Listing 1: Command to Extract Kerberos Failed Authentication Events

logparser "SELECT TimeGenerated, EXTRACT_TOKEN(Strings,0,'|') AS UserName, EXTRACT_TOKEN(Strings,9,'|') AS IPAddress, EXTRACT_TOKEN(Strings,6,'|') AS FailureCode, REPLACE_IF_NULL(EXTRACT_VALUE('0x6=Bad username!0xC=Logon workstation restriction!0x12=Account disabled, expired or locked out or logon time restriction!0x17=Password expired!0x18=Bad password!0x20=Ticket expired!0x25=Clock skew',FailureCode,'!'),'Please see error codes in Kerberos RFC http://www.ietf.org/rfc/rfc1510.txt') AS FailureDesc FROM Security WHERE (EventID=672) AND EventType=16"