Hoping someone can explain why I am running into the issue seen
below. I do a select count(*) from sys.aud$ and get one number, but
when I do a delete using the same where condition I get a
substantially different number of records to be deleted.
*******************************
SQL> select count(*) from sys.aud$ where userid = 'MIKE1';
COUNT(*)
----------
33570
SQL> delete from sys.aud$ where userid = 'MIKE1';
2 rows deleted.
SQL> rollback work;
Rollback complete.
SQL> select count(*) from sys.aud$;
COUNT(*)
----------
147042
SQL> delete from sys.aud$;
12154 rows deleted.
SQL> rollback work;
Rollback complete.
*******************************
Can anyone offer a reason as to why I am seeing such differing
results?
Thank you.
Gary
|
|
0
|
|
|
|
Reply
|
 GaryA
|
12/23/2009 4:13:16 PM |
|
Forgot to mention that this is Oracle 11g on Windows 2003 Server.
The statements worked as expected in an Oracle8i environment.
-Gary
|
|
|
0
|
|
|
|
Reply
|
GaryA
|
12/23/2009 4:22:25 PM
|
|
On Dec 23, 11:22=A0am, GaryA <garyi...@yahoo.com> wrote:
> Forgot to mention that this is Oracle 11g on Windows 2003 Server.
>
> The statements worked as expected in an Oracle8i environment.
>
> -Gary
Hi Gary,
No clue. I would suggest:
1) Enable 10046 trace on your session and then issuing each.
2) Opening an SR if what is above doesn't show what is different.
Thanks,
Steve
|
|
|
0
|
|
|
|
Reply
|
Steve
|
12/23/2009 6:10:19 PM
|
|
On Dec 23, 11:13=A0am, GaryA <garyi...@yahoo.com> wrote:
> Hoping someone can explain why I am running into the issue seen
> below. =A0I do a select count(*) from sys.aud$ and get one number, but
> when I do a delete using the same where condition I get a
> substantially different number of records to be deleted.
>
> *******************************
> SQL> select count(*) from sys.aud$ where userid =3D 'MIKE1';
>
> =A0 COUNT(*)
> ----------
> =A0 =A0 =A033570
>
> SQL> delete from sys.aud$ where userid =3D 'MIKE1';
>
> 2 rows deleted.
>
> SQL> rollback work;
>
> Rollback complete.
>
> SQL> select count(*) from sys.aud$;
>
> =A0 COUNT(*)
> ----------
> =A0 =A0 147042
>
> SQL> delete from sys.aud$;
>
> 12154 rows deleted.
>
> SQL> rollback work;
>
> Rollback complete.
> *******************************
>
> Can anyone offer a reason as to why I am seeing such differing
> results?
>
> Thank you.
> Gary
Who are you connected as? Do you have sys auditing turned on? Do you
have extended auditing turned on?
Did you query the dba_audit_trail to see if new audit rows were
inserted because of your action to see what information these rows may
show?
Post your audit rules.
HTH -- Mark D Powell --
|
|
|
0
|
|
|
|
Reply
|
Mark
|
12/23/2009 8:49:59 PM
|
|
On Dec 23, 3:49=A0pm, Mark D Powell <Mark.Powe...@hp.com> wrote:
> On Dec 23, 11:13=A0am, GaryA <garyi...@yahoo.com> wrote:
>
>
>
> > Hoping someone can explain why I am running into the issue seen
> > below. =A0I do a select count(*) from sys.aud$ and get one number, but
> > when I do a delete using the same where condition I get a
> > substantially different number of records to be deleted.
>
> > *******************************
> > SQL> select count(*) from sys.aud$ where userid =3D 'MIKE1';
>
> > =A0 COUNT(*)
> > ----------
> > =A0 =A0 =A033570
>
> > SQL> delete from sys.aud$ where userid =3D 'MIKE1';
>
> > 2 rows deleted.
>
<snip>
>
> > Thank you.
> > Gary
>
> Who are you connected as? =A0Do you have sys auditing turned on? =A0Do yo=
u
> have extended auditing turned on?
>
I have tried this connected as SYS, SYSTEM, and a user account with
SELECT and DELETE privileges on SYS.AUD$.
Sys auditing is false. Extended auditing is also off.
audit_sys_operations=3DFALSE
audit_trail=3DDB
> Did you query the dba_audit_trail to see if new audit rows were
> inserted because of your action to see what information these rows may
> show?
>
> Post your audit rules.
>
> HTH -- Mark D Powell --
I've discovered that if I connect "AS SYSDBA", I can delete the rows
as expected. However, when I connect simply as "SYS", I get the
results shown in the initial post. I'm now making an assumption that
perhaps something has changed in regards to security on the AUD$ table
between Oracle8 (where "AS SYSDBA" didn't seem to be required to
delete the rows) and Oracle11.
-Gary
|
|
|
0
|
|
|
|
Reply
|
GaryA
|
12/24/2009 2:19:26 PM
|
|
I have found the cause of the discrepancies in the records counts
after deleting records from sys.aud$, but I'm still at a loss as to
the rationale behind it.
When I connect "AS SYSDBA", I can delete all the records that meet the
section criteria.
When I do not connect "AS SYSDBA", the delete command deletes all the
sys.aud$ records meeting the criteria EXCEPT those with action# = 7,
which are audits records of other previous delete commands.
At least I now know what I have to do to resolve this issue and delete
the records I need to delete.
-Gary
|
|
|
0
|
|
|
|
Reply
|
GaryA
|
12/24/2009 4:29:44 PM
|
|
On Dec 24, 5:29=A0pm, GaryA <garyi...@yahoo.com> wrote:
> I have found the cause of the discrepancies in the records counts
> after deleting records from sys.aud$, but I'm still at a loss as to
> the rationale behind it.
>
> When I connect "AS SYSDBA", I can delete all the records that meet the
> section criteria.
>
> When I do not connect "AS SYSDBA", the delete command deletes all the
> sys.aud$ records meeting the criteria EXCEPT those with action# =3D 7,
> which are audits records of other previous delete commands.
>
> At least I now know what I have to do to resolve this issue and delete
> the records I need to delete.
>
> -Gary
I think this is (more or less) documented behaviour, see e.g.:
http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cfgaudit.ht=
m#i1011521
The point is that audit entries for auditing SYS.AUD$ can not be
deleted by "non-SYSDBA" users.
Quote from the link above: "DELETE, INSERT, UPDATE, and MERGE
operations on SYS.AUD$ table are always audited, and such audit
records are not allowed to be deleted."
Regards,
Randolf
Oracle related stuff blog:
http://oracle-randolf.blogspot.com/
Co-author of the forthcoming "OakTable Expert Oracle Practices" book:
http://www.apress.com/book/view/1430226684
http://www.amazon.com/Expert-Oracle-Practices-Database-Administration/dp/14=
30226684
|
|
|
0
|
|
|
|
Reply
|
Randolf
|
12/24/2009 9:50:24 PM
|
|
On Dec 24, 11:29=A0am, GaryA <garyi...@yahoo.com> wrote:
snip
> I have found the cause of the discrepancies in the records counts
> after deleting records from sys.aud$, but I'm still at a loss as to
> the rationale behind it.
>
> When I connect "AS SYSDBA", I can delete all the records that meet the
> section criteria.
That's pretty much a basic concept ... not surprised that people did
not understand you were not doing it already.
In posts like this it always helps if one supplies complete examples
including all the code in a script or testcase so any such assumptions
get flushed out as quickly as possible.
> When I do not connect "AS SYSDBA", the delete command deletes all the
> sys.aud$ records meeting the criteria EXCEPT those with action# =3D 7,
> which are audits records of other previous delete commands.
>
> At least I now know what I have to do to resolve this issue and delete
> the records I need to delete.
Probably looking at the oracle documentation is also a good idea.
|
|
|
0
|
|
|
|
Reply
|
hpuxrac
|
12/25/2009 2:26:53 AM
|
|
On Dec 24, 9:19=A0am, GaryA <garyi...@yahoo.com> wrote:
> On Dec 23, 3:49=A0pm, Mark D Powell <Mark.Powe...@hp.com> wrote:
>
>
>
>
>
> > On Dec 23, 11:13=A0am, GaryA <garyi...@yahoo.com> wrote:
>
> > > Hoping someone can explain why I am running into the issue seen
> > > below. =A0I do a select count(*) from sys.aud$ and get one number, bu=
t
> > > when I do a delete using the same where condition I get a
> > > substantially different number of records to be deleted.
>
> > > *******************************
> > > SQL> select count(*) from sys.aud$ where userid =3D 'MIKE1';
>
> > > =A0 COUNT(*)
> > > ----------
> > > =A0 =A0 =A033570
>
> > > SQL> delete from sys.aud$ where userid =3D 'MIKE1';
>
> > > 2 rows deleted.
>
> <snip>
>
>
>
> > > Thank you.
> > > Gary
>
> > Who are you connected as? =A0Do you have sys auditing turned on? =A0Do =
you
> > have extended auditing turned on?
>
> I have tried this connected as SYS, SYSTEM, and a user account with
> SELECT and DELETE privileges on SYS.AUD$.
> Sys =A0auditing is false. =A0Extended auditing is also off.
>
> audit_sys_operations=3DFALSE
> audit_trail=3DDB
>
> > Did you query the dba_audit_trail to see if new audit rows were
> > inserted because of your action to see what information these rows may
> > show?
>
> > Post your audit rules.
>
> > HTH -- Mark D Powell --
>
> I've discovered that if I connect "AS SYSDBA", I can delete the rows
> as expected. =A0However, when I connect simply as "SYS", I get the
> results shown in the initial post. =A0I'm now making an assumption that
> perhaps something has changed in regards to security on the AUD$ table
> between Oracle8 (where "AS SYSDBA" didn't seem to be required to
> delete the rows) and Oracle11.
>
> =A0-Gary- Hide quoted text -
>
> - Show quoted text -
Gad you figured it out.
-- Mark D Powell --
|
|
|
0
|
|
|
|
Reply
|
Mark
|
12/26/2009 3:12:29 AM
|
|
|
8 Replies
454 Views
(page loaded in 0.159 seconds)
|
Search |
Post Question |
Groups |
Stream |
About |
Register
21488 articles. 
9 followers. 