Caisey Blog

MSP technicians · May 24, 2026

How to Inspect Windows Event Logs for Kerberos Errors from Caisey Without Exporting .EVTX Files Over Email

Stop emailing .EVTX files for Kerberos troubleshooting. See how Caisey's approval-gated event log queries stream filtered results to your browser with full audit trails—no exports, no screen sharing, no data leakage.
Tags: event logs, Kerberos, security, PowerShell, audit trail, Active Directory

When a client calls about intermittent Active Directory authentication failures, the traditional troubleshooting path puts sensitive data at risk. Most technicians RDP to a domain controller, open Event Viewer, export a .EVTX file, and email it to themselves or a colleague for analysis. That file contains every event in the log—not just the Kerberos pre-authentication failures you need—and it leaves the endpoint with no meaningful audit trail of who accessed what.

Caisey handles this differently. The runtime on the enrolled domain controller executes filtered queries locally, streams results to your browser, and records every step in session history. No file export. No email attachment. No screen sharing session to a production server.

The Problem with .EVTX Exports

Event log exports seem convenient until you trace what actually happens. A 500 MB .EVTX file from a busy domain controller contains account names, IP addresses, workstation names, and sometimes service principal names that reveal application architecture. Once that file hits an inbox or a file share, you lose control over it.

The audit gap is worse. Windows Event Viewer does not log who exported which filter criteria. Your RDP session might be logged, but the specific events a technician reviewed disappear into their local workstation. If a compliance auditor asks six months later who accessed authentication failure data for a specific user account, you have no precise answer.

Setting Up the Kerberos Query in Caisey

Start by locating the enrolled domain controller in Caisey's client grouping. The machine card shows enrollment status, last runtime heartbeat, and current user context. Select the device and open a new session.

Before any event log access, Caisey checks your organization's approval policy. If your MSP has configured security-sensitive operations to require sign-off, the session pauses and notifies the designated security officer. The approval prompt includes the specific operation—"Execute Get-WinEvent with XPath filter on Security log"—and the target machine. This is not a generic UAC elevation; it is a policy-gated authorization tied to your documented change management process.

Once approved, the Caisey runtime on the domain controller executes:

Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4771]]" -MaxEvents 100

The runtime applies the XPath filter before transmitting anything. Only matching events leave the endpoint. The results stream to your browser chat in real time, formatted for readability, with timestamps and account names intact.

Why Streaming Beats Exporting

The critical difference is data sovereignty. Events never rest as a complete file on any intermediate system. The runtime holds the query results in memory, streams them through the Cloudflare Worker control plane, and delivers them to your browser session. When you close the session or the runtime disconnects, the transient data disappears.

Your browser sees exactly what the filter returned—Kerberos pre-authentication failure events with failure codes you can map to specific issues. Code 0x18 means a bad password. Code 0x12 means the account is disabled. Code 0x6 means the user account has been locked out. You get this diagnostic signal without the noise of 4624 logon events, 4768 TGT requests, or 4769 service ticket requests that would bloat an exported log.

If you need a broader view, refine the filter in the same session:

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4771 or EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" -MaxEvents 250

This captures Kerberos-related events from the last 24 hours. The session history records both queries, who executed them, and what approval authorized each one.
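As an added example (not Caisey's own code), the following PowerShell carries the two queries above one step further: it builds the same XPath time window, parses the 4771 EventData fields the runtime would otherwise ship raw, and reduces them to a per-status summary so only the aggregated signal has to leave the domain controller. It assumes it runs on the enrolled domain controller with read access to the Security log; the function name and parameters are this example's own.

```powershell
# Added example: runtime-local filtering and summarization of Kerberos
# pre-authentication failures (Event ID 4771). Not part of the Caisey product.
function Get-KerberosPreAuthFailureSummary {
    param(
        [int]$Hours = 24,       # look-back window, as in the 24-hour filter above
        [int]$MaxEvents = 250
    )
    # timediff() compares in milliseconds, so 24 h = 86400000 ms.
    $windowMs = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4771 and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

    # The filter is applied by the event log service before any event is returned.
    # Get-WinEvent raises a terminating error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Account     = $data['TargetUserName']
            # 4771 records the client as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
            ClientIp    = ($data['IpAddress'] -replace '^::ffff:', '')
            Status      = $data['Status']      # e.g. 0x18 = KDC_ERR_PREAUTH_FAILED (bad password)
            PreAuthType = $data['PreAuthType']
        }
    }
}

# Summarize by failure code, listing the affected accounts for each.
# Codes other than 0x18 are left as hex; the full table is RFC 4120 section 7.5.9.
$failures = Get-KerberosPreAuthFailureSummary -Hours 24
$failures | Group-Object Status | Sort-Object Count -Descending |
    Select-Object @{ n = 'Status';   e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

Re-running the same function after the fix and comparing `$failures.Count` with the first run gives the before/after check the post describes, with both runs recorded in the session history.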

The Audit Trail You Actually Need

Session history in Caisey is not a compliance decoration. It is an operational tool you use during the same incident. When the client reports the authentication issue is resolved, you return to the session record and run the original filter again. Compare the event count: 47 pre-authentication failures in the first query, zero in the verification query. The fix—perhaps a password reset, clock synchronization, or SPN correction—worked.

The transcript shows the security officer who approved the initial access, the exact XPath filter used, the timestamp of both queries, and the technician who executed them. If the client later questions whether their event logs were handled properly, you have a reviewed transcript you can share without exposing unrelated event data.

Handling Approval Prompt Recovery

Approval gates only work if they are reliable. If the security officer is in a meeting when the Kerberos investigation is urgent, Caisey's stalled prompt recovery does not simply extend the timeout indefinitely. The system notifies alternative approvers according to your escalation policy and records the delay in operational analytics. You can see which approval types bottleneck your incident response and adjust coverage accordingly.

Comparing to Alternative Approaches

PowerShell over a traditional RMM avoids the .EVTX export but introduces its own problems. The RMM's script execution window typically runs without session persistence—if your connection drops mid-query, you lose the output and the audit trail. Manual transcript recording is inconsistent. Screen sharing to the domain controller's desktop exposes the full Event Viewer interface, including unrelated events and potentially other technicians' sessions.

Caisey's bridge-based endpoint connectivity means you do not need VPN access or direct RDP to the domain controller. The runtime maintains its connection through network changes, and the browser-coordinated query executes even when you are troubleshooting from a different continent.

Operationalizing the Pattern

After resolving two or three Kerberos incidents this way, your team will recognize the failure code patterns without reference lookups. The session history becomes a searchable knowledge base. When the same client's authentication issues recur, you find the previous Caisey session, verify the same filter approach, and check whether the root cause was actually fixed or just suppressed.

For MSPs managing multiple Active Directory environments, this workflow scales without scaling risk. Each client's domain controllers remain in their own Clerk-based org isolation. A technician searching for "Kerberos 4771" sees only machines they have permission to access, and every query is scoped to a single enrolled endpoint with its own approval history.

The .EVTX export habit dies hard because it feels like having "the data." But the data you need is the filtered, interpreted signal—not the raw log mass. Caisey's runtime-local filtering gives you that signal with controls that match how modern MSPs actually operate: distributed, audited, and accountable.