When we run an Audit report (for Administrative operations by administrator), the report shows an "Updated Unknown" message for AgentInstanceCreate events. The following object:
<Object Class="CA.SM::AgentInstance" Xid="CA.SM::[email protected]0-0167089d" CreatedDateTime="2015-08-10T15:36:59" ModifiedDateTime="2015-08-10T15:36:59" UpdatedBy="os:NT AUTHORITY/SYSTEM" UpdateMethod="LocalAPI" ExportType="Replace">
is updated through the local API (UpdateMethod="LocalAPI") based on the heartbeat interval. It is not an administrative operation performed by an administrator that needs to be recorded in the reports.
When Audit logs are configured to be stored in a text file, the following records for Agent Instance are written:
"5656-1446550425-3_1","03/Nov/2015::17:05:30 0530","CA.SM::[email protected]4-00033808","","Update","5656-1446550425-3"
"5656-1446550425-4_1","03/Nov/2015::17:36:24 0530","CA.SM::[email protected]8-030949f6","","Update","5656-1446550425-4"
However, when the audit data is stored directly in the ODBC database, there are no AgentInstance records in dbo.smobjlog4 or dbo.smaccesslog4.
Because the “AgentDiscovery” feature is enabled by default in the environment, the AgentInstance object updates described above are logged as XPS-Audit events, which are imported into the Audit ‘smobjlog4’ table and used to produce reports on store operations.
Because the “AdminOperationsByAdmin.rpt” file supplied with CA SSO has not been updated to recognize the AgentInstance object category, the report shows the AgentInstanceCreate action as “unknown” and generates these messages.
Defining category id ‘81’ in the rpt file as “AgentInstance” solves the issue. This is implemented in R12.52 SP1 CR06.
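On releases without the fix, the text-file audit records shown above can be used to separate the heartbeat-driven AgentInstance updates from entries that still need review. The following is an added example, not CA code. It assumes the six-column layout of the two records above and an Xid of the form `CA.SM::<Class>@<id>`. The sample rows, their Xid values, the `Domain` row and the 300-second spacing are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the column layout of the two records on the page.
# Xid values are placeholders; the 300 s spacing is illustrative, not a product default.
SAMPLE = '''"1-1_1","03/Nov/2015::17:05:30 0530","CA.SM::AgentInstance@PLACEHOLDER-A","","Update","1-1"
"1-2_1","03/Nov/2015::17:10:30 0530","CA.SM::AgentInstance@PLACEHOLDER-A","","Update","1-2"
"1-3_1","03/Nov/2015::17:12:02 0530","CA.SM::Domain@PLACEHOLDER-D","","Update","1-3"
"1-4_1","03/Nov/2015::17:15:30 0530","CA.SM::AgentInstance@PLACEHOLDER-A","","Update","1-4"
short,row
'''

def parse_records(text):
    """Yield (timestamp, object_class, xid, operation) for well-formed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue  # skip truncated or foreign lines
        stamp = row[1].split(" ")[0]  # drop the trailing UTC-offset token
        try:
            when = datetime.strptime(stamp, "%d/%b/%Y::%H:%M:%S")
        except ValueError:
            continue  # skip rows with an unparseable timestamp
        xid = row[2]
        # Assumed Xid form: CA.SM::<Class>@<id>
        obj_class = xid.split("::", 1)[-1].split("@", 1)[0]
        yield when, obj_class, xid, row[4]

def agent_instance_intervals(text):
    """Map each AgentInstance Xid to the seconds between its consecutive updates."""
    seen = defaultdict(list)
    for when, obj_class, xid, op in parse_records(text):
        if obj_class == "AgentInstance" and op == "Update":
            seen[xid].append(when)
    return {
        xid: [int((b - a).total_seconds()) for a, b in zip(sorted(ts), sorted(ts)[1:])]
        for xid, ts in seen.items()
    }

def other_records(text):
    """Records that are not AgentInstance updates, i.e. the ones left to review."""
    return [(w, c, x, o) for w, c, x, o in parse_records(text)
            if not (c == "AgentInstance" and o == "Update")]

if __name__ == "__main__":
    print(agent_instance_intervals(SAMPLE))
    print(other_records(SAMPLE))
```

Evenly spaced intervals for one Xid are consistent with heartbeat-driven updates. Irregular gaps are worth a closer look.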