Event viewer security log not updating
You can correlate logon and logoff events by Logon ID which is a hexadecimal code that identifies that particular logon session.
After logging on to a workstation you can typically re-connect to shared folders on a file server. Remember, whenever you access a Windows computer you must obtain a logon session – in this case a “network logon” session.
In this case both the authentication and logon occur on the very same computer because you logged on to the local computer using a local account.
Therefore you will see both an Account Logon event (680/4776 ) and a Logon/Logoff (528/4624) event in its security log.
You might assume that the logon session begins when you connect to the share and then ends when you disconnect from it – usually when logging off your local workstation.
Unfortunately this is not the case: Windows servers only keep network logon sessions alive for as long as you have a file open on the server.
What if we logon to the workstation with an account from a trusted domain?In that case one of the domain controllers in the trusted domain will handle the authentication and log 672/4768 there, with the workstation logging 528/4624 the same as above.In all such “interactive logons”, during logoff, the workstation will record a “logoff initiated” event (551/4647) followed by the actual logoff event (538/4634).In all such cases you will need to look at the Logon Type specified in the logon event 528/540/4624.A full list of Logon Types is provided at the provided links for those events but in short: When you logon to your workstation or access a shared folder on a file server, you are not “logging onto the domain”.
When you logon at the console of the server the events logged are the same as those with interactive logons at the workstation as described above.