Correcting the "updated unknown" message when running a report in the Policy Server

Document ID : KB000007559
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

When we run an Audit report (for Administrative operations by administrator) we see in the reports an "Updated Unknown" message for AgentInstanceCreate events. The following:

<Object Class="CA.SM::AgentInstance" Xid="CA.SM::AgentInstance@000080fe00000000ff565002c2449bfe-0a98-55c877c3-07c0-0167089d" CreatedDateTime="2015-08-10T15:36:59" ModifiedDateTime="2015-08-10T15:36:59" UpdatedBy="os:NT AUTHORITY/SYSTEM" UpdateMethod="LocalAPI" ExportType="Replace">

is getting updated by (UpdateMethod="LocalAPI") based on the heartbeat interval and not an Administrative / Administrator operation to get recorded in the reports.

When Audit logs are configured to be stored in a text file, the following records for Agent Instance are written:

"5656-1446550425-3_1","03/Nov/2015::17:05:30 0530","CA.SM::AgentInstance@000080fe00000000ff56500200069bfe-0ef8-553762a7-0b04-00033808","","Update","5656-1446550425-3"

"5656-1446550425-4_1","03/Nov/2015::17:36:24 0530","CA.SM::AgentInstance@000080fe00000000ff565002340e9bfe-0cac-5540f6ab-0a38-030949f6","","Update","5656-1446550425-4"

But when configured to store the data directly into the ODBC database, there are no records with AgentInstance under dbo.smobjlog4 & dbo.smaccesslog4

Environment:
Policy Server R12.52 CR00 build 142 on Linux 64 bitReport Server R12.52 CR00
Cause:

As “AgentDiscovery” feature is enabled by default in the environment, the above agentinstance object related updates are logged in XPS-Audit events, which actually gets imported to Audit ‘smobjlog4’ table, to fetch store operation related reports.

As CA SSO's supplied “AdminOperationsByAdmin.rpt” file is not updated to understand the agent instance object category, the reports for AgentInstanceCreate action are showing as “unknown” and generating the messages.

Resolution:

Defining category id ‘81’ in the rpt file as “AgentInstance” solves the issue. This is implemented in R12.52 SP1 CR06.