Security Event log filtering

This topic contains 1 reply, has 2 voices, and was last updated by Daniel Krebs 2 years, 8 months ago.

April 3, 2015 at 6:26 am #23934
Jared Derby (Participant)

We are tracking event ID 4771 bad pwd events by forwarding them from all DCs to a 2012 admin server. I have figured out how to filter the XML data to find a given user. Now what I'm looking to do is pull data from each of the individual events.

Sample event:

    Kerberos pre-authentication failed.

    Account Information:
        Security ID: *************
        Account Name: %username%

    Service Information:
        Service Name: *******

    Network Information:
        Client Address: ::ffff:*******8
        Client Port: 62980

    Additional Information:
        Ticket Options: 0x40810010
        Failure Code: 0x18
        Pre-Authentication Type: 2

I truncated the rest off. I would like to pull just the Network Information, and specifically the client address, and then export the data via CSV. Any help in pointing me in the right direction would be great.

April 3, 2015 at 8:33 am #23937
Daniel Krebs (Moderator)

Check out these resources found via a Google search for "powershell event 4771 script":

http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
http://blogs.technet.com/b/nzdse/archive/2011/12/11/powershell-script-retrieve-specific-event-id-s-from-event-log-on-multiple-computers.aspx
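
Added example (not part of the original posts and not taken from the linked articles): one way to pull the client address out of each 4771 event and export it to CSV with PowerShell. It assumes the forwarded events land in the collector's default ForwardedEvents log; the function names, the user jdoe, the sample event and the CSV path are constructed for illustration.

```powershell
# Added example; function names, sample values and paths are hypothetical.
function ConvertFrom-Event4771Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # EventData is a flat list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated      = $evt.System.TimeCreated.SystemTime
            DomainController = $evt.System.Computer
            AccountName      = $data['TargetUserName']
            # Drop the IPv4-mapped IPv6 prefix so the address groups cleanly.
            ClientAddress    = $data['IpAddress'] -replace '^::ffff:', ''
            ClientPort       = $data['IpPort']
            FailureCode      = $data['Status']
        }
    }
}

# Live use on the collector (assumes the default ForwardedEvents log).
function Export-Event4771 {
    param([string]$User, [string]$Path)
    $xpath = "*[System[EventID=4771] and EventData[Data[@Name='TargetUserName']='$User']]"
    Get-WinEvent -LogName ForwardedEvents -FilterXPath $xpath |
        ForEach-Object { $_.ToXml() } | ConvertFrom-Event4771Xml |
        Export-Csv -Path $Path -NoTypeInformation
}

# Constructed sample in the 4771 XML layout (all values made up; 192.0.2.8 is a documentation address).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><TimeCreated SystemTime="2015-04-03T06:20:11Z"/><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="ServiceName">krbtgt/EXAMPLE</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.0.2.8</Data>
    <Data Name="IpPort">62980</Data>
  </EventData>
</Event>
'@
# Offline check of the parser: prints the CSV header and one row for the sample.
$sample | ConvertFrom-Event4771Xml | ConvertTo-Csv -NoTypeInformation
```

On the collector, `Export-Event4771 -User jdoe -Path .\4771-jdoe.csv` writes one row per matching event; grouping the result by ClientAddress shows which host is sending the bad passwords.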