Keep Calm Learn SQL: Reading Transaction Log

Someone or a service deleted a record from a table. We will need to know when it was deleted and who deleted the record. I read every transaction log between a specific time to find out if there was a delete statement in transaction log. Transaction logs are located on E:\

Reading Transaction Log

Option 1

SELECT [Current LSN], [Transaction ID], [Transaction Name], [Operation], [Begin Time], [PartitionID], [TRANSACTION SID],LEFT ([Description], 40) AS [Description] FROM fn_dump_dblog (NULL, NULL, N'DISK', 1, N'E:\TEST.trn',

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT,

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT)

WHERE Operation = 'LOP_DELETE_ROWS'

Option 2

In the script below, we passed table name and operation

WITH CTE

(SELECT [Transaction ID], count(*) as DeletedRows

FROM fn_dump_dblog (NULL, NULL, N'DISK', 1, N'E:\TEST.trn',

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT,

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT)

WHERE Operation = ('LOP_DELETE_ROWS')

AND [PartitionId] = (SELECT sp.partition_id

FROM sys.objects so

INNER JOIN sys.partitions sp on so.object_id = sp.object_id

WHERE name = 'TESTTABLE')

GROUP BY [Transaction ID]

)

SELECT [Current LSN], a.[Transaction ID], [Transaction Name], [Operation], [Begin Time], SUSER_SNAME([TRANSACTION SID]) as LoginName, DeletedRows

FROM fn_dump_dblog (NULL, NULL, N'DISK', 1, N'E:\TEST.trn',

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT,

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT) as a

INNER JOIN cte on a.[Transaction ID] = cte.[Transaction ID]

WHERE Operation = ('LOP_BEGIN_XACT')

Option 3

If we know specific transaction SID, we can find who ran the delete.

SELECT

[Current LSN],

[Operation],

[Transaction ID],

[Begin Time],

[End Time],

[Transaction Name],

LEFT ([Description], 40) AS [Description],

SUSER_SNAME ([Transaction SID]) AS [WhoDidIt?],

[PartitionID],

[Num Elements] ,

[RowLog Contents 0],

[RowLog Contents 1],

[RowLog Contents 2],

[RowLog Contents 3]

FROM

fn_dump_dblog (NULL, NULL, N'DISK', 1, N'E:\TEST.trn',

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT,

DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT, DEFAULT)

WHERE [Transaction ID] in('0000:0084ff66','0000:0084ff66','0000:0085002c')

I used above three queries to find out who deleted a record and delete time.

Thank you for reading.

Keep Calm Learn SQL

Tuesday, November 15, 2016

Reading Transaction Log

No comments:

Post a Comment

How to add a Database to AlwaysOn Availability Group with four different options