

Orders_audit

Following is the structure of the Orders table:

SQL> desc orders; Name Null? Type ----------------------------------------- ORDER_DATE NOT NULL TIMESTAMP(6) WITH LOCAL TIME ZONE ORDER_MODE VARCHAR2(8) CUSTOMER_ID NOT NULL NUMBER(12) ORDER_STATUS NUMBER(2) ORDER_TOTAL NUMBER(8,2) SALES_REP_ID NUMBER(6) PROMOTION_ID NUMBER(6) WAREHOUSE_ID NUMBER(6) DELIVERY_TYPE VARCHAR2(15) COST_OF_DELIVERY NUMBER(6) WAIT_TILL_ALL_AVAILABLE VARCHAR2(15) DELIVERY_ADDRESS_ID NUMBER(12) CUSTOMER_CLASS VARCHAR2(30) CARD_ID NUMBER(12) INVOICE_ADDRESS_ID NUMBER(12) SQL>

Config 1. Running the Setup Wizard:  In the first step of the Dbvisit Replicate setup wizard we specify source and target databases as usual, as we would do for “standard” (non-audit) replication. It is Steps 2 and 3 , however, which are critical for configuring Dbvisit Replicate for auditing. Setup Wizard - Step 2:

  • Choose “ddl-only” in “Lock and copy the data initially one-by-one or at a single SCN?” question. -       Choose “ddl-run” in “What data instantiation script to create?” question.

Step 2 - Replication pairs ======================================== The second step is to set source and targets for each replication pair. Let's configure the replication pair, selecting source and target. Following databases are described: 1: dbl203 (Oracle) 2: dbl204 (Oracle) Select source database: [1] Select target database: [2] Will DDL replication be enabled? [yes] Use fetcher to offload the mining to a different server? (yes/no) [no] Would you like to encrypt the data across the network (yes or no) [no] Would you like to compress the data across the network (yes or no) [no] How long do you want to set the network timeouts. Recommended range between 60-300 seconds [60] Lock and copy the data initially one-by-one or at a single SCN? one-by-one : Lock tables one by one and capture SCN single-scn : One SCN for all tables ddl-only : Only DDL script for target objects resetlogs : Use SCN from last resetlogs operation (standby activation, rman incomplete recovery) no-lock : Do not lock tables. Captures previous SCN of oldest active transaction. Requires pre-requisite running of pre-all.sh script (one-by-one/single-scn/ddl-only/resetlogs/no-lock) [single-scn] ddl-only What data instantiation script to create? dp_networklink : Data Pump with network link. No export datafile is created (APPLY.sh) dp_exp : Data Pump with export datafile. Creates an export datafile (APPLY.sh) exp : Pre-datapump exp/imp with export datafile (APPLY.sh) ddl_file : DDL file created (APPLY.sql) ddl_run : DDL is automatically executed on target load : All replicated data is created and loaded automatically none (dp_networklink/dp_exp/exp/ddl_file/ddl_run/load/none) [ddl_file] ddl_run Following replication pairs are now configured: 1: dbl203 (Oracle) ==> dbl204 (Oracle), DDL: yes, fetcher: no, process suffix: (no suffix), compression: no, encryption: no, network timeout: 60, prepare type: ddl-only, data load: ddl_run Enter number of replication pair to modify it, or "add", or "done": [done]

Selecting these two options instructs Dbvisit Replicate to create the audit table in target database when the APPLY process is started. It will do this automatically, and does not require additional manual configuration. Setup Wizard - Step 3: In step 3 of the setup wizardwe have the option to rename the target table if desired, as by default Dbvisit Replicate will assign it the same name as the source. We also activate the audit feature and select particular audit information we want to retrieve.

Step 3 - Replicated tables ======================================== The third step is to choose the schemas and tables to be replicated. If the databases are reachable, the tables are checked for existence, datatype support, etc., schemas are queried for tables. Note that all messages are merely hints/warnings and may be ignored if issues are rectified before the scripts are actually executed. Following tables are defined for replication pairs: 1: dbl203 (Oracle) ==> dbl204 (Oracle), DDL: yes, suffix: (no suffix), prepare: ddl-only No tables defined. Enter number of replication pair to modify it, or "done": [1] Please enter list of all individual tables to be replicated. Enter schema name(s) only to replicate all tables in that schema. Use comma or space to delimit the entries. Enter the tables and schemas: [] test1.orders Selected tables: TEST1.ORDERS Add more tables or schemas? (YES/NO) [NO] To replicate changes of PL/SQL objects in schema(s), please enter the schemas to be replicated. Note that specifying any entry will cause additional privileges to be granted to dbvrep. Enter through a comma or space-delimited list. Enter the list of schemas (PL/SQL): [] You can also specify some advanced options: 1. Exclude some tables from schema-level replication 2. Rename schemas or tables. 3. Specify filtering conditions. 4. (Tables only) Configure Change Data Capture; this does not maintain a copy of the source table, but logs all operations as separate entries. This is useful for ETL or as an audit trail. This usually requires adding of new columns (timestamps, old/new values etc.) to the target table. Specify rename name, filter condition, CDC/Audit/ETL for any of the specified tables (yes/no): [no] yes Rename SCHEMA name for TEST1.ORDERS (empty means no rename): [] Rename TABLE name for TEST1.ORDERS (empty means no rename): [] orders_audit Filter the data to be replicated? If yes, use single condition for ALL DML operations or use CUSTOM conditions for each operation? (NO/ALL/CUSTOM) [NO] Configure change data capture for change auditing or real-time BI? (NO/YES) [NO] yes Capture DELETE operations? (YES/NO) [YES] Capture UPDATE operations - old values? (YES/NO) [YES] Capture UPDATE operations - new values? (YES/NO) [YES] Capture INSERT operations? (YES/NO) [YES] The columns at the target table can be called the same as on the source table, or they can be prefixed to indicate whether they contain old or new values. As both new and old values for update are specified, at least one prefix has to be defined. Prefix for columns with OLD values: [] old_ Prefix for columns with NEW values: [] new_ Dbvisit Replicate can include additional information into the target table; this can be used to identify type of change, when it occurred, who initiated the change etc. Add basic additional information about the changes? (SCN, time, operation type) (YES/NO) [YES] Add more transactional information? (transaction id, commit time) (YES/NO) [NO] yes Add auditing columns? (login user, machine, OS user...) (YES/NO) [NO] yes Setup wizard chose following default names for the columns; you can use them or choose own names. Note that empty answer confirms the proposed default; use "-" (minus) to remove the column from the CDC. CLIENT_INFO: Client info (cliinfo) CURRENT_USER: Current user (cuser) LOGON_USER: Logon user (luser) MACHINE: Client machine name (machine) OPERATION: Operation code (U/I/D) (opcol) OS_PROC_ID: OS process id (osproc) OS_PROG: OS program name (osprog) OS_TERM: OS terminal (osterm) OS_USER: OS user (osuser) SCN: SCN at source (scn) SERIAL: Oracle session serial# (serial) SID: Oracle session ID (sid) DATE_CHANGE: Date and time of the change (timestamp_change) DATE_COMMIT: Date and time of transaction commit (timestamp_commit) TRANSACTION_ID: Transaction ID (mandatory if timestamp_commit is used; please define an index on transaction ID in such case) (xidcol) TRANSACTION_NAME: Transaction name (xidname) Accept these settings? (YES/NO) [YES] Following tables are defined for replication pairs: 1: dbl203 (Oracle) ==> dbl204 (Oracle), DDL: yes, suffix: (no suffix), prepare: ddl-only TEST1.ORDERS => TEST1.ORDERS_AUDIT Enter number of replication pair to modify it, or "done": [done]

Step-4 of the setup wizard is used to configure MINE and APPLY processes as shown hereConfig 2: Running  *-all.sh script After completing the setup wizard, we can run the *-all.sh script to execute the configuration scripts generated by the setup wizard. Following is the screenshot of my test system *-all.sh script.

Config 3: Starting MINE and APPLY processes.  The next step is to copy the APPLY ddc file and the script to start the APPLY process to the target server.

Then, as we want to keep the workload on the source system to a minimum, we instruct MINE to read from archives only by adding “set REDO_READ_METHOD=ARCHONLY” command in the MINE ddc file.

Start MINE processes

Start APPLY process.

You can now see Replication console with current status of MINE and APPLY by running start-console.sh script.

Following is the structure of the orders_audit table, created in the test1 schema of the target database by the APPLY process.

Now let’s see auditing in action. I am going to update, delete and insert a record with order_id=148 in the Orders table on the source database.

Replication Console:

Dbvisit Replicate has captured these DMLs and stored three records in the orders_audit table. There are many columns in the ORDERS_AUDIT table, therfore I am first showing values populated from DML execution on source and then audit information.

The orders_audit table can be used to monitor user activities, as well as enabling us to make use of both the old and new datasets in the ETL process of data warehousing. Conclusion: Dbvisit Replicate provides a cost effective logical data replication solution from Oracle to Oracle and out to other RDBMS platforms, allowing you to complete migrations & upgrades, provide offload reporting and manage distributed data. But don’t forget this additional hidden gem, as the audit feature is there for you to explore and embed in different data analysis solutions. If you want to know more about this audit feature or want to discuss any use cases contact us now.