Hello, there is something I don' t understand with my log files. It is the " duration" value. As an example let' s consider this line: WTsyslog[2007-02-06 12:46:17 ip=Z.Z.Z.Z pri=5] id=firewall time=" 2007-02-06 12:46:18" fw=FGT400SomeSerial pri=5 SN=AnotherSerial duration=163 rule=83 policyid=83 proto=443/tcp service=443/tcp status=accept src=Y.Y.Y.Y srcname=Y.Y.Y.Y dst=X.X.X.X dstname=X.X.X.X src_int=port2 dst_int=port1 sent=1180 rcvd=1052 sent_pkt=21 rcvd_pkt=20 src_port=53092 dst_port=443 vpn=n/a tran_ip=W.W.W.W tran_port=443 dir_disp=org tran_disp=noop It has been extracted from a log file of a WebTrends syslog, and comes form a FG400 in WELF format. This connection was done on purpose over 5 seconds long, but the " duration" value is 163. As it is supposed to be the duration of the session in seconds, how can the log say it was more than two minutes long if I closed it after 5 seconds? Is this value specified in another time unit (cents of seconds)? The only stable value I saw in the log is for denied connections: duration=0. The rest is erratic but mostly over 130. Thanks in advance, Alex