Possible to watch for other types of failed logins? #25

Open
mad-tunes opened this issue Dec 14, 2019 · 2 comments


mad-tunes commented Dec 14, 2019

Hi,

I've been looking for something like this for use at home for a good while, and it does a really good job - thanks very much. It still works a treat on Server 2019.

Adding two things would make it even more useful (to me at least, but I'd bet others too):
- Watching for VPN login failures too
- Logging to a file (so I can read that with another app that doesn't talk Windows event logs)

I haven't ever touched VB before though, and get nowhere fast trying to add these to ts_block.
Anyone kind enough to point me in the right direction please?

Also, there's one (minor) issue I've found while using it:
If it's created a firewall rule, and you then restart the machine it's running on - the rule's left there forever.
It seems that wildcards can't be used when removing firewall rules, so 'remove Blackhole*' won't do the trick. Is just removing all during startup even a valid approach though?
Is there some other way to remove old rules after a restart, or maybe re-import them then remove them once the right period's passed?


moteus commented Dec 14, 2019

Maybe utils like nxlog can forward logs from file to eventlog.
Personally I wrote my own util to deal with the file logs.

@greatquux

@mad-tunes my fork will allow you to pick (via registry) if you want to use the routing table on later Windows versions to create the blackhole route, these routes are non-persistent so don't survive a reboot; I added this originally because I didn't want to use the Windows firewall.
https://github.com/greatquux/ts_block

as for adding other types of login failures, that probably would be useful, but seems complicated too lol. https://serverfault.com/questions/233222/ban-ip-address-based-on-x-number-of-unsuccessful-login-attempts has a lot of attempts for various things.
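
For the stale-rule cleanup asked about in the first comment, the following is an added example, not code from ts_block or from any participant in this thread. It assumes the leftover rules are block rules whose display name starts with `Blackhole` (the prefix quoted in the issue); the function name `Remove-StaleBlackholeRule` is hypothetical.

```powershell
# Added example, not part of ts_block.
# Assumption: stale rules are block rules whose display name starts with
# "Blackhole", the prefix quoted in the issue.
function Remove-StaleBlackholeRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Display-name prefix of the rules to clean up (assumed value).
        [string]$Prefix = 'Blackhole'
    )

    # Get-NetFirewallRule accepts wildcards in -DisplayName, so the whole
    # family of rules can be selected in one call.
    $rules = Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
        Where-Object { $_.Action -eq 'Block' }   # never touch allow rules that share the prefix

    foreach ($rule in $rules) {
        # ShouldProcess makes -WhatIf and -Confirm work for the destructive step.
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Remove firewall rule')) {
            $rule | Remove-NetFirewallRule
            $rule.DisplayName   # emit the name of each removed rule for logging
        }
    }
}

# Preview what would be removed. Run elevated, e.g. from a startup scheduled task.
Remove-StaleBlackholeRule -WhatIf

# Uncomment to actually remove the rules.
# Remove-StaleBlackholeRule
```

Clearing every matching rule at startup also lifts blocks whose timeout had not yet expired, so those addresses are only blocked again once they trip the failure threshold anew.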
