Security Event log filtering

We are tracking event ID 4771 bad pwd events by forwarding them from all DCs to a 2012 admin. server. I have figured out how to filter the XML data to find a given user. Now what I’m looking to do is pull data from each of the individual events:

Sample event:

Kerberos pre-authentication failed.

Account Information:
Security ID: *************
Account Name: %username%

Service Information:
Service Name: *******

Network Information:
Client Address: ::ffff:*******8
Client Port: 62980

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

I truncated the rest off.

I would like to pull just the Network Information: and specifically the client address, and then export the data via csv.

Any help in pointing me in the right direction would be great.

Check out these resources found via a Google search for “powershell event 4771 script”:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
http://blogs.technet.com/b/nzdse/archive/2011/12/11/powershell-script-retrieve-specific-event-id-s-from-event-log-on-multiple-computers.aspx
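
An added example, not taken from the posts above or from the linked scripts: one way to pull the client address out of each 4771 event's XML and write it to CSV. The function name, the constructed sample event, the ForwardedEvents log name and the CSV path are assumptions; TargetUserName, IpAddress, IpPort and Status are the EventData field names of event 4771.

```powershell
# Added example. Assumptions: forwarded events land in the ForwardedEvents log,
# and the CSV path below is arbitrary.
function ConvertFrom-Event4771Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Index the <Data Name="..."> elements of EventData by their Name attribute.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated      = $evt.System.TimeCreated.SystemTime
            DomainController = $evt.System.Computer
            AccountName      = $data['TargetUserName']
            # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); drop the prefix.
            ClientAddress    = $data['IpAddress'] -replace '^::ffff:', ''
            ClientPort       = $data['IpPort']
            FailureCode      = $data['Status']
        }
    }
}

# Constructed sample event (user, host and address are made up) so this runs offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4771</EventID>
    <TimeCreated SystemTime="2013-01-10T14:02:11.000000000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="ServiceName">krbtgt/EXAMPLE</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.0.2.10</Data>
    <Data Name="IpPort">62980</Data>
  </EventData>
</Event>
'@

$rows = $sampleXml | ConvertFrom-Event4771Xml
$rows | Export-Csv -Path .\4771-client-addresses.csv -NoTypeInformation

# Against the collector, replace the sample with the live log:
# Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4771 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4771Xml |
#     Export-Csv -Path .\4771-client-addresses.csv -NoTypeInformation
```

Grouping the resulting rows by AccountName and ClientAddress shows which hosts are generating the failed pre-authentications for a given user.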