
slaughter
full code published
-
Hello, I am looking for DNS server example scripts. Are there any? I searched the forum and have not found any.
-
Application almost finished
-
Yes, I found my mistake a few minutes ago too. Feeling so stupid. Thanks for the reply! To make the comparison in SQL simpler I reformatted the event log date line in the import function you gave:

```autoit
; drop the 'T' separator and the fractional seconds / 'Z' suffix so the stored value
; is 'YYYY-MM-DD HH:MM:SS', the same shape SQLite's datetime() produces
For $i = 0 To (UBound($captures) / 4) - 1
    $reformated_time = StringSplit($captures[4 * $i], "T")
    $reformated_time = $reformated_time[1] & " " & StringLeft($reformated_time[2], 8)
    $sql &= "('" & $reformated_time & "', '" & $captures[4 * $i + 1] & "', '" & $captures[4 * $i + 2] & "', '" & $captures[4 * $i + 3] & "'),"
```
-
jchd, could you help to sort out the date issues? Now when I try to select events that occurred in the last ~2 min:

```sql
SELECT ip, count(*) as 'count', status FROM ip_list WHERE date >= date('now','-1 minutes') GROUP BY ip ORDER by count DESC
```

I get a wrong result. Where is the error, in the query or in the database structure? And to help sort out this query for autoban:

```autoit
auto_ban("SELECT ip, COUNT(*) as 'count' FROM ip_list WHERE date >= date('now','-"&$attempts_time&" minutes') AND count >= "&$attempts_count&" AND status!='Blocked' GROUP BY ip ORDER by count DESC")
```

I get an error that I can't use count in the WHERE statement. I tried to do a select in a select as in MySQL, but I guess SQLite does not support it.
-
Fixed by a static line, now it should be OK. Check the updated script.
-
Thanks for testing. It may be my fault.
-
Good notice about $wevtutil_query. It was used before to create the initial scan and then read one hour of events. So I have removed it. Thanks. And one more time thanks for the cleaned-up updated line.
-
If your servers are in an internal LAN and none of the public services that write to the event log (RDP, SQL) are exposed, you will have 0 entries. That's an individual thing and it does not have anything to do with server configuration. Some servers are protected by firewall configuration, but some of my clients do not want to buy firewalls and use the ISP-supplied one. So this would be a good solution in those cases.
-
Just now tested your code. And you know... IT IS ASS KICKING

```autoit
#RequireAdmin
#include <GUIConstantsEx.au3>
#include <Constants.au3>
#include <Array.au3>
#include <File.au3>
#include <MsgBoxConstants.au3>
#include <SQLite.au3>
#include <SQLite.dll.au3>
#include <GuiListView.au3>
#include <GuiImageList.au3>
#include <WindowsConstants.au3>
#include <ButtonConstants.au3>
#include <ComboConstants.au3>
#include <EditConstants.au3>
#include <ListViewConstants.au3>
#include <ProgressConstants.au3>
#include <StaticConstants.au3>
#include <TabConstants.au3>
#include <Date.au3>

Global $iMemo

_Main()

Func _Main()
    Local $hEventLog, $aEvent
    Global $SQLite_db, $hListView, $hListView2, $GUI, $wevtutil_query, $initial_event_count, $Label1, $Progress1, $sql_qry, $minutes_in_ban_list
    ; controls read from sheduled_tasks() must be global, otherwise they are local to _Main() and auto-mode reads nothing
    Global $Checkbox1, $atempts, $minutes, $Combo1

    #Region ### START Koda GUI section ###
    $GUI = GUICreate("Smart Windows firewall control", 621, 436, 450, 295, BitOR($GUI_SS_DEFAULT_GUI, $WS_MAXIMIZEBOX, $WS_SIZEBOX, $WS_THICKFRAME, $WS_TABSTOP))
    $Tab1 = GUICtrlCreateTab(8, 8, 601, 417)
    GUICtrlSetResizing(-1, $GUI_DOCKLEFT + $GUI_DOCKRIGHT + $GUI_DOCKTOP + $GUI_DOCKBOTTOM + $GUI_DOCKWIDTH + $GUI_DOCKHEIGHT)
    $TabSheet1 = GUICtrlCreateTabItem("Log entrys")
    $iMemo = GUICtrlCreateEdit("", 16, 88, 585, 329)
    GUICtrlSetData(-1, "Edit1")
    $Progress1 = GUICtrlCreateProgress(16, 36, 582, 17)
    $Label1 = GUICtrlCreateLabel("Reading event log", 16, 61, 584, 17)
    $TabSheet2 = GUICtrlCreateTabItem("Blocked IP")
    $hListView2 = GUICtrlCreateListView("", 12, 41, 586, 350)
    _GUICtrlListView_SetExtendedListViewStyle($hListView2, BitOR($LVS_EX_GRIDLINES, $LVS_EX_FULLROWSELECT, $LVS_EX_SUBITEMIMAGES))
    _GUICtrlListView_InsertColumn($hListView2, 0, "IP Address", 150)
    _GUICtrlListView_InsertColumn($hListView2, 1, "From", 130)
    _GUICtrlListView_InsertColumn($hListView2, 2, "To", 130)
    _GUICtrlListView_InsertColumn($hListView2, 3, "Status", 100)
    $Button1 = GUICtrlCreateButton("Unblock", 12, 393, 99, 25)
    $Checkbox1 = GUICtrlCreateCheckbox("Auto block", 204, 393, 73, 25)
    $atempts = GUICtrlCreateInput("5", 284, 393, 25, 21)
    $minutes = GUICtrlCreateInput("1", 380, 393, 41, 21)
    GUICtrlCreateLabel("attempts in", 316, 393, 55, 17, $SS_CENTERIMAGE)
    GUICtrlCreateLabel("min. For", 428, 393, 41, 17, $SS_CENTERIMAGE)
    $Button2 = GUICtrlCreateButton("White list IP", 116, 393, 75, 25)
    $Input1 = GUICtrlCreateInput("1", 476, 393, 41, 21)
    $Label3 = GUICtrlCreateLabel("day's.", 524, 393, 31, 17, $SS_CENTERIMAGE)
    $TabSheet3 = GUICtrlCreateTabItem("Statistics")
    $Combo1 = GUICtrlCreateCombo("Total failed login count", 12, 41, 505, 25, BitOR($CBS_DROPDOWN, $CBS_AUTOHSCROLL))
    GUICtrlSetData(-1, "Failed logins in 1 min|Failed logins in 1 hour|Failed logins in 1 day|Failed logins in 1 month|Failed logins in 1 year|Failed logins all time|Failed username" & Chr(39) & "s in 1 day|Failed username" & Chr(39) & "s in 1 month|")
    $Button3 = GUICtrlCreateButton("Block", 12, 393, 75, 25)
    $Button4 = GUICtrlCreateButton("UnBlock", 92, 393, 75, 25)
    $Button6 = GUICtrlCreateButton("Geolocate", 92 + 80, 393, 75, 25)
    $hListView = GUICtrlCreateListView("", 12, 65, 586, 326)
    _GUICtrlListView_SetExtendedListViewStyle($hListView, BitOR($LVS_EX_GRIDLINES, $LVS_EX_FULLROWSELECT, $LVS_EX_SUBITEMIMAGES))
    _GUICtrlListView_InsertColumn($hListView, 0, "IP Address", 150)
    _GUICtrlListView_InsertColumn($hListView, 1, "Count", 100)
    _GUICtrlListView_InsertColumn($hListView, 2, "Blocked", 100)
    _GUICtrlListView_InsertColumn($hListView, 3, "data", 100)
    $Button5 = GUICtrlCreateButton("Load", 520, 41, 79, 21)
    GUICtrlCreateTabItem("")
    GUISetState(@SW_SHOW)
    #EndRegion ### END Koda GUI section ###

    ; Create GUI
    ;~ $GUI = GUICreate("EventLog", 604, 604)
    ;~ $Progress1 = GUICtrlCreateProgress(8, 25, 590, 25)
    ;~ $Label1 = GUICtrlCreateLabel("Reading event log", 8, 8, 430, 17)
    ;~ $iMemo = GUICtrlCreateEdit("", 2, 360, 600, 242)
    ;~ $hListView = _GUICtrlListView_Create($GUI, "", 2, 75, 600, 280)
    ;~ _GUICtrlListView_InsertColumn($hListView, 1, "IP Address", 150)
    ;~ _GUICtrlListView_InsertColumn($hListView, 2, "Count", 50)
    ;~ $Button1 = GUICtrlCreateButton("Block", 2, 55, 75, 15)
    ;~ $Button2 = GUICtrlCreateButton("UnBlock", 80, 55, 75, 15)
    ;$Button3 = GUICtrlCreateButton("exit", 2, 55, 75, 15)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    $initial_event_count = 10000
    $update_event_count = 100
    $minutes_in_ban_list = 2

    _SQLite_Startup()
    MemoWrite("_SQLite_LibVersion=" & _SQLite_LibVersion() & @CRLF)
    GUICtrlSetData($Progress1, 1)
    ; Keywords 0x8010000000000000 = Audit Failure events in the Security log
    $wevtutil_query = "*[System[band(Keywords,8010000000000000)]]"
    $db_name = @ScriptDir & "\SQLite_v4.db"
    If FileExists($db_name) Then
        ; existing database: only fetch the last hour (timediff is in milliseconds)
        $wevtutil_query = "*[System[band(Keywords,8010000000000000) and TimeCreated[timediff(@SystemTime) < 3600000]]]"
        MemoWrite("Opening existing database. " & $db_name)
        $SQLite_db = _SQLite_Open($db_name)
        $initial_event_count = $update_event_count
    Else
        $wevtutil_query = "*[System[band(Keywords,8010000000000000)]]"
        MemoWrite("Creating new database at: " & $db_name)
        $SQLite_db = _SQLite_Open($db_name)
        MemoWrite("Creating database structure.")
        ; log_id (EventRecordID) is UNIQUE so INSERT OR IGNORE never stores an event twice
        _SQLite_Exec($SQLite_db, "CREATE TABLE ip_list (ID INTEGER PRIMARY KEY AUTOINCREMENT,log_id CHAR(150) UNIQUE, date CHAR(150), ip CHAR(150), user CHAR(150), status CHAR(150))")
        _SQLite_Exec($SQLite_db, "CREATE TABLE blocked_ip_list (ID INTEGER PRIMARY KEY AUTOINCREMENT,ip CHAR(150), date_from DATETIME, date_to DATETIME, status CHAR(150))")
    EndIf
    Update_database()
    AdlibRegister("sheduled_tasks", 1000 * 10)

    ;~ MemoWrite("IP address, failed authentication tires")
    ;~ display_resutls("SELECT ip, count(*) as 'Cnt' FROM ip_list GROUP BY ip;")
    ;~ MemoWrite("Username, failed authentication tires")
    ;~ display_resutls("SELECT user, count(*) as 'Cnt' FROM ip_list GROUP BY user;")
    $per_sec = @YEAR & "-" & @MON & "-" & @MDAY & "T" & @HOUR & ":" & @MIN & ":" & @SEC
    $per_min = @YEAR & "-" & @MON & "-" & @MDAY & "T" & @HOUR & ":" & @MIN
    $per_hour = @YEAR & "-" & @MON & "-" & @MDAY & "T" & @HOUR
    $per_day = @YEAR & "-" & @MON & "-" & @MDAY
    ;~ MemoWrite("Login attempts: per sec")
    ;~ display_resutls("SELECT ip, count(*) as 'count' FROM ip_list WHERE date LIKE '" & $per_sec & "%' GROUP BY ip ORDER by count DESC;")
    ;~ MemoWrite("Login attempts: per min")
    ;~ display_resutls("SELECT ip, count(*) as 'count' FROM ip_list WHERE date LIKE '" & $per_min & "%' GROUP BY ip ORDER by count DESC;")
    ;~ MemoWrite("Login attempts: per hour")
    ;~ display_resutls("SELECT ip, count(*) as 'count' FROM ip_list WHERE date LIKE '" & $per_hour & "%' GROUP BY ip ORDER by count DESC;")
    ;~ MemoWrite("Login attempts: per day")
    ;~ display_resutls("SELECT ip, count(*) as 'count' FROM ip_list WHERE date LIKE '" & $per_day & "%' GROUP BY ip ORDER by count DESC;")

    display_resutls("SELECT ip, count(*) as 'count', status FROM ip_list GROUP BY ip ORDER by count DESC;")
    display_blocked_resutls("SELECT ip, date_from, date_to, status FROM blocked_ip_list ORDER by status")

    ; Loop until user exits
    While 1
        Switch GUIGetMsg()
            Case $GUI_EVENT_CLOSE
                Exit
            Case $Button1
                $iSelect = ControlListView($GUI, "", $hListView2, "GetSelected")
                $sSelect = ControlListView($GUI, "", $hListView2, "GetText", $iSelect)
                MemoWrite("Address: " & $sSelect & " is removed from firewal")
                block_ip_remove($sSelect)
            Case $Button3
                $iSelect = ControlListView($GUI, "", $hListView, "GetSelected")
                $sSelect = ControlListView($GUI, "", $hListView, "GetText", $iSelect)
                MemoWrite("Address: " & $sSelect & " is added to firewal for blocking")
                block_ip_add($sSelect, '525600') ; block selected ip for a year 365*24*60
            Case $Button4
                $iSelect = ControlListView($GUI, "", $hListView, "GetSelected")
                $sSelect = ControlListView($GUI, "", $hListView, "GetText", $iSelect)
                MemoWrite("Address: " & $sSelect & " is removed from firewal")
                block_ip_remove($sSelect)
            Case $Button5
                $sComboRead = GUICtrlRead($Combo1)
            Case $Button6
                $iSelect = ControlListView($GUI, "", $hListView, "GetSelected")
                $sSelect = ControlListView($GUI, "", $hListView, "GetText", $iSelect)
                _GeoLocate($sSelect)
                MemoWrite("Geolocated " & $sSelect)
        EndSwitch
    WEnd
EndFunc   ;==>_Main

Func sheduled_tasks()
    Global $Checkbox1, $atempts, $minutes
    display_resutls("SELECT ip, count(*) as 'count', status FROM ip_list GROUP BY ip ORDER by count DESC;")
    display_blocked_resutls("SELECT ip, date_from, date_to, status FROM blocked_ip_list ORDER by status")
    Update_database()
    If _IsChecked($Checkbox1) Then
        $attempts_time = GUICtrlRead($minutes)
        $attempts_count = GUICtrlRead($atempts)
        ; datetime(date) parses the raw SystemTime ('...T...Z') so the window compare is a real time compare,
        ; and the per-IP threshold must be a HAVING clause: an aggregate cannot be filtered in WHERE
        auto_ban("SELECT ip, COUNT(*) as 'count' FROM ip_list WHERE datetime(date) >= datetime('now','-" & $attempts_time & " minutes') AND status!='Blocked' GROUP BY ip HAVING COUNT(*) >= " & $attempts_count & " ORDER by count DESC")
        ; entries to lift are the ones whose date_to is already in the past
        auto_ban_remove("SELECT ip FROM blocked_ip_list WHERE date_to <= datetime('now') AND status='Blocked'")
    EndIf
EndFunc   ;==>sheduled_tasks

Func block_ip_add($WhatIP, $minutes_in_ban_list = 60)
    RunWait(@ComSpec & ' /c ' & "netsh advfirewall firewall add rule name=[logBlock" & $WhatIP & "] dir=in interface=any action=block remoteip=" & $WhatIP, "", @SW_HIDE)
    ;blocked_ip_list (ID ,ip, date_from, date_to, active)
    SQLite_QUERY("INSERT INTO blocked_ip_list VALUES (null, '" & $WhatIP & "', datetime('now'), datetime('now', '+" & $minutes_in_ban_list & " minutes'), 'Blocked');")
    SQLite_QUERY("UPDATE ip_list SET status='Blocked' WHERE ip='" & $WhatIP & "';")
EndFunc   ;==>block_ip_add

Func block_ip_remove($WhatIP)
    RunWait(@ComSpec & ' /c ' & "netsh advfirewall firewall delete rule name=[logBlock" & $WhatIP & "] dir=in", "", @SW_HIDE)
    SQLite_QUERY("UPDATE blocked_ip_list SET status='Unblocked' WHERE ip='" & $WhatIP & "' AND status='Blocked';")
    SQLite_QUERY("UPDATE ip_list SET status='Unblocked' WHERE ip='" & $WhatIP & "' AND status='Blocked';")
EndFunc   ;==>block_ip_remove

Func Update_database()
    Global $wevtutil_query, $initial_event_count, $Label1
    GUICtrlSetData($Label1, "Reading event log from windows")
    MemoWrite("Generating event log from windows")
    $cmd = 'wevtutil qe Security "/q:' & $wevtutil_query & '" /c:' & $initial_event_count & ' /rd:true /f:xml>C:\wevtutil.xml'
    $wevtutil_query = "*[System[band(Keywords,8010000000000000) and TimeCreated[timediff(@SystemTime) < 3600000]]]" ; after the initial run don't read the whole log, only the last hour
    ;~ MemoWrite($cmd)
    FileDelete("c:\wevtutil.xml")
    Local $foo = RunWait(@ComSpec & ' /c ' & $cmd, @SystemDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
    GUICtrlSetData($Label1, "Reading event log done.")
    MemoWrite("Generating event log done.")
    Global $Label1, $Progress1, $sql_qry
    If 0 Then
        MemoWrite("OLD MODE DATA UPDATE")
        MemoWrite("Reading event log.")
        Local $aArray = 0
        If Not _FileReadToArray("C:\wevtutil.xml", $aArray, 0) Then
            ;MsgBox($MB_SYSTEMMODAL, "", "There was an error reading the file. @error: " & @error) ; An error occurred reading the current script file.
            MemoWrite("!!Warning no events in last 24h, or cant generate event log file at all.")
        EndIf
        MemoWrite("Reading event log done.")
        If IsArray($aArray) Then
            MemoWrite("Phrasing event log.")
            $total_records = UBound($aArray)
            Local $IPArray[0][5]
            Local $sql_qry = ""
            For $vElement In $aArray
                $size = UBound($IPArray) + 1
                ReDim $IPArray[$size][5]
                $ix = $size - 1
                $percent = Round(100 / $total_records * $size)
                GUICtrlSetData($Progress1, $percent)
                GUICtrlSetData($Label1, "Phrasing event log: " & $ix & "/" & $total_records)
                $date = "<TimeCreated SystemTime='(.*?)'/>"
                $array = StringRegExp($vElement, $date, 1)
                If IsArray($array) Then
                    $IPArray[$ix][1] = $array[0]
                Else
                    $IPArray[$ix][1] = "none"
                EndIf
                $EventID = "<EventRecordID>(.*?)</EventRecordID>"
                $array = StringRegExp($vElement, $EventID, 1)
                If IsArray($array) Then
                    $IPArray[$ix][0] = $array[0]
                Else
                    $IPArray[$ix][0] = "none"
                EndIf
                $network = "<Data Name='IpAddress'>(.*?)</Data>"
                $array = StringRegExp($vElement, $network, 1)
                If IsArray($array) Then
                    $IPArray[$ix][2] = $array[0]
                Else
                    $IPArray[$ix][2] = "none"
                EndIf
                $account = "<Data Name='TargetUserName'>(.*?)</Data>"
                $array = StringRegExp($vElement, $account, 1)
                If IsArray($array) Then
                    ;_ArrayDisplay($array)
                    $IPArray[$ix][3] = $array[0]
                Else
                    $IPArray[$ix][3] = "none"
                EndIf
                $sql_qry = "INSERT OR IGNORE INTO ip_list VALUES (null, '" & $IPArray[$ix][0] & "', '" & $IPArray[$ix][1] & "', '" & $IPArray[$ix][2] & "', '" & $IPArray[$ix][3] & "', '');" & @CRLF & $sql_qry
            Next
            MemoWrite("Phrasing event log done.")
            MemoWrite("Inserting data to SQLite.")
            $sql_qry = "begin;" & @CRLF & $sql_qry & @CRLF & "commit;"
            If _SQLite_Exec($SQLite_db, $sql_qry) <> $SQLITE_OK Then
                MsgBox($MB_SYSTEMMODAL, "SQLite Error", _SQLite_ErrMsg())
            EndIf
            MemoWrite("Inserting data to SQLite done.")
        Else
            MemoWrite("No data fo phrasing and inserting to SQLite.")
            GUICtrlSetData($Progress1, 100)
        EndIf
    Else
        MemoWrite("NEW MODE DATA UPDATE")
        MemoWrite("Reading event log.")
        Local $rawdata = FileRead("c:\wevtutil.xml") ; ##### reading supplied file directly !
        MemoWrite("Reading event log done.")
        MemoWrite("Phrasing event log.")
        ; one regex over the whole file: each event yields 4 captures (SystemTime, EventRecordID, TargetUserName, IpAddress)
        Local $captures = StringRegExp($rawdata, "(?i)<TimeCreated SystemTime='(.*?)'/><EventRecordID>(.*?)</EventRecordID>.*?<Data Name='TargetUserName'>(.*?)</Data>.*?<Data Name='IpAddress'>(.*?)</Data>", 3)
        MemoWrite("Phrasing event log done.")
        MemoWrite("Inserting data to SQLite.")
        ;_ArrayDisplay($captures)
        If IsArray($captures) Then
            Local $sql = ""
            If _SQLite_Exec($SQLite_db, "begin;") <> $SQLITE_OK Then
                MsgBox($MB_SYSTEMMODAL, "SQLite Error", _SQLite_ErrMsg())
            EndIf
            For $i = 0 To (UBound($captures) / 4) - 1
                $sql &= "('" & $captures[4 * $i] & "', '" & $captures[4 * $i + 1] & "', '" & $captures[4 * $i + 2] & "', '" & $captures[4 * $i + 3] & "'),"
                ; flush a multi-row INSERT every 500 events and at the end of the list
                If Mod($i + 1, 500) = 0 Or $i = (UBound($captures) / 4) - 1 Then
                    $sql = "INSERT OR IGNORE INTO ip_list (date, log_id, user, ip) VALUES " & StringTrimRight($sql, 1)
                    If _SQLite_Exec($SQLite_db, $sql) <> $SQLITE_OK Then
                        MsgBox($MB_SYSTEMMODAL, "SQLite Error", _SQLite_ErrMsg())
                    EndIf
                    $sql = ""
                EndIf
            Next
            If _SQLite_Exec($SQLite_db, "commit;") <> $SQLITE_OK Then
                MsgBox($MB_SYSTEMMODAL, "SQLite Error", _SQLite_ErrMsg())
            EndIf
        Else
            MemoWrite("No new event to read.")
        EndIf
        MemoWrite("Inserting data to SQLite done.")
    EndIf
EndFunc   ;==>Update_database

Func display_resutls($sql)
    ;MemoWrite("Reading date from SQLite db.")
    Local $aResult, $iRows, $iColumns, $iRval
    Global $SQLite_db, $hListView
    $iRval = _SQLite_GetTable2d($SQLite_db, $sql, $aResult, $iRows, $iColumns)
    If $iRval = $SQLITE_OK Then
        _ArrayDelete($aResult, 0) ; drop the column-name row
        _GUICtrlListView_DeleteAllItems($hListView)
        _GUICtrlListView_AddArray($hListView, $aResult)
        ;_ArrayDisplay($aResult, "Query Result")
        ;~ $iRows = UBound($aResult)-1
        ;~ $iCols = UBound($aResult, 2)-1
        ;~ For $i = 1 To $iRows
        ;~     $string = ""
        ;~     For $x = 0 To $iCols
        ;~         $string = $string & $aResult[$i][$x] & " "
        ;~     Next
        ;~     MemoWrite($string)
        ;~ Next
    Else
        MsgBox($MB_SYSTEMMODAL, "SQLite Error: " & $iRval, _SQLite_ErrMsg())
    EndIf
    ;MemoWrite("Reading date from SQLite db done.")
EndFunc   ;==>display_resutls

Func display_blocked_resutls($sql)
    ;MemoWrite("Reading date from SQLite db.")
    Local $aResult, $iRows, $iColumns, $iRval
    Global $SQLite_db, $hListView2
    $iRval = _SQLite_GetTable2d($SQLite_db, $sql, $aResult, $iRows, $iColumns)
    If $iRval = $SQLITE_OK Then
        _ArrayDelete($aResult, 0)
        _GUICtrlListView_DeleteAllItems($hListView2)
        _GUICtrlListView_AddArray($hListView2, $aResult)
        ;_ArrayDisplay($aResult, "Query Result")
        ;~ $iRows = UBound($aResult)-1
        ;~ $iCols = UBound($aResult, 2)-1
        ;~ For $i = 1 To $iRows
        ;~     $string = ""
        ;~     For $x = 0 To $iCols
        ;~         $string = $string & $aResult[$i][$x] & " "
        ;~     Next
        ;~     MemoWrite($string)
        ;~ Next
    Else
        MsgBox($MB_SYSTEMMODAL, "SQLite Error: " & $iRval, _SQLite_ErrMsg())
    EndIf
    ;MemoWrite("Reading date from SQLite db done.")
EndFunc   ;==>display_blocked_resutls

Func auto_ban($sql)
    ;MemoWrite("Reading date from SQLite db.")
    Local $aResult, $iRows, $iColumns, $iRval
    ; $minutes_in_ban_list is the global set in _Main(); declaring it Local here would pass an empty ban time
    Global $SQLite_db, $hListView, $minutes_in_ban_list
    $iRval = _SQLite_GetTable2d($SQLite_db, $sql, $aResult, $iRows, $iColumns)
    If $iRval = $SQLITE_OK Then
        ;_ArrayDelete($aResult, 0)
        ;_GUICtrlListView_DeleteAllItems($hListView)
        ;_GUICtrlListView_AddArray($hListView, $aResult)
        ;_ArrayDisplay($aResult, "Query Result")
        $iRows = UBound($aResult) - 1
        $iCols = UBound($aResult, 2) - 1
        For $i = 1 To $iRows ; row 0 holds the column names
            block_ip_add($aResult[$i][0], $minutes_in_ban_list)
            MemoWrite("Auto blocking IP: " & $aResult[$i][0] & " for " & $minutes_in_ban_list & " minutes")
        Next
    Else
        MsgBox($MB_SYSTEMMODAL, "SQLite Error: " & $iRval, _SQLite_ErrMsg())
    EndIf
    ;MemoWrite("Reading date from SQLite db done.")
EndFunc   ;==>auto_ban

Func auto_ban_remove($sql)
    ;MemoWrite("Reading date from SQLite db.")
    Local $aResult, $iRows, $iColumns, $iRval
    Global $SQLite_db, $hListView
    $iRval = _SQLite_GetTable2d($SQLite_db, $sql, $aResult, $iRows, $iColumns)
    If $iRval = $SQLITE_OK Then
        ;_ArrayDelete($aResult, 0)
        ;_GUICtrlListView_DeleteAllItems($hListView)
        ;_GUICtrlListView_AddArray($hListView, $aResult)
        ;_ArrayDisplay($aResult, "Query Result")
        $iRows = UBound($aResult) - 1
        $iCols = UBound($aResult, 2) - 1
        For $i = 1 To $iRows
            block_ip_remove($aResult[$i][0])
            ;blocked_ip_list (ID ,ip, date_from, date_to, active)
            MemoWrite("Auto blocking IP: " & $aResult[$i][0] & " REMOVED")
        Next
    Else
        MsgBox($MB_SYSTEMMODAL, "SQLite Error: " & $iRval, _SQLite_ErrMsg())
    EndIf
    ;MemoWrite("Reading date from SQLite db done.")
EndFunc   ;==>auto_ban_remove

Func SQLite_QUERY($sql_qry)
    Global $SQLite_db
    MemoWrite($sql_qry)
    If _SQLite_Exec($SQLite_db, $sql_qry) <> $SQLITE_OK Then
        MsgBox($MB_SYSTEMMODAL, "SQLite Error", _SQLite_ErrMsg())
    EndIf
EndFunc   ;==>SQLite_QUERY

Func _IsChecked($iControlID)
    Return BitAND(GUICtrlRead($iControlID), $GUI_CHECKED) = $GUI_CHECKED
EndFunc   ;==>_IsChecked

; Write a line to the memo control
Func MemoWrite($sMessage)
    $time = _Date_Time_SystemTimeToDateTimeStr(_Date_Time_GetLocalTime())
    GUICtrlSetData($iMemo, $time & " -> " & $sMessage & @CRLF, 1)
EndFunc   ;==>MemoWrite

Func _GeoLocate($ip) ;by llewxam
    ShellExecute("http://www.infosniper.net/index.php?ip_address=" & $ip & "&map_source=1&overview_map=1&lang=1&map_type=1&zoom_level=7")
EndFunc   ;==>_GeoLocate
```

TEST RESULTS for jchd code (14 sec.)

```
03/11/2014 00:07:20 -> Creating new database at: C:\Users\slau\Desktop\SQLite_v4.db
03/11/2014 00:07:20 -> Creating database structure.
03/11/2014 00:07:20 -> Generating event log from windows
03/11/2014 00:07:22 -> Generating event log done.
03/11/2014 00:07:34 -> Generating event log done.
03/11/2014 00:07:34 -> NEW MODE DATA UPDATE
03/11/2014 00:07:34 -> Reading event log.
03/11/2014 00:07:34 -> Reading event log done.
03/11/2014 00:07:34 -> Phrasing event log.
03/11/2014 00:07:34 -> Phrasing event log done.
03/11/2014 00:07:34 -> Inserting data to SQLite.
03/11/2014 00:07:34 -> Inserting data to SQLite done.
```

TEST RESULTS for MY OLD code (~240 sec.)

```
03/11/2014 00:10:20 -> Creating new database at: C:\Users\slau\Desktop\SQLite_v4.db
03/11/2014 00:10:20 -> Creating database structure.
03/11/2014 00:10:21 -> Generating event log from windows
03/11/2014 00:10:22 -> Generating event log done.
03/11/2014 00:10:22 -> OLD MODE DATA UPDATE
03/11/2014 00:10:22 -> Reading event log.
03/11/2014 00:10:23 -> Reading event log done.
03/11/2014 00:10:23 -> Phrasing event log.
03/11/2014 00:14:07 -> Phrasing event log done.
03/11/2014 00:14:07 -> Inserting data to SQLite.
03/11/2014 00:14:08 -> Inserting data to SQLite done.
```

And the winner is!!!! jchd. Great work. But testing these modes once more, I noticed that the found count is not the same for one IP. Why? For this I attach a bigger log if you would like to test: LOGFILE, password as before.
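As an added example (not slaughter's or jchd's code), the auto-ban selection the script hands to SQLite, run through Python's sqlite3 against a constructed ip_list, so the two SQL problems raised in the thread (the string compare against date() that matches the whole day, and the aggregate threshold placed in WHERE) can be checked next to the datetime()/HAVING form; the fixed NOW value and the event rows are constructed.

```python
import sqlite3

# Constructed fixed "now" (UTC) so the run is deterministic; the script uses 'now'.
NOW = "2014-11-03 00:07:30"

# Constructed rows in the script's ip_list layout (log_id, date, ip, user); the
# date is the raw wevtutil SystemTime string exactly as the regex captures it.
# 10.0.0.5 fails five times inside the last two minutes, 10.0.0.9 failed five
# times earlier today, 192.0.2.7 has one stale failure from the day before.
EVENTS = [
    ("1001", "2014-11-03T00:06:10.1234567Z", "10.0.0.5", "administrator"),
    ("1002", "2014-11-03T00:06:30.1234567Z", "10.0.0.5", "admin"),
    ("1003", "2014-11-03T00:06:50.1234567Z", "10.0.0.5", "root"),
    ("1004", "2014-11-03T00:07:05.1234567Z", "10.0.0.5", "guest"),
    ("1005", "2014-11-03T00:07:20.1234567Z", "10.0.0.5", "test"),
    ("1006", "2014-11-03T00:01:00.1234567Z", "10.0.0.9", "sa"),
    ("1007", "2014-11-03T00:01:30.1234567Z", "10.0.0.9", "sa"),
    ("1008", "2014-11-03T00:02:00.1234567Z", "10.0.0.9", "sa"),
    ("1009", "2014-11-03T00:02:30.1234567Z", "10.0.0.9", "sa"),
    ("1010", "2014-11-03T00:03:00.1234567Z", "10.0.0.9", "sa"),
    ("1011", "2014-11-02T23:59:00.1234567Z", "192.0.2.7", "backup"),
]

def ingest(db, events):
    """INSERT OR IGNORE keyed on the UNIQUE log_id (the EventRecordID), which is
    why a rescan of the same window adds no duplicates; returns rows added."""
    before = db.total_changes
    db.executemany(
        "INSERT OR IGNORE INTO ip_list (log_id, date, ip, user, status)"
        " VALUES (?, ?, ?, ?, '')", events)
    return db.total_changes - before

def build_db(events=EVENTS):
    """In-memory copy of the script's ip_list table, loaded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ip_list (ID INTEGER PRIMARY KEY AUTOINCREMENT,"
        " log_id CHAR(150) UNIQUE, date CHAR(150), ip CHAR(150),"
        " user CHAR(150), status CHAR(150))")
    ingest(db, events)
    return db

def naive_window(db, minutes, now=NOW):
    """The thread's original filter. date() yields 'YYYY-MM-DD' and the stored
    value is 'YYYY-MM-DDTHH:MM:SS...Z', so '>=' is a string compare that keeps
    every row from today, whatever the minute window."""
    rows = db.execute(
        "SELECT ip, COUNT(*) FROM ip_list WHERE date >= date(?, ?)"
        " GROUP BY ip ORDER BY 2 DESC", (now, f"-{minutes} minutes")).fetchall()
    return {ip: n for ip, n in rows}

def candidates_to_block(db, minutes, attempts, now=NOW):
    """Corrected auto-ban query: datetime() parses the raw SystemTime (SQLite
    accepts the 'T' separator, long fractions and the 'Z' suffix) and the
    per-IP count threshold goes in HAVING, where aggregates are allowed."""
    rows = db.execute(
        "SELECT ip, COUNT(*) AS cnt FROM ip_list"
        " WHERE datetime(date) >= datetime(?, ?) AND status != 'Blocked'"
        " GROUP BY ip HAVING COUNT(*) >= ? ORDER BY cnt DESC",
        (now, f"-{minutes} minutes", attempts)).fetchall()
    return [ip for ip, _ in rows]

if __name__ == "__main__":
    db = build_db()
    print("naive 2 min window:", naive_window(db, 2))          # all of today
    print("block (5 in 2 min):", candidates_to_block(db, 2, 5))  # ['10.0.0.5']
```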
-
Your code added to the script. Really great idea! What about auto-mode: I haven't tested it yet, so I can't say how it will work. About the time stamp: it was already done, check the updated script in the first post; if you look, the table blocked_ip_list contains date_from and date_to, so it basically is time stamps. date_from = date when the IP was added to the block list, date_to = when it should be removed. And the function block_ip_remove should remove any IPs where the current date >= date_to. About the scan: duplicates can't occur because I use EventRecordID as unique, so the record can't be inserted, but for performance it can be the next step for improvement.
-
Thanks for the tips! I have used your idea of status; it's easier to manage all IP lists. I just haven't had the chance to update the AdlibRegister functionality; as you say it may be a problem on the initial read. This issue will be fixed in a future update.
-
Would this method be faster than the one used now? I'm just concerned that if any value from the line is missing, like TargetUserName, it can get incorrectly associated field values, or am I wrong?
-
Big update
-
Updated the script in the first post. Added firewall rules management.