How to restore archived events in ADAudit Plus

How to restore archived events in ADAudit Plus

Objective   

To restore archived event data or backed-up Evt/Evtx files in ADAudit Plus so you can access older audit logs for reporting, forensic analysis, or compliance purposes.

 Prerequisites   

  • You must have administrative access or delegate permission to perform the action in the ADAudit Plus web console.

  • Archived event data must be available in the archive folder configured in ADAudit Plus.

Steps to follow 

Step 1: Understand why restoring archived events is required 

The Restore Archived Events option is used when you need to generate reports for older event data that was previously archived or cleared from the working database. This can include data processed by ADAudit Plus or backed-up Evt/Evtx files.

 Step 2: Learn how older data is archived

 When event log data is cleared from the database, it is compressed into ZIP files and stored in an archive folder.
  • The archive folder is configured under Archive Events in ADAudit Plus.

  • By default, the folder is located at:
    <installation directory>\archive

  • Each ZIP file contains event data for a specific report category and time range.

 Step 3: Restore archived data 

  1. In the ADAudit Plus web console, go to Admin > Configuration > click Restore Archived Events.
  2. You will see all archived event data displayed by category and date range, with options to load or unload data.

  3. Locate the date range you want to restore.

  4. Click the Load Data icon to bring the archived data back into the working database.

  5. You can repeat this step to select one or more date ranges, depending on which events you want to restore.

  6. After the data has been restored, go to the Reports tab.

  7. Select Custom Range as the date filter in the report you want to view. The restored events will now appear in report results.

 Step 4: Re-archive restored events

 Once archived events have been restored, you can unload them when you no longer need them in the working database:
  1. In the list of restored data, find the entry you want to re-archive.

  2. Click the Unload icon (load data icon) next to the restored data.

  3. This will immediately move the data back to the archive folder.

Note:
Any restored archived data that remains in the database for more than two days (48 hours) will be automatically re-archived by ADAudit Plus.

 Validation and confirmation 

  • Confirm that the restored event data appears in the Reports tab by selecting the custom period covering the restored date range.
  • Review the specific report categories to ensure older audit events are displayed correctly.

  • Check that any unloaded data no longer appears in the working database after re-archiving.

 Tips 

  • Always verify available disk space before restoring large volumes of archived data.
  • Use precise date ranges to avoid restoring more data than necessary.

  • Plan re-archiving to keep your working database optimized and to maintain reporting performance.


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                      Related Products