We are tracking event ID 4771 bad password events by forwarding them from all DCs to a 2012 admin server. I have figured out how to filter the XML data to find a given user. Now what I'm looking to do is pull data from each of the individual events:
Kerberos pre-authentication failed.
Security ID: *************
Account Name: %username%
Service Name: *******
Client Address: ::ffff:*******8
Client Port: 62980
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
I truncated the rest off.
I would like to pull just the Network Information, specifically the client address, and then export the data via CSV.
Any help in pointing me in the right direction would be great.
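
One way to pull the client address out of each 4771 event and export it, as an added example that is not part of the original post. The function name `ConvertFrom-Event4771Xml`, the sample event (host, user, and address are constructed), the output file name, and the use of the default `ForwardedEvents` log on the collector are assumptions.

```powershell
# Added example: turn the XML of a 4771 event into a flat object for CSV export.
# TargetUserName, IpAddress, IpPort and Status are the EventData field names of event 4771.
function ConvertFrom-Event4771Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> elements into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated   = $evt.System.TimeCreated.SystemTime
            Computer      = $evt.System.Computer
            AccountName   = $data['TargetUserName']
            # IPv4 clients are logged as IPv4-mapped IPv6; strip the ::ffff: prefix
            ClientAddress = $data['IpAddress'] -replace '^::ffff:', ''
            ClientPort    = $data['IpPort']
            FailureCode   = $data['Status']
        }
    }
}

# Constructed sample event (not real data) so the function can be tried offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4771</EventID>
    <TimeCreated SystemTime="2015-01-01T12:00:00.000000000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="ServiceName">krbtgt/EXAMPLE</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.0.2.10</Data>
    <Data Name="IpPort">62980</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event4771Xml | Export-Csv -Path .\4771-sample.csv -NoTypeInformation

# On the collector (assumes forwarded events land in the ForwardedEvents log):
# Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4771 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4771Xml |
#     Where-Object AccountName -eq 'jdoe' |
#     Export-Csv -Path .\4771.csv -NoTypeInformation
```

Grouping the resulting rows by `ClientAddress` shows which hosts are generating the bad-password attempts for a given account.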