I've just started to investigate Bro here. I'd like to use it for
real-time network monitoring, and an obvious (to me) question is: How quickly
is an event (say, a TCP session finishing the normal way) logged? How can
I control this?
I assume I might have to turn off stdio buffering to be able to see such
events right away. Are there other knobs to adjust?
Steinar Haug, Nethelp consulting, sthaug@nethelp.no