Correcting the "updated unknown" message when running a report in the Policy Server

Article ID: 7559

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When we run an Audit report (for administrative operations by administrator), the report shows an "Updated Unknown" message for AgentInstanceCreate events. The following object:

<Object Class="CA.SM::AgentInstance" Xid="CA.SM::[email protected]0-0167089d" CreatedDateTime="2015-08-10T15:36:59" ModifiedDateTime="2015-08-10T15:36:59" UpdatedBy="os:NT AUTHORITY/SYSTEM" UpdateMethod="LocalAPI" ExportType="Replace">

is updated through the local API (UpdateMethod="LocalAPI") at the heartbeat interval. This is not an administrative / administrator operation that should be recorded in the reports.
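A way to separate these heartbeat-driven AgentInstance writes from changes that need an administrator's review, as an added example that is not part of the original article or of the product. It assumes the `<Object>` elements sit inside an `<Export>` wrapper; the wrapper name, the Xid values and every `CONSTRUCTED` value are made up for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: attribute names follow the <Object> element quoted above.
# The <Export> wrapper, Xids and the second and third objects are made up.
SAMPLE_EXPORT = """<Export>
  <Object Class="CA.SM::AgentInstance" Xid="CONSTRUCTED-XID-1"
          CreatedDateTime="2015-08-10T15:36:59" ModifiedDateTime="2015-08-10T15:36:59"
          UpdatedBy="os:NT AUTHORITY/SYSTEM" UpdateMethod="LocalAPI" ExportType="Replace"/>
  <Object Class="CA.SM::AgentInstance" Xid="CONSTRUCTED-XID-2"
          CreatedDateTime="2015-08-10T15:36:59" ModifiedDateTime="2015-08-11T09:02:10"
          UpdatedBy="constructed-admin" UpdateMethod="CONSTRUCTED-METHOD" ExportType="Replace"/>
  <Object Class="CA.SM::Domain" Xid="CONSTRUCTED-XID-3"
          CreatedDateTime="2015-08-09T11:00:00" ModifiedDateTime="2015-08-10T16:20:41"
          UpdatedBy="constructed-admin" UpdateMethod="CONSTRUCTED-METHOD" ExportType="Replace"/>
</Export>"""

AGENT_INSTANCE = "CA.SM::AgentInstance"
REQUIRED = ("Class", "Xid", "UpdatedBy", "UpdateMethod")


def classify(obj):
    """'heartbeat' for AgentInstance objects written through LocalAPI
    (the non-administrative case described above), otherwise 'review'."""
    if obj.get("Class") == AGENT_INSTANCE and obj.get("UpdateMethod") == "LocalAPI":
        return "heartbeat"
    return "review"


def triage(xml_text):
    """Split <Object> elements into heartbeat noise and entries to review."""
    result = {"heartbeat": [], "review": []}
    for obj in ET.fromstring(xml_text).iter("Object"):
        missing = [a for a in REQUIRED if obj.get(a) is None]
        if missing:
            # Incomplete records are never silently treated as noise.
            note = "missing " + ",".join(missing)
            result["review"].append((obj.get("Xid"), note))
            continue
        result[classify(obj)].append((obj.get("Xid"), obj.get("UpdatedBy")))
    return result


if __name__ == "__main__":
    for label, items in triage(SAMPLE_EXPORT).items():
        print(label, items)
```
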

When Audit logs are configured to be stored in a text file, the following records for Agent Instance are written:

"5656-1446550425-3_1","03/Nov/2015::17:05:30 0530","CA.SM::[email protected]4-00033808","","Update","5656-1446550425-3"

"5656-1446550425-4_1","03/Nov/2015::17:36:24 0530","CA.SM::[email protected]8-030949f6","","Update","5656-1446550425-4"

But when audit data is configured to be stored directly in the ODBC database, there are no records for AgentInstance in dbo.smobjlog4 and dbo.smaccesslog4.

Cause

Because the “AgentDiscovery” feature is enabled by default in the environment, the AgentInstance object updates shown above are logged as XPS-Audit events. These events are imported into the Audit ‘smobjlog4’ table, which is used to produce reports on store operations.

Because the “AdminOperationsByAdmin.rpt” file supplied with CA SSO has not been updated to recognize the agent instance object category, the reports show the AgentInstanceCreate action as “unknown” and generate these messages.

Environment

Policy Server R12.52 CR00 build 142 on Linux 64 bit
Report Server R12.52 CR00

Resolution

Defining category id ‘81’ in the rpt file as “AgentInstance” solves the issue. This is implemented in R12.52 SP1 CR06.