Enabling Level-12 trace in SYSTEM.LOGON trigger
I am trying to enable level-12 trace for a user as soon as it login to the database.
CREATE OR REPLACE TRIGGER SYSTEM.LOGON_ASPIRE
AFTER LOGON
ON DATABASE
BEGIN
if(upper(USER) = 'U_DATAHUB') then
EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
execute immediate 'alter session set current_schema=DATAHUB';
end if;
I have Grant DBA to user U_DATAHUB and I am able to generatr trace for all sessions..but all the trace file is showing this error
PARSING IN CURSOR #4 len=68 dep=2 uid=5 oct=42 lid=5 tim=14297715680259 hv=753686485 ad='0'
ALTER SESSION SET EVENTS '10046 TRACE NAME CONTEXT FOREVER,LEVEL 12'
END OF STMT
PARSE #4:c=0,e=18,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=14297715680254
ERROR #2:err=1031 tim=2228813739
Skipped error 604 during the execution of SYSTEM.LOGON_ASPIRE
*** 2008-10-24 16:09:40.272
ksedmp: internal or fatal error
ORA-00604: error occurred at recursive SQL level 1
ORA-01031: insufficient privileges
ORA-06512: at line 192
See Note:376442.1 Recommended Method for Obtaining 10046 trace for Tuning, it seems the owner of the trigger must be sys:
CREATE OR REPLACE TRIGGER SYS.LOGON_ASPIRE
AFTER LOGON
ON DATABASE
WHEN (USER = 'U_DATAHUB')
BEGIN
EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
execute immediate 'alter session set current_schema=DATAHUB';
END;It worked for me...
/u01/app/oracle/admin/orcl/udump/orcl_ora_21932.trcOracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
System name: Linux
Node name: caliope.localdomain
Release: 2.6.9-67.0.0.0.1.ELsmp
Version: #1 SMP Sun Nov 18 00:23:42 EST 2007
Machine: i686
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 15
Unix process pid: 21932, image: [email protected] (TNS V1-V3)
*** ACTION NAME:() 2008-09-10 06:52:45.598
*** MODULE NAME:([email protected] (TNS V1-V3)) 2008-09-10 06:52:45.598
*** SERVICE NAME:(SYS$USERS) 2008-09-10 06:52:45.598
*** SESSION ID:(159.3667) 2008-09-10 06:52:45.598
=====================
PARSING IN CURSOR #2 len=40 dep=2 uid=0 oct=42 lid=0 tim=1192429263279537 hv=4026204711 ad='0'
alter session set current_schema=DATAHUB
END OF STMT
PARSE #2:c=1000,e=123,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=1192429263279527
EXEC #2:c=0,e=48,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=1192429263280625
=====================
PARSING IN CURSOR #1 len=186 dep=1 uid=100 oct=47 lid=0 tim=1192429263281298 hv=2889369088 ad='4177de24'
BEGIN
EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
execute immediate 'alter session set current_schema=DATAHUB';
END;
END OF STMT
EXEC #1:c=2999,e=2971,p=0,cr=0,cu=0,mis=1,r=1,dep=1,og=4,tim=1192429263281290
WAIT #0: nam='SQL*Net message to client' ela= 7 driver id=1650815232 #bytes=1 p3=0 obj#=-1 tim=1192429263282196
>
Enrique
Edited by: Enrique Orbegozo on Oct 24, 2008 4:29 PM
Similar Messages
-
Enable CTIStorageServer logs in IPCCX server, setting Threshold level to TRACE.
Hi Guys,
I am tryed set the threshold level to trace (CTIStorageServer), but, I didn´t found the file in the path:
C:\Program Files\cisco\desktop\config\CTIStorageServer
Any have idea?
Thanks,
WilsonThanks for sharing this information Paul.
-
Sql server 2012 Logon trigger not working for certain logins
Hello. I created a login trigger to insert data for each login in a table, and it works for all logins except one that is format domain\login
and the login ends with the dollar sign(actual name is domain\CTXDEVDCSI1$).
I had been using varchar, but after reading other forum posts, I changed the varchar's to nvarchar's, but it still fails for that id.
The errors written to the sql server error log were the usual "login failed due to trigger execution".
I had granted insert on the rvvlogindata table in dsa to public, and only one id wasn't able to login after that.
Any suggestions would be much appreciated!
Here's the modified table ddl:
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[rvvlogindata](
[sessionId] [int] NULL,
[LoginTime] [datetime] NULL,
[HostName] [nvarchar](50) NULL,
[ProgramName] [nvarchar](300) NULL,
[LoginName] [nvarchar](50) NULL,
[ClientHost] [nvarchar](50) NULL
) ON [PRIMARY]
GO
Here's the logon trigger code:
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
create trigger [LOGIN_IP_RESTRICTION] on all server for logon
as
Begin
Declare @LogonTriggerData xml,
@EventTime datetime,
@LoginName nvarchar(50),
@ClientHost nvarchar(50),
@HostName nvarchar(50),
@AppName nvarchar(300)
Set @LogonTriggerData = eventdata()
set @EventTime = @LogonTriggerData.value('(/EVENT_INSTANCE/PostTime)[1]', 'datetime')
set @LoginName = @LogonTriggerData.value('(/EVENT_INSTANCE/LoginName)[1]', 'varchar(50)')
set @ClientHost = @LogonTriggerData.value('(/EVENT_INSTANCE/ClientHost)[1]', 'varchar(50)')
set @HostName = HOST_NAME()
set @AppName = APP_NAME()
insert into dsa.dbo.rvvlogindata
sessionId,
LoginTime,
HostName,
ProgramName,
LoginName,
ClientHost
select @@spid,
@EventTime,
convert(nvarchar(50),@HostName),
convert(nvarchar(300),@AppName),
convert(nvarchar(50),@LoginName),
convert(nvarchar(50),@ClientHost)
END
GO
SET ANSI_NULLS OFF
GO
SET QUOTED_IDENTIFIER OFF
GO
ENABLE TRIGGER [LOGIN_IP_RESTRICTION] ON ALL SERVER
GOErland, I wanted to add more info to my reply earlier today.
sp_who2 showed no blocking, activity monitor from my local PC SSMS showed no major waits or high i/o or cpu activity.
I was wondering if you have any suggestions on how to find out what was the cause of the 5+ minute wait for SSMS on the remote desktop to respond and fully come up.
I definitely can't put this in production with this hanging delay possibly occurring there.
I was connecting as read_user when it hung.
sp_who2 output at the time was:
1 BACKGROUND sa . . NULL LOG WRITER 54631 0 04/10
06:59:43
1 0
2 BACKGROUND sa . . NULL RECOVERY WRITER 8673 0 04/10 06:59:43
2 0
3 BACKGROUND sa . . NULL LAZY WRITER 300691 0 04/10
06:59:43
3 0
4 BACKGROUND sa . . NULL RESOURCE MONITOR 1207010 0 04/10 06:59:43
4 0
5 BACKGROUND sa . . NULL XE TIMER 38828 0 04/10
06:59:43
5 0
6 BACKGROUND sa . . NULL XE DISPATCHER 1404 0 04/10
06:59:43
6 0
7 BACKGROUND sa . . master SIGNAL HANDLER 0 0 04/10 06:59:43
7 0
8 BACKGROUND sa . . NULL LOCK MONITOR 179978 0 04/10
06:59:43
8 0
9 sleeping sa . . master TASK MANAGER 0 11 04/21
08:37:04
9 0
10 sleeping sa . . master TASK MANAGER 0 0 04/10
06:59:44
10 0
11 BACKGROUND sa . . master TRACE QUEUE TASK 546 0 04/10 06:59:44
11 0
12 BACKGROUND sa . . NULL SYSTEM_HEALTH_MO 4930 0 04/10 06:59:44
12 0
13 BACKGROUND sa . . NULL RECEIVE 422 0 04/10
06:59:45
13 0
14 BACKGROUND sa . . master CHECKPOINT 79137 31811 04/10
06:59:46
14 0
15 BACKGROUND sa . . master TASK MANAGER 1606 0 04/10
06:59:46
15 0
16 BACKGROUND sa . . NULL UNKNOWN TOKEN 0 0 04/10 06:59:46
16 0
17 sleeping sa . . master TASK MANAGER 0 74 04/21
08:37:04
17 0
18 sleeping sa . . master TASK MANAGER 0 0 04/21
08:18:49
18 0
19 sleeping sa . . master TASK MANAGER 0 0 04/21
08:30:29
19 0
20 sleeping sa . . master TASK MANAGER 0 1 04/21
08:37:14
20 0
21 sleeping sa . . master TASK MANAGER 0 7 04/21
08:30:59
21 0
22 sleeping sa . . master TASK MANAGER 16 4 04/21
08:37:44
22 0
23 sleeping sa . . master TASK MANAGER 0 15 04/21
08:39:24
23 0
25 BACKGROUND sa . . master BRKR EVENT HNDLR 0 95 04/10 06:59:48
25 0
30 BACKGROUND sa . . master BRKR TASK 0 0 04/10
06:59:48
30 0
31 BACKGROUND sa . . master BRKR TASK 16926 0 04/10
06:59:48
31 0
32 BACKGROUND sa . . master BRKR TASK 0 0 04/10
06:59:48
32 0
34 BACKGROUND sa . . master BRKR TASK 10701 0 04/10
06:59:48
34 0
51 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
03:16:56
51 0
52 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
52 0
53 sleeping NT AUTHORITY\SYSTEM SQLDEV2012 . msdb AWAITING COMMAND 0 0 04/10
06:59:58 SQLAgent - Email Logger 53 0
54 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:51 Citrix:Broker#1 54 0
55 sleeping edit_user ASDEV1 . dsa AWAITING
COMMAND 0 0 04/21 08:55:27 jTDS
55 0
56 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
56 0
57 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
57 0
58 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
58 0
59 sleeping NT AUTHORITY\SYSTEM SQLDEV2012 . msdb AWAITING COMMAND 124 242 04/10
06:59:59 SQLAgent - Generic Refresher 59 0
60 sleeping NT AUTHORITY\SYSTEM SQLDEV2012 . msdb AWAITING COMMAND 2790 1160 04/21
08:55:00 SQLAgent - Job invocation engine 60 0
61 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
61 0
62 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
62 0
63 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
63 0
64 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
64 0
65 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
65 0
66 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
03:16:56
66 0
67 sleeping reports_adm REPORTSDEVSI2 . JBOSS_Cluster_CRServer2011 AWAITING COMMAND 0 0 04/21
08:52:12 jTDS
67 0
68 sleeping edit_user DCMA10685 . dsa AWAITING COMMAND 0 0 04/21
08:56:47 jTDS
68 0
69 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:49 Citrix:Configuration 69 0
70 sleeping rvanveen DCMA8460 . master AWAITING COMMAND 1794 7120 04/21
08:51:37 Microsoft SQL Server Management Studio 70 0
71 sleeping xsp_user XSPDEVSI2 . xspv5 AWAITING COMMAND 0 0 04/21
08:58:52 .Net SqlClient Data Provider 71 0
72 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:56:01 Citrix:Monitor 72 0
73 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:30 Citrix:Monitor 73 0
74 sleeping rvanveen DCMA8460 . master AWAITING COMMAND 16 2 04/21
08:53:37 Microsoft SQL Server Management Studio - Query 74 0
75 sleeping rvanveen DCMA8460 . loginaudit AWAITING COMMAND 0 22 04/21
08:50:29 Microsoft SQL Server Management Studio - Query 75 0
76 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:05:07
76 0
77 sleeping adm_jbossportal ASDEV1 . jbossportal AWAITING
COMMAND 0 0 04/21 08:40:27 jTDS
77 0
78 sleeping rvanveen DCMA8460 . master AWAITING COMMAND 110 542 04/21
08:46:17 Microsoft SQL Server Management Studio - Query 78 0
79 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:05:56
79 0
80 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:54 Citrix:MachineCreation 80 0
81 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
08:08:29
81 0
82 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:02:13
82 0
83 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:02:15
83 0
84 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:44 Citrix:Monitor 84 0
85 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:11:05
85 0
86 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:53 Citrix:AdIdentity 86 0
87 sleeping DAIWA_USA\admsql SQLDEV2012 . master AWAITING COMMAND 15 2 04/21
08:56:20 Microsoft SQL Server Management Studio - Query 87 0
88 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:36 Citrix:SiteServices 88 0
89 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:42 Citrix:Host 89 0
90 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:47 Citrix:ConfigurationLogging 90 0
91 RUNNABLE rvanveen DCMA8460 . master SELECT INTO
15 51 04/21 08:58:46 Microsoft SQL Server Management Studio - Query 91 0
92 sleeping rvanveen DCMA8460 . master AWAITING COMMAND 63 30 04/21
08:52:34 Microsoft SQL Server Management Studio - Query 92 0
94 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:53 Citrix:DelegatedAdmin 94 0
95 sleeping DAIWA_USA\admsql SQLDEV2012 . loginaudit AWAITING COMMAND 173 27 04/21
08:56:10 Microsoft SQL Server Management Studio 95 0
96 sleeping xsp_user XSPDEVSI2 . xspv5 AWAITING COMMAND 0 0 04/21
08:58:33 .Net SqlClient Data Provider 96 0
97 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
08:10:07
97 0
98 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 31 38 04/21
08:00:31
98 0
99 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
08:10:12
99 0
100 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 282 04/21
08:10:14
100 0
101 sleeping DAIWA_USA\admsql SQLDEV2012 . master AWAITING COMMAND 0 8 04/21
08:56:50 Microsoft SQL Server Management Studio 101 0
102 sleeping DAIWA_USA\admsql SQLDEV2012 . master AWAITING COMMAND 31 0 04/21
08:54:57 Microsoft SQL Server Management Studio 102 0
103 sleeping read_user SQLDEV2012 . master AWAITING COMMAND 0 8 04/21
08:57:09 Microsoft SQL Server Management Studio 103 0
104 sleeping read_user SQLDEV2012 . dsa AWAITING COMMAND 0 0 04/21
08:57:09 Microsoft SQL Server Management Studio 104 0
105 sleeping rvanveen DCMA8460 . tempdb AWAITING COMMAND 8875 336 04/21
08:58:54 Microsoft SQL Server Management Studio 105 0
106 sleeping read_user SQLDEV2012 . master AWAITING COMMAND 16 0 04/21
08:57:39 Microsoft SQL Server Management Studio 106 0
107 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:47 Citrix:EnvTest 107 0
108 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 2200 8514 04/21
08:00:31
108 0
109 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:05:56
109 0
110 sleeping rvanveen DCMA8460 . master AWAITING COMMAND 0 0 04/21
08:58:48 Microsoft SQL Server Management Studio 110 0
113 sleeping Citrix_adm CTXDEVSI1 . XenApp6 AWAITING COMMAND 284 777 04/21
08:51:33 Citrix IMA 113 0
119 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:42 Citrix:ConfigurationLoggingData 119 0
120 sleeping AMERICAS\CTXDEVDCSI1$ CTXDEVDCSI1 . CitrixXDFarm1 AWAITING COMMAND 0 0 04/21
08:58:26 Citrix:Storefront 120 0
125 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/16
13:55:16
125 0
126 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 16 0 04/16
11:25:30
126 0
131 sleeping echouliak DCMA10685 . master AWAITING COMMAND 139 8 04/14
15:26:55 Microsoft SQL Server Management Studio 131 0
135 sleeping echouliak DCMA10685 . dsa AWAITING COMMAND 0 0 04/14
15:24:52 Microsoft SQL Server Management Studio - Query 135 0
136 sleeping echouliak DCMA10685 . dsa AWAITING COMMAND 0 0 04/14
15:00:17 Microsoft SQL Server Management Studio - Query 136 0
140 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:05:56
140 0
145 sleeping edit_user INFADEVFS2 . dsa AWAITING COMMAND 0 0 04/21
07:05:56
145 0 -
Enable SQLNet server trace and DB traces
HI,
I need to Enable SQLNet server and client side network traces and DB traces. How can I do that . Here are my platform , OS etc
Database OS : Red Hat Enterprise Linux 5.7
Database Version : 11.2.0.2 Enterprise Manager
I have Oracle Wblogic Server 10.3.3 running on a different RHEL 5.7 Linux box.
ThanksHi,
I have a specific problem. The problem is , I have created a logon trigger , that checks the user trying to create a session and it makes the session case insensitive. Below is the trigger content. Now this trigger works fine , but once in a while it fails . That means all the queries that are being issued from the application deployed in the weblogic server fails if the search parameter case is not proper . So for example if the query fired is SELECT name FROM Personnel WHERE first_name like 'j', it fails, but when the user puts "J" ( upper case J) , then the search result returns the data. ANd its very random. The application uses jdbc thin driver. Also the connections made through TOAD also becomes case sensitive randomly. So is the effort to find out why is the trigger failing and how to fix it . This is driving the user as well as the developer crazy. Oh By the way we use only one user "SA" to connect to the DB .
Thanks for all your help.
Here is the trigger script:
CREATE OR REPLACE TRIGGER SYSTEM.SET_NLS_ONLOGON
AFTER LOGON
ON DATABASE
DECLARE
cmmd1 VARCHAR2 (100);
cmmd2 VARCHAR2 (100);
cmmd3 VARCHAR2 (100);
BEGIN
cmmd1 := 'ALTER SESSION SET NLS_SORT=BINARY_CI';
cmmd2 := 'ALTER SESSION SET NLS_COMP=LINGUISTIC';
cmmd3 := 'alter session set NLS_TIMESTAMP_FORMAT = ''YYYY-MM-DD HH24:MI:SS.FF''';
IF (USER IN ('SA'))
THEN
EXECUTE IMMEDIATE cmmd1;
EXECUTE IMMEDIATE cmmd2;
EXECUTE IMMEDIATE cmmd3;
END IF;
END SET_NLS_ONLOGON; -
Hi Expert,
I am using below code for disabling user for from access through Management Studio:-
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TRIGGER [blocker]
ON ALL SERVER
FOR LOGON
AS
BEGIN
if app_name() = 'Microsoft SQL Server Management Studio' and (original_login() = 'Test' or original_login() = 'Test1' or originial_login = 'Test3')
Begin
rollback transaction
END
End
GO
SET ANSI_NULLS OFF
GO
SET QUOTED_IDENTIFIER OFF
GO
DISABLE TRIGGER [blocker] ON ALL SERVER
GO
Same LoginID is used with other applications but I want to revoke access through SQL
After enable it i see performance impact on my server.so please tell me where am i doing wrong.
ThanksTo start with, that trigger is not going to stop anyone from logging in from SSMS. The application name for a query window is "Microsoft SQL Server Management Studio - Query", or more precisely that is the default. The user can freely set any name
he wishes on the tab Additional Connection Parameters, which you find through the option button. And why only prevent SSMS? What if they use SQLCMD? Old Query Analyzer? Excel?
If you want users to only connect through the application, this requires some work with the application design.
As for your question, without knowing anything about your system and not knowing what
performance impact on my server means in more detail, it is not entirely easy to assess your question. But if your application frequently runs queries and uses the connect-run query-disconnect (but leave in pool) pattern which is the norm, I can see
that the logon trigger can hurt.
Erland Sommarskog, SQL Server MVP, [email protected] -
Insufficient privileges using execute immediate in after logon trigger
I have an after logon trigger that executes a package/procedure in the schema it was created in.
One of the procedures runs the following:
EXECUTE IMMEDIATE 'AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE, EXECUTE PROCEDURE BY ' || USER;
The procedure is throwing an insufficient privileges error when executing this.
However - the schema owner has audit any and audit system privileges and - the statement works fine independently.
When I login as another user this issue arises. The package/procedure are created with definers rights... So - i'm not sure why this is happenening.
Any help is appreciated.privileges acquired via ROLE do NOT apply within named PL/SQL procedures.
SQL> SET ROLE NONE
SQL> --issue AUDIT again now -
Exporting LOGON trigger with per schema filtering
I am using the datapump on 10.2g (on linux) to export three schemas. I am using the "SCHEMA" option in the dbms_datapump.open() procedure and then using the metadata_filter with the SCHEMA_EXPR option to limit down to my three schema. I also do some data filtering after that. Works great, except...
I found that we have one LOGON trigger which is NOT getting exported. The trigger IS owned by one of the schemas i am exporting. But, I think that because this is a "system event trigger", rather than a table based trigger, it will not export using the SCHEMA export mode. True ?
I tried switching to the FULL export mode, but then I can not find a way to limit the export to the three schemas.
All the exporting/importing is being done as system, so I don't think this is a priveledge issue.
Ideas? How to datapump specific schemas and also get the system event triggers owned by those schemas ?
Thanks very much for your help.
Bill ClerySure. Here is the trigger that is NOT exporting as part of the Schema export. We have a Schema called ReportView. In that schema are many views, one table, one package, and one trigger (below). Everything except the trigger is getting exported and then imported.
CREATE OR REPLACE TRIGGER reportview.startsess AFTER LOGON ON reportview.SCHEMA
BEGIN
reportview.reportapi.AutoLoadPIT();
END startsess;
The initiation of the export was done like this
PumpHandle := dbms_datapump.open('EXPORT','SCHEMA',NULL, JobName,'LATEST');
dbms_datapump.set_parallel(PumpHandle, 1);
dbms_datapump.metadata_filter(PumpHandle, 'SCHEMA_EXPR', 'IN (''ERIKSYSCORE'',''RBSAPPCORE'',''REPORTVIEW'')');
dbms_datapump.add_file(...)
dbms_datapump.data_filter(...)
dbms_datapump.data_filter(...)
dbms_datapump.start_job(PumpHandle);
dbms_datapump.detach(PumpHandle);
I tried swtiching to the "FULL" method and using the NAME_EXPR to filter down to the same schemas, but could not get this working.
PumpHandle := dbms_datapump.open('EXPORT','FULL',NULL, JobName,'LATEST');
dbms_datapump.set_parallel(PumpHandle, 1);
dbms_datapump.metadata_filter(PumpHandle, 'NAME_EXPR', ???? ); -
Hi,
I've a view and the view is be reading by an external program.
How can i see how and how long do they communicate ?
Thanks in advance.
With best regards
NicoleHi:
If you have a testing environment (that is definitely a must have) and can modify sources the simplest way to activate trace is add a 'alter session set sql_trace=true' at the beginning of the application, then run it, and then evaluate results.
Using a logon trigger for the user the application is connecting to is another way to accomplish the same, useful when the application cannot be modified. This is an example of the same:
CREATE TRIGGER
schema_owner.logon_tg AFTER LOGON ON schema_owner.SCHEMA
BEGIN
EXECUTE IMMEDIATE 'alter session set sql_trace=true';
END;
This will produce a trace file containing all of the statements executed by the session:
Trace files go to USER_DUMP_DEST, and need to be parsed with TKPROF in order to produce readable output.
Also, check to have timed_statistics=true, so it will report timing in the trace files.
Try to produce trace files, and post if you need assistance in interpreting results.
ciao
Andrea -
Closing DBA session in AFTER LOGON trigger
Hello *,
this is my first question here and my first piece of code in oracle so please don't laugh ;-)
I'm trying to create an AFTER LOGON trigger which disconnects a user if he/she tries to log in from an incorrect host.
What should happen?
User tries to connect.
If he/she is permitted, a record is added to a table.
If not, a record is added to another table and the user is disconnected using RAISE_APPLICATION_ERROR().
After a number of issues I've got it working, except ... I have the feeling that RAISE_APPLICATION_ERROR() doesn't effect users with DBA privileges.
Finally, I'm testing it with one ordinary user - DEF.
The main idea is to disallow connections from user ABC which has DBA privileges.
Tests using DEF are successful but when ABC tries to log in from an incorrect host, a record is added in pcbaudit_failed_logins but the user is not disconnected.
The database is 9.2.0.8.0 and I'm prepared to post RDA report if it is required.
Thank you for your help in advance - I hope I was kind enough :P
Here's the code for the trigger:
DROP TABLE pcbaudit_users;
CREATE TABLE pcbaudit_users (username VARCHAR2(32) NOT NULL, host VARCHAR2(64) NOT NULL);
CREATE INDEX idx_pcbaudit_users_username ON pcbaudit_users(username);
CREATE INDEX idx_pcbaudit_users_host ON pcbaudit_users(host);
DROP TABLE pcbaudit_logins;
CREATE TABLE pcbaudit_logins (username VARCHAR2(32), ip_address VARCHAR2(15), host VARCHAR2(64), ts DATE);
DROP TABLE pcbaudit_failed_logins;
CREATE TABLE pcbaudit_failed_logins (username VARCHAR2(32), ip_address VARCHAR2(15), host VARCHAR2(64), ts DATE);
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_users FOR sys.pcbaudit_users;
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_logins FOR sys.pcbaudit_logins;
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_failed_logins FOR sys.pcbaudit_failed_logins;
GRANT SELECT ON sys.pcbaudit_users TO public;
GRANT INSERT ON sys.pcbaudit_logins TO public;
GRANT INSERT ON sys.pcbaudit_failed_logins TO public;
INSERT INTO pcbaudit_users VALUES ('SYS', '%');
INSERT INTO pcbaudit_users VALUES ('SYSTEM', '%');
INSERT INTO pcbaudit_users VALUES ('ABC', '%');
INSERT INTO pcbaudit_users VALUES ('DEF', '%');
COMMIT;
CREATE OR REPLACE
TRIGGER logon_pcbaudit_trigger AFTER LOGON ON DATABASE
DECLARE
v_username VARCHAR2(32); /* variable that will hold current username */
v_host VARCHAR2(4000); /* variable that will hold current host */
v_allowed NUMBER(1) := 0;
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
SELECT UPPER(USER), /* current user */
UPPER(SYS_CONTEXT('USERENV', 'HOST')) /* current user host */
INTO v_username,
v_host
FROM dual;
/* debug */
-- DBMS_OUTPUT.PUT_LINE(v_username || '@' || v_host);
SELECT 1
INTO v_allowed
FROM pcbaudit_users
WHERE UPPER(username) = v_username
AND (
UPPER(REPLACE(v_host, CHR(0), '')) LIKE UPPER(host) ESCAPE '!' /* fuck that shit! Something appends CHR(0) to its host... */
OR
v_host IS NULL /* fuck that shit! Some hosts are NULLs! */
/* write log (user has logged in!) */
INSERT
INTO pcbaudit_logins
(username, ip_address, host, ts)
VALUES
(v_username, SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_host, SYSDATE);
COMMIT;
EXCEPTION
WHEN NO_DATA_FOUND THEN /* occurs when no matches were found; i.e. current username is not permitted to login from the current host */
/* log the failed attempt */
INSERT
INTO pcbaudit_failed_logins
(username, ip_address, host, ts)
VALUES
(v_username, SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_host, SYSDATE);
COMMIT;
/* disconnect user */
RAISE_APPLICATION_ERROR(-20001, v_username || '@' || v_host || ' is not allowed to connect.');
WHEN OTHERS THEN
NULL; /* in this case, NULL is better than an error - if an error occurs, user will not be able to login. */
END;Thank you for your reply!
The situation is quite complicated.
I am aware that a user with DBA privileges can drop the trigger, modify it, etc.
There's an application on top of it and (i don't know why) it requires dba privileges. The point is, there are developers with access to the production database and my task is to stop them from logging in with this username.
Since I'm creating a trigger, I've obviously have no other choice. I can't change the user's password because of number of reasons, I can't deny developers' IP addresses using sqlnet.ora because they need read-only access and so on.
I realize that this is not the way that things are being done (development cycle), but I have no other choice.
So, is there any other way? -
Hi,
I'm a beginner on the Oracle technology and I'm trying add a step on my logon trigger that avoids that the same user connects twice to the database using PL/SQL Developer.
Here what I'm doing:
VUSER := UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER'))
VPROGRAM := UPPER(SYS_CONTEXT('USERENV', 'MODULE'))
SELECT COUNT(*) INTO N_SESSION
FROM V$SESSION
WHERE USERNAME = UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER'));
IF VUSER NOT IN ('SYS','SYSTEM') AND N_SESSION >= 2 AND VPROGRAM LIKE 'PLSQLDEV%' THEN
RAISE_APPLICATION_ERROR(-20003,
'Access to database ' ||
UPPER(SYS_CONTEXT('USERENV', 'DB_NAME')) ||
' denied for this application');
END IF;
For some reason, it's not working.
Do you guys know what I should do?
ThanksThe trigger works fine in principle:
CREATE OR REPLACE TRIGGER after_logon_trg
AFTER LOGON
ON DATABASE
DECLARE
n_session INTEGER;
BEGIN
SELECT COUNT ( * )
INTO n_session
FROM v$session
WHERE username = UPPER (SYS_CONTEXT (
'USERENV',
'SESSION_USER'
IF UPPER (SYS_CONTEXT (
'USERENV',
'SESSION_USER'
)) NOT IN ('SYS', 'SYSTEM')
AND n_session >= 2
AND UPPER (SYS_CONTEXT (
'USERENV',
'MODULE'
)) LIKE
'SQL%'
THEN
raise_application_error (
-20003,
'Access to database '
|| UPPER (SYS_CONTEXT (
'USERENV',
'DB_NAME'
|| ' denied for this application'
END IF;
END after_logon_trg;
Session 1:
SQL> connect scott/tiger@oracle
Connect durchgeführt.
Session 2:
C:\>sqlplus scott/tiger@oracle
SQL*Plus: Release 11.1.0.7.0 - Production on Fr Aug 28 19:05:25 2009
Copyright (c) 1982, 2008, Oracle. All rights reserved.
ERROR:
ORA-00604: Fehler auf rekursiver SQL-Ebene 1
ORA-20003: Access to database ORACLE denied for this application
ORA-06512: in Zeile 23But beware that for users with "ADMINISTER DATABASE TRIGGER" privilege the trigger will still allow the user to login ! -
Logon trigger to alter the session parameter
Hi,
I want to execute alter session set '_b_tree_bitmap_plans'=false;
for a user once he logs in.
I guess it is possible using logon trigger, pls let me know how to?
Thanks,
Kumar.Ensure that the usage of the statements or settings in the login files is necessary or correct before using it.
For all users, use glogin.sql. This is located in $ORACLE_HOME/sqlplus/admin
For each user, use[b] login.sql. This need to be created by the user from sqlplus using the default editor. e.g type ed login at the SQL prompt. This enables the file to be created at the correct home of the OS user(different between Unix and Windows). Note that it is per OS user and not per Oracle user. For instance, every user who connects to the Server as the OS user oracle will run the same login.sql.
If you enter statements that require logon (just like yours), you will get "Not Connected" error if you normally do sqlplus /nolog. But you will not get it is you connect directly be specifying the username directly or when prompted.
The scripts will be run at each logon (either by typing sqlplus from os command prompt or using connect command within sqlplus). -
Logon-Trigger, TOO_MANY_ROWS exception
Hi,
for a NLS check there is a need for a logon trigger which is implemented for half a year. It works fine but very seldom the following select throws a TOO_MANY_ROWS exception:
SELECT *
FROM v$session
WHERE audsid = USERENV('SESSIONID')
I can state that this happens only for a user who is connected to the database by a virtual machine. Don´t know how I can fix it ... How can I reduce the number of rows to a level that I only get one row ...?!
Any ideas or hints for me?
Thanks in advance,
MichaelHi,
following statement is the nls-check.
SELECT n.VALUE
FROM nls_session_parameters n
WHERE n.parameter = 'NLS_TERRITORY'
If another Territory occurs than supposed I will write a mail to get to know on which seat and for which user I have to change the setting.
For the mail I need to know which user, session, machine, etc. ..
With regards,
Michael -
10046 Trace NULL/SYSTEM sessions
Hello,
I am running a 10046 level 12 trace on a session that runs an encrypted package. This session turns out to be a SYSTEM session. After I get the trace I dont see any bind values. I can see the statement exec packageabc(:B1,:B2,:B3) in the trace, but no bind values below it. am I missing anything here. This is a 10.2.0.4 database on AIX 5.3 (with the 2010 psu patches.).
Thanks!Hi Hemant
It is running from the windows box and osuser is system. the following are the details from gv$session
ID SID SERIAL# OSUSER MACHINE USERNAME LOGON_TIME ELPSD SPID PROGRAM
1 2029 2570 SYSTEM AD\PDIISPI123 RUNCOPY 05-MAR-11 23:57 16 975274 RunCopySrv.exe and yes I have used the tkprof to format the trace file
Edited by: SMY on Mar 8, 2011 10:12 AM
Edited by: SMY on Mar 8, 2011 10:14 AM
Edited by: SMY on Mar 8, 2011 10:19 AM -
Account Lock vs. System Db trigger to secure log-ons
Hi ,
In which circumstances would you prefer the use of a system database trigger which would prevent a user to logon in the db schema 'SCOTT' for example.... instead of locking this account......????
Thanks...
SimThe only scenario that comes to mind is that you don't want a blanket ban on connections to this user but need to put conditions on connections.
Say you had a complex set of business rules dictating when the user SCOTT can connect such as connections are allowed only between 3pm and 7pm, only from hosts on a certain subnet, only three users at a time and only if a certain table has a certain number of rows or value in a row. Simply locking the account isn't going to meet those rules and a trigger would.
Saying that, you'd want to look carefully at your business rules to be sure that you aren't duplicating with a trigger what could already be achieved with Resource Manager and Profiles. -
Error while performing Risk Analysis at user level for a cross system user
Dear All,
I am getting the below error, while performing the risk analysis at user level for a cross system (Oracle) user.
The error is as follows:
"ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.connector.exceptions.BaseResourceException: Cannot get connection for 120 seconds. Possible reasons: 1) Connections are cached within SystemThread(can be any server service or any code invoked within SystemThread in the SAP J2EE Engine), 2) The pool size of adapter "SAPJ2EDB" is not enough according to the current load of the system or 3) The specified time to wait for connection is not enough according to the pool size and current load of the system. In case 1) the solution is to check for cached connections using the Connector Service list-conns command, in case 2) to increase the size of the pool and in case 3) to increase the time to wait for connection property. In case of application thread, there is an automatic mechanism which detects unclosed connections and unfinished transactions.RC:1
Can anyone please help.
Regards,
GurugobindaHi..
Check the note # SAP Note 1121978
SAP Note 1121978 - Recommended settings to improve peformance risk analysis.
Check for the following...
CONFIGTOOL>SERVER>MANAGERS>THREADMANAGER
ChangeThreadCountStep =50
InitialThreadCount= 100
MaxThreadCount =200
MinThreadCount =50
Regards
Gangadhar
Maybe you are looking for
-
HT1341 How do I print an e-mail attachment ?
Good Evening Everyone. My question is this - Can anyone tell me how to print an attachment on an e-mail ? My system seems to have recognised my printer, but the problem is that I can't seem to find a 'Print' icon anywhere ! Thanks in anticipation.
-
Showing/Hiding certain fields based on Radioset selection
Hello all, I'm like to know whether it is possible to Show/Hide certain fields using a RadioSet selection as it is done in Forms in ADF UIX. Kindly go through this post. Showing/Hiding certain fields based on Radio Group selection kindly help me out
-
Hi, I want to install oracle s/w for my production server. before installing oracle i want to set kernel parameters in /etc/sysctl.conf .i logined as root user but i couldn't able to fine sysctl.conf file on server.. Edited by: 920033 on Apr 12, 2012
-
Group messages coming in as HTML or Base 64
Hey all, This morning, I started receiving messages containing either HTML or Base64 code, along with a bunch of extra information. One such message (one that seemed focused on Base64) looks like this: --Nokia-mm-messageHandler-BoUnDaRy-=_-396604176
-
I upgraded to Windows 7 and just installed the newest version of iTunes. All of my music was backed up on another drive. When I started iTunes it imported all of my music, including the music I purchased. All of my music is available for use. Questio