Method 1:
==============================================================
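Create a trigger that tracks down the source of the account lockout and writes it to the alert log.
After a user's login attempt fails, the alert log records entries like the following: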
Wed Mar 30 19:36:37 2016 logon denied from 172.16.0.10 Administrator with plsqldev.exe
Wed Mar 30 19:37:32 2016 logon denied from 20452 oracle with sqlplus@test (TNS V1-V3)
This trigger only records failed logins; normal successful logins are not recorded.
As follows:
create or replace trigger logon_denied_to_alert
  after servererror on database
declare
  message   varchar2(120);
  IP        varchar2(15);
  v_os_user varchar2(80);
  v_module  varchar2(50);
  v_action  varchar2(50);
  v_pid     varchar2(10);
  v_sid     number;
begin
  -- ORA-01017: invalid username/password; logon denied
  IF (ora_is_servererror(1017)) THEN
    if sys_context('userenv', 'network_protocol') = 'tcp' then
      -- TCP connection: record the client IP address
      IP := sys_context('userenv', 'ip_address');
    else
      -- local connection: record the OS process id of the server process instead
      select distinct sid into v_sid from sys.v_$mystat;
      SELECT p.SPID
        into v_pid
        FROM V$PROCESS p, V$SESSION v
       WHERE p.ADDR = v.PADDR
         AND v.sid = v_sid;
    end if;
    v_os_user := sys_context('userenv', 'os_user');
    dbms_application_info.READ_MODULE(v_module, v_action);
    message := to_char(sysdate, 'Dy Mon dd HH24:MI:SS YYYY') ||
               ' logon denied from ' || nvl(IP, v_pid) || ' ' || v_os_user ||
               ' with ' || v_module || ' ' || v_action;
    -- destination 2 = write the message to the alert log
    sys.dbms_system.ksdwrt(2, message);
  end if;
end;
/
==============================================================
The method above is based on the MOS document
Finding the source of failed login attempts. [ID 352389.1]
A second MOS document, on auditing, is included for further ideas
How to Audit User Connection, Disconnection Date and Time [ID 99786.1]
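As an added example (not part of the original post or the MOS note), the following Python parses the lines that the Method 1 trigger writes to the alert log and counts failed logons per source, OS user and program. The sample log text is constructed from the two lines shown above plus invented ones, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample alert-log excerpt: the two lines shown above, one
# repeated, plus an invented unrelated entry that the parser must skip.
SAMPLE_ALERT_LOG = """\
Wed Mar 30 19:36:37 2016 logon denied from 172.16.0.10 Administrator with plsqldev.exe
Thread 1 advanced to log sequence 1234 (LGWR switch)
Wed Mar 30 19:36:41 2016 logon denied from 172.16.0.10 Administrator with plsqldev.exe
Wed Mar 30 19:37:32 2016 logon denied from 20452 oracle with sqlplus@test (TNS V1-V3)
"""

# Layout produced by the trigger:
#   <timestamp> logon denied from <ip|pid> <os_user> with <module> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) logon denied from "
    r"(?P<source>\S+) (?P<os_user>.+?) with ?(?P<program>.*)$"
)

def parse_line(line):
    """Return a dict for one trigger-written line, or None for anything else."""
    m = LINE_RE.match(line.rstrip())  # module/action may be empty, leaving trailing blanks
    if not m:
        return None
    source = m.group("source")
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        # The trigger logs the client IP for TCP logons, otherwise the server process id.
        "kind": "pid" if source.isdigit() else "ip",
        "source": source,
        "os_user": m.group("os_user"),
        "program": m.group("program").strip(),
    }

def summarize(text):
    """Count failed logons per (source, os_user, program), most frequent first."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    counts = Counter((e["source"], e["os_user"], e["program"]) for e in events)
    return counts.most_common()

if __name__ == "__main__":
    for (source, os_user, program), n in summarize(SAMPLE_ALERT_LOG):
        print(f"{n:3d}  {source:15s} {os_user:15s} {program}")
```

The timestamp parsing assumes the alert-log lines use English day and month abbreviations, as in the sample lines above.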
==============================================================
Method 2:
==============================================================
Alternatively, a simpler approach is as follows:
-- First create a table to store the session information at user logon.
create table LOG$INFORMATION
(
  LOGON_TIME  TIMESTAMP,
  HOST_NAME   VARCHAR2(100),
  USERNAME    VARCHAR2(40),
  SCHEMANAME  VARCHAR2(40),
  SESSIONUSER VARCHAR2(40),
  IP_ADDRESS  VARCHAR2(100)
);
-- Create a logon trigger to record the session information at logon:
CREATE OR REPLACE TRIGGER TR_LOGIN_RECORD
  AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO LOG$INFORMATION
    select
      systimestamp,
      sys_context('USERENV','HOST'),
      sys_context('USERENV','CURRENT_USER'),
      sys_context('USERENV','CURRENT_SCHEMA'),
      sys_context('USERENV','SESSION_USER'),
      sys_context('USERENV','IP_ADDRESS')
    from dual;
  COMMIT;
EXCEPTION
  -- swallow any error so that a logging failure never blocks the logon
  WHEN OTHERS THEN
    NULL;
END;
/
-- After some time has passed, look at the recorded data:
select host_name,sessionuser,ip_address,count(*)
from log$information group by host_name,sessionuser,ip_address
having count(*)>=1
order by 4;
==============================================================
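Note: beware of the risk from too many short-lived connections, which can cause the database to hang. Monitor for a short period only, and once you have the answer, consider dropping the trigger immediately.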