@packetzero Yes, the rest of the log is formatted right, but under the

data

column, I see something like this:

:{"data":"{\"EventData\":{\"AuthenticationPackageName\":\"Kerberos\",\"ImpersonationLevel\":

that looks right. Hard to look at, but you should be able to parse that string with JSON parser.