Here's my scenario.
Our users regularly lock their AD accounts because they change their AD password and something else is still using it, e.g. (1) an RDP session on a server, (2) a PC, (3) their mobile phone's connection to the wireless, etc. They call the Help Desk, who raise a ticket and assign it to the AD team (yes, this is crazy).
What we have so far is that all 2008 DCs send any "4740" lockout events to the "Forwarded Events" log on a single server. It's easy to find a user name in this single log and look at the "Caller Computer Name" to see which device locked the account. But we can get upwards of 6 lockouts per day.
What I'd like to do is export the fields from the "forwarded events" log to an xml file, upload that to a Sharepoint site which then either display the XML file or give a search box option for the Help Desk to use.
The problem is: the data exported from "forwardedevents.evtx" is not on easily identifiable lines, e.g. (these are just the specific fields from the first XML file, and the ":" colons at the start of the lines are in reality "<" characters):
<LST>
<T>System.Diagnostics.Eventing.Reader.EventProperty</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<S N="Value">USERNAME</S>
</Props>
</Obj>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<S N="Value">LOCKOUTDEVICENAME</S>
</Props>
</Obj>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<S N="Value">S-1-5-21-1374728295-2581122833-3067303445-123456</S>
</Props>
</Obj>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<S N="Value">S-1-5-18</S>
</Props>
</Obj>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
</Obj>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<S N="Value">DOMAINYY</S>
</Props>
</Obj>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
</Obj>
</LST>
The data is also in another field.
<S N="Message">A user account was locked
out._x000D__x000A__x000D__x000A_Subject:_x000D__x000A__x0009_Security
ID:_x0009__x0009_S-1-5-18_x000D__x000A__x0009_Account
Name:_x0009__x0009_DC1$_x000D__x000A__x0009_Account
Domain:_x0009__x0009_DOMAINYY_x000D__x000A__x0009_Logon
ID:_x0009__x0009_0x3e7_x000D__x000A__x000D__x000A_Account That Was Locked
Out:_x000D__x000A__x0009_Security
ID:_x0009__x0009_S-1-5-21-1374728295-2581122839-3067303445-123456_x000D__x000A__x0009_Account
Name:_x0009__x0009_USERNAME_x000D__x000A__x000D__x000A_Additional
Information:_x000D__x000A__x0009_Caller Computer
Name:_x0009_LOCKOUTDEVICENAME</S>
</MS>
The fields I want to export to the xml file for the Sharepoint site are
DC1$
USERNAME
LOCKOUTDEVICENAME
Any clues how I can do this?
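One way to get those three fields out cleanly, as an added example rather than code from the original post: go back to the events with Get-WinEvent instead of parsing the Export-Clixml output, read each 4740 event's own XML so the fields are picked by name, and write a flat report. It assumes it runs on the collector holding the Forwarded Events log, that the output path is a placeholder, and it uses only cmdlets available on PowerShell 2.0.

```powershell
# Added example (not from the original post). Assumes it runs on the
# collector server; $OutXml is a placeholder path to change.
$OutXml = 'C:\Reports\Lockouts.xml'

# Only 4740 events from the last day; adjust StartTime to the report window.
$filter = @{ LogName = 'ForwardedEvents'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the event's own XML so each field is found by its Name
        # attribute, not by its position in the Properties array.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # In 4740, TargetDomainName carries the "Caller Computer Name". It can
        # be blank when the DC could not attribute the bad passwords to a
        # source, so mark it rather than let the Help Desk blame the DC.
        $caller = $data['TargetDomainName']
        if (-not $caller) { $caller = '(not recorded)' }

        # New-Object PSObject works on PowerShell 2.0 (order of properties
        # follows the hashtable and is cosmetic for the report).
        New-Object PSObject -Property @{
            Time         = $_.TimeCreated
            DC           = $data['SubjectUserName']   # e.g. DC1$
            User         = $data['TargetUserName']    # locked-out account
            CallerDevice = $caller                    # device that locked it
        }
    }

# ConvertTo-Xml writes one <Object> per row with named <Property> elements,
# which is much easier to search or display than the Export-Clixml layout.
$rows | ConvertTo-Xml -As String -NoTypeInformation | Set-Content -Path $OutXml

# The same rows as CSV, in case the SharePoint site takes a list import instead.
$rows | Export-Csv -Path ([IO.Path]::ChangeExtension($OutXml, 'csv')) -NoTypeInformation
```

Because the event collector already has every DC's 4740 events, one scheduled run of this on the collector replaces the manual search through the log.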