
Event viewer security log not updating

In this case the same 528/4624 event is logged but the logon type indicates a “remote interactive” (aka Remote Desktop) logon. When looking at logon events we need to consider what type of logon we are dealing with: is this an interactive logon at the console of the server indicating the user was physically present, or is it a remote desktop logon? For that matter the logon could be associated with a service starting or a scheduled task kicking off.

An area of audit logging that is often confusing is the difference between two categories in the Windows security log: Account Logon events and Logon/Logoff events. These two categories are related but distinct, and the similarity in the naming convention contributes to the confusion.

You might assume that the logon session begins when you connect to the share and then ends when you disconnect from it – usually when logging off your local workstation. Unfortunately this is not the case: Windows servers only keep network logon sessions alive for as long as you have a file open on the server.

The only type of account you can log on with in this case is a local user account defined in Computer Management \ Local Users and Groups. You don’t hear the term much anymore but local accounts and SAM accounts are the same thing.

Therefore you will see both an Account Logon event (680/4776 [1]) and a Logon/Logoff (528/4624) event in its security log.

On domain controllers you often see one or more logon/logoff pairs immediately following authentication events for the same user. But these logon/logoff events are generated by the group policy client on the local computer retrieving the applicable group policy objects from the domain controller so that policy can be applied for that user. Then approximately every 90 minutes, Windows refreshes group policy and you see a network logon and logoff on the domain controller again. These network logon/logoff events are little more than noise.

In all such cases you will need to look at the Logon Type specified in the logon event 528/540/4624. A full list of Logon Types is provided at the provided links for those events but in short:

When you log on to your workstation or access a shared folder on a file server, you are not “logging onto the domain”. When you log on at the console of the server the events logged are the same as those with interactive logons at the workstation as described above. More often though, you log on to a member server via Remote Desktop.

Basically, after your initial authentication to the domain controller, which logs 672/4768, you also obtain a service ticket (673, 4769) for every computer you log on to, including your workstation, the domain controller itself for the purpose of group policy, and any member servers such as in connection with shared folder access. Then as computers remain up and running and users remain logged on, tickets expire and have to be renewed, which all generate further Account Logon events on the domain controller.
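The Logon Type check described above can be scripted over exported events. The following is an added example, not code from the original article: it reads 4624 events in Windows event XML and separates console and Remote Desktop logons from network, service and scheduled-task logons. The `<Events>` wrapper, user names and addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon Type values recorded in event 4624 (legacy 528/540).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample: five 4624 events wrapped in a constructed <Events> root.
ROWS = [("alice", 2, "-"), ("alice", 3, "192.0.2.10"), ("bob", 10, "192.0.2.44"),
        ("svc_backup", 5, "-"), ("alice", 3, "192.0.2.10")]
EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{ltype}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""
SAMPLE = ("<Events>"
          + "".join(EVENT.format(user=u, ltype=t, ip=ip) for u, t, ip in ROWS)
          + "</Events>")

def parse_logons(xml_text):
    """Yield (user, logon type name, source address) for each 4624 event."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        code = int(data.get("LogonType") or 0)
        name = LOGON_TYPES.get(code, f"Unknown({code})")
        yield data.get("TargetUserName"), name, data.get("IpAddress")

def summarize(xml_text):
    """Count logons per (user, logon type) so repeated network logons stand out."""
    return Counter((user, kind) for user, kind, _ in parse_logons(xml_text))

def hands_on_logons(xml_text):
    """Logons where a person was at the console or connected by Remote Desktop."""
    return [row for row in parse_logons(xml_text)
            if row[1] in ("Interactive", "RemoteInteractive")]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(hands_on_logons(SAMPLE))
```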


