Sql-server – way to check which computer or IP used a particular script

logSecuritysql serversql-server-2008

As the Title suggest, is there a way to check what IP used a particular SQL Script?

The scenario is, there is a recreation script in a email and we hypothesize that somehow, that recreation script was used and the data inside the database was removed. We want to know which computer used the script. we know that when was the script was used. But somehow the user name we used is SA which can be used by other programmers as well (sorry for this).

Is there a script or a utility that can tell us the said information?

Sample of said script:

if  exists
            (
                select  *
                    from    sysobjects
                    where   id  =   object_id   (   N'dbo.DSTRNP'   )
                        and OBJECTPROPERTY  (   id, N'IsUserTable'  )   =   1
            )
    drop    table   dbo.DSTRNP
go

create  table   dbo.DSTRNP
    (
        TEST    char(12)    not null
            ,   constraint  pk_c_DSTRNP primary key clustered
            (
                TEST
            )
    )
go

Best Answer

You could try reading the default trace to view all Host Names for queries which performed an object DROP (since you mention a drop table). Default trace should contain log record about it.

SCRIPT:

This script reads events from the default trace, if it is enabled.
Then it displays events for when any object changes occured (CREATE, DROP, ALTER).

USE tempdb
GO

DECLARE @DatabaseName nvarchar(200)
SET @DatabaseName = 'Your database' -- <<<======Specify the name of the database here, else comment this line to get details of databases

DECLARE @enable int
SELECT top 1 @enable = convert(int,value_in_use) FROM sys.configurations WHERE name = 'default trace enabled'

IF @enable = 1 --default trace is enabled
BEGIN

    DECLARE @d1 datetime;DECLARE @indx int ;
    DECLARE @curr_tracefilename varchar(500);
    DECLARE @base_tracefilename varchar(500);
    DECLARE @temp_trace TABLE (obj_name nvarchar(256) COLLATE database_default,database_name nvarchar(256) COLLATE database_default,start_time datetime,
                  event_class int,event_subclass int,object_type int,server_name nvarchar(256) COLLATE database_default,
                  application_name nvarchar(256) COLLATE database_default,ddl_operation nvarchar(40) COLLATE database_default,
                  SessionLoginName nvarchar(512) COLLATE database_default, LoginName nvarchar(512) COLLATE database_default, HostName nvarchar(512) COLLATE database_default);

    SELECT @curr_tracefilename = PATH FROM sys.traces WHERE is_default = 1 ; SET @curr_tracefilename = reverse(@curr_tracefilename)
    SELECT @indx  = PATINDEX('%\%', @curr_tracefilename); SET @curr_tracefilename = reverse(@curr_tracefilename)
    SET @base_tracefilename = LEFT( @curr_tracefilename,len(@curr_tracefilename) - @indx) + '\log.trc';

    INSERT INTO @temp_trace SELECT ObjectName,DatabaseName,StartTime,EventClass,EventSubClass,ObjectType,ServerName,ApplicationName,'temp'
        ,SessionLoginName,LoginName,HostName
    FROM ::fn_trace_gettable( @base_tracefilename, default ) WHERE EventClass in (46,47,164) AND EventSubclass = 0 AND DatabaseID <> 2 

    --------------------------------------------
    AND (DatabaseName = @DatabaseName OR @DatabaseName IS NULL)

    --------------------------------------------

    UPDATE @temp_trace SET ddl_operation = 'Object:Created' WHERE event_class = 46
    UPDATE @temp_trace SET ddl_operation = 'Object:Deleted' WHERE event_class = 47
    UPDATE @temp_trace SET ddl_operation = 'Object:Altered' WHERE event_class = 164

    SELECT @d1 = min(start_time) FROM @temp_trace

    SELECT start_time AS [Event Time]
        , server_name AS [Server Name]
        , database_name AS [Database Name]
        , HostName AS [Host Name]
        , application_name AS [Application Name]
        , SessionLoginName AS [Session Login Name]
        , LoginName AS [Login Name]
        , obj_name AS [Object Name]
        , ddl_operation AS [DDL Operation]
    FROM @temp_trace WHERE object_type not in (21587)
                  --AND LoginName = 'suspect login'
    ORDER BY start_time  DESC

END

Useful links:

MSSQLTips: Using the SQL Server Default Trace to Audit Events
brentozar: Default Trace Contents

Related Solutions

Sql-server – Trusted Constraints and NOT FOR REPLICATION

NOT FOR REPLICATION was indended for this scenario:

You have a Order table with a FK to Person table.
Order table is in publication no.1 and Person table is in publication no.2.
The Order pub and Person pub will happen at different times. Therefore if some new records were in the Order table were replicated down to the subscriber and the Person table was missing the person that new Order was for, you don't want the replication insert to fail at the subscriber. Instead, it can be trusted that the new Person record will come down at some point because the FK was used at the Publisher.
At the subscriber, if you insert an Order record, the FK will check that the Person record exists.

I would always stick with this policy and use NOT FOR REPLICATION only for that purpose of FK's relating to tables in different publications, and not for the purpose of query plan optimisation.

SQL Server Execution Plan – How to Explain This Execution Plan

The constant scans each produce a single in-memory row with no columns. The top compute scalar outputs a single row with 3 columns

Expr1005    Expr1006    Expr1004
----------- ----------- -----------
NULL        NULL        60

The bottom compute scalar outputs a single row with 3 columns

Expr1008    Expr1009    Expr1007
----------- ----------- -----------
NULL        1048576        10

The concatenation operator Unions these 2 rows together and outputs the 3 columns but they are now renamed

Expr1010    Expr1011    Expr1012
----------- ----------- -----------
NULL        NULL        60
NULL        1048576     10

The Expr1012 column is a set of flags used internally to define certain seek properties for the Storage Engine.

The next compute scalar along outputs 2 rows

Expr1010    Expr1011    Expr1012    Expr1013    Expr1014    Expr1015
----------- ----------- ----------- ----------- ----------- -----------
NULL        NULL        60          True        4           16            
NULL        1048576     10          False       0           0

The last three columns are defined as follows and are just used for sorting purposes prior to presenting to the Merge Interval Operator

[Expr1013] = Scalar Operator(((4)&[Expr1012]) = (4) AND NULL = [Expr1010]), 
[Expr1014] = Scalar Operator((4)&[Expr1012]), 
[Expr1015] = Scalar Operator((16)&[Expr1012])

Expr1014 and Expr1015 just test whether certain bits are on in the flag. Expr1013 appears to return a boolean column true if both the bit for 4 is on and Expr1010 is NULL.

From trying other comparison operators in the query I get these results

+----------+----------+----------+-------------+----+----+---+---+---+---+
| Operator | Expr1010 | Expr1011 | Flags (Dec) |       Flags (Bin)       |
|          |          |          |             | 32 | 16 | 8 | 4 | 2 | 1 |
+----------+----------+----------+-------------+----+----+---+---+---+---+
| >        | 1048576  | NULL     |           6 |  0 |  0 | 0 | 1 | 1 | 0 |
| >=       | 1048576  | NULL     |          22 |  0 |  1 | 0 | 1 | 1 | 0 |
| <=       | NULL     | 1048576  |          42 |  1 |  0 | 1 | 0 | 1 | 0 |
| <        | NULL     | 1048576  |          10 |  0 |  0 | 1 | 0 | 1 | 0 |
| =        | 1048576  | 1048576  |          62 |  1 |  1 | 1 | 1 | 1 | 0 |
| IS NULL  | NULL     | NULL     |          60 |  1 |  1 | 1 | 1 | 0 | 0 |
+----------+----------+----------+-------------+----+----+---+---+---+---+

From which I infer that Bit 4 means "Has start of range" (as opposed to being unbounded) and Bit 16 means the start of the range is inclusive.

This 6 column result set is emitted from the SORT operator sorted by Expr1013 DESC, Expr1014 ASC, Expr1010 ASC, Expr1015 DESC. Assuming True is represented by 1 and False by 0 the previously represented resultset is already in that order.

Based on my previous assumptions the net effect of this sort is to present the ranges to the merge interval in the following order

 ORDER BY 
          HasStartOfRangeAndItIsNullFirst,
          HasUnboundedStartOfRangeFirst,
          StartOfRange,
          StartOfRangeIsInclusiveFirst

The merge interval operator outputs 2 rows

Expr1010    Expr1011    Expr1012
----------- ----------- -----------
NULL        NULL        60
NULL        1048576     10

For each row emitted a range seek is performed

Seek Keys[1]: Start:[dbo].[t].c2 > Scalar Operator([Expr1010]), 
               End: [dbo].[t].c2 < Scalar Operator([Expr1011])

So it would appear as though two seeks are performed. One apparently > NULL AND < NULL and one > NULL AND < 1048576. However the flags that get passed in appear to modify this to IS NULL and < 1048576 respectively. Hopefully @sqlkiwi can clarify this and correct any inaccuracies!

If you change the query slightly to

select *
from t 
where 
      c2 > 1048576 
   or c2 = 0
;

Then the plan looks much simpler with an index seek with multiple seek predicates.

The plan shows Seek Keys

Start: c2 >= 0, End: c2 <= 0, 
Start: c2 > 1048576

The explanation for why this simpler plan cannot be used for the case in the OP is given by SQLKiwi in the comments to the earlier linked blog post.

An index seek with multiple predicates cannot mix different types of comparison predicate (ie. Is and Eq in the case in the OP). This is just a current limitation of the product (and is presumably the reason why the equality test in the last query c2 = 0 is implemented using >= and <= rather than just the straightforward equality seek you get for the query c2 = 0 OR c2 = 1048576.

Best Answer

Related Solutions

Sql-server – Trusted Constraints and NOT FOR REPLICATION

SQL Server Execution Plan – How to Explain This Execution Plan

Related Question