Cisco LMS - \rme\archive\file.xml - does it ever change?
We've configured our Cisco LMS 4.0 in enVision and are collecting switch and router logs via the 'syslog.log' file and NIC SFTP agent/Filereader setup. The configuration also includes a file in the LMS \files\rme\archive\ directory which is created by running a VBScript included in the setup doc.
When we set the integration up the file was created, "2011-05-13-05-19-57-changeaudit.xml", but it hasn't changed since. What should we expect to see in the file? Is the same file used for any changes going forward, or will a new file be generated periodically?
Due to another issue we had to modify our sftpagent.conf to specifically monitor that file (instead of the directory\*.xml), so if a new file is created at some point it's going to break our collection.
There is a limitaion in the Cisco changeaudit command which only allows getting audits for 1 days time. it is suggested to run the command daily and sftp the file over. Due to this limitation which is no where near real time collection and is a manual effort to import RSA recently added support for ODBC collection of change audit informtion from Cisco LMS. I highly suggest updating to the latest ESU (May ESU) and move to ODBC method.
Thanks for the clarification, the docs dont' say anything about needing to run the ChangeAudit script daily. That's a huge oversight. It was also never mentioned by Support.