>> Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?
The latter.
If for some reason, the devices cannot log directly to LMS, there're a few options: 1) Devices log to a central syslog server, which in turn exposes the syslogs to LMS' Syslog Analyzer, either via the Cisco-supplied Remote Syslog Collector or some unsupported methods such as NFS mount, or 2) Install Syslog-ng on the central syslog server, relay the logs to LMS, as described in this whitepaper: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-571038.html
>> What's the benefit of scheduling a report to run automatically? Is it saved somewhere that is easier/quicker to get to?
It's the usual benefits of automation. Scheduled syslog reports apparently write outputs to /var/adm/CSCOpx/files/rme/cri/archives/syslog/reports/output/[jobID_runID], on Solaris, for example. The structure inside is rather muddy. So it might be easier to have something like a VBscript to screen-scrape the LMS web GUI for the report outputs instead.
>> Can new syslog messages from devices be posted to an RSS feed?
That's a novel idea. Though obviously not from the devices directly, it most likely coud be done through some "syslog2rss" relay residing on the syslog server. I think the potential volumes of logs could be too much for RSS, unless careful filtering/deduplication takes place on the relay before posting to a feed.
