diff --git a/dionaea/log_wardenfiler.py b/dionaea/log_wardenfiler.py
index b7b34749b152fa3ee888d78a935ff4c8adda0e34..da70d1d23c7768390c8e5606960322c90bdd959a 100644
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -106,8 +106,14 @@ class LogWardenfilerHandler(ihandler):
         ihandler.__init__(self, path)
         self.path = path
         self._config = config
+    
+    def _fixup_event(self, event):
+        if 'database' in event and isinstance(event['database'], bytes):
+            event['database'] = str(event['database'], "utf-8", "backslashreplace")
+        return event
 
     def _save_event(self, event):
+        event = self._fixup_event(event)
         f, name = self.filer.create_unique_file()
         with f:
             f.write(json.dumps(event, ensure_ascii = True))
@@ -123,9 +129,9 @@ class LogWardenfilerHandler(ihandler):
         if 'nat_port' in self._config:
             self.nat_port = self._config.get('nat_port')
         if 'anon_mask_4' in self._config:
-            self.nat_port = self._config.get('anon_mask_4')
+            self.anon_mask_4 = self._config.get('anon_mask_4')
         if 'anon_mask_6' in self._config:
-            self.nat_port = self._config.get('anon_mask_6')
+            self.anon_mask_6 = self._config.get('anon_mask_6')
         if 'aggr_win' in self._config:
             self.aggr_win = self._config.get('aggr_win')
         if 'test_mode' in self._config:
@@ -164,8 +170,6 @@ class LogWardenfilerHandler(ihandler):
                 c = a["count"]
                 if c > 1:
                     src_ip, dst_ip, dst_port, proto = i.split(',')
-                    if (self.anon_mask_4 < 32) and (not ':' in  dst_ip) or (self.anon_mask_6 < 128):
-                        Target[0]["Anonymised"] = "true"
                     sevent["ID"] = str(uuid4())
                     if len(a["creds"]):
                         sevent["Category"] = ["Recon.Scanning"]
@@ -176,10 +180,12 @@ class LogWardenfilerHandler(ihandler):
                     sevent["ConnCount"] = c
                     af = "IP4" if not ':' in src_ip else "IP6"
                     proto = [proto]
-                    if a["proto"]
+                    if a["proto"]:
                         proto.append(a["proto"])
                     sevent["Source"] = [{"Proto": proto, af: [src_ip], "Port": a["sports"]}]
                     sevent["Target"] = [{"Proto": proto, af: [dst_ip], "Port": [int(dst_port)]}]
+                    if (self.anon_mask_4 < 32) and (not ':' in  dst_ip) or (self.anon_mask_6 < 128):
+                        sevent["Target"][0]["Anonymised"] = "true"
                     if len(a["creds"]):
                         attach = {
                             "Type": ["Credentials"],
@@ -224,20 +230,26 @@ class LogWardenfilerHandler(ihandler):
             }
             event["Category"].append("Intrusion.UserCompromise")
             if s["proto"]:
-                event["Note"] = p[s["proto"]] + "successful login"
-            else
+                event["Note"] = p[s["proto"]] + " successful login"
+            else:
                 event["Note"] = "Successful login attempt"
             attach = {
                 "Type": ["Credentials"],
                 "Note": "Credentials used by attacker used for simulated honeypot login",
                 "Credentials": s["creds"]
             }
-            event["Attach"] = [attach]
+            if "Attach" not in event:
+                event["Attach"] = []
+            event["Attach"].append(attach)
+        else:
+            # login without password or similar thing
+            event["Category"].append("Intrusion.UserCompromise")
+            event["Note"] = "Failed login attempt"
 
         if len(s["cmds"]):
             event["Category"].append("Attempt.Exploit")
             event["Note"] += " with unauthorized command input"
-            idata = "\n".join(str(c) for c in s[cmds])
+            idata = "\n".join(str(c) for c in s["cmds"])
             plain = all(c in string.printable for c in idata)
             eidata = idata if plain else b64encode(idata.encode()).decode()
             attach = {
@@ -249,14 +261,22 @@ class LogWardenfilerHandler(ihandler):
             }
             if not plain:
                 attach["ContentEncoding"] = "base64"
+            if "Attach" not in event:
+                event["Attach"] = []
             event["Attach"].append(attach)
 
         return(event)
 
-    def _register_connection(self, con, proto = None, cred = None, cmd = None)
+    def _register_connection(self, con, proto = None, cred = None, cmd = None):
         if not con in self.sessions:
-            src_ip = con.remote.host.lstrip("::ffff:")
-            dst_ip = con.local.host.lstrip("::ffff:")
+            self.sessions[con] = {}
+
+            src_ip = con.remote.host
+            dst_ip = con.local.host
+            if src_ip.startswith("::ffff:"):
+                src_ip = src_ip[7:]
+            if dst_ip.startswith("::ffff:"):
+                dst_ip = dst_ip[7:]
 
             if self.resolve_nat:
                 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -292,9 +312,9 @@ class LogWardenfilerHandler(ihandler):
             self.sessions[con]["creds"] = []
             self.sessions[con]["cmds"] = []
 
-        aid = ','.join((src_ip, dst_ip, str(con.local.port), con.transport))
+        aid = ','.join((self.sessions[con]["src_ip"], self.sessions[con]["dst_ip"], str(con.local.port), con.transport))
 
-        if not aid in in self.attackers:
+        if not aid in self.attackers:
             self.attackers[aid] = {
                 "count": 0,
                 "sports": [],
@@ -357,7 +377,7 @@ class LogWardenfilerHandler(ihandler):
         con = icd.con
         cmd = icd.command.decode()
         if hasattr(icd, 'arguments'):
-            cmd = " ".join([cmd], icd.arguments)
+            cmd += " " + " ".join(icd.arguments)
         self._register_connection(con, "ftp", cmd = cmd)
         logger.info("new FTP command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))
 
@@ -368,9 +388,9 @@ class LogWardenfilerHandler(ihandler):
 
     def handle_incident_dionaea_modules_python_mysql_command(self, icd):
         con = icd.con
-        cmd = icd.command
+        cmd = str(icd.command)
         if hasattr(icd, 'args'):
-            cmd = " ".join([cmd], icd.args)
+            cmd += "\n" + "\n".join(icd.args)
         self._register_connection(con, "mysql", cmd = cmd)
         logger.info("new MYSQL command within connection from %s:%i to %s:%i" % (con.remote.host, con.remote.port, con.local.host, con.local.port))