Understanding how ADAudit Plus handles security Event Logs and Archiving
In this article :
Question
Explanation
Important considerations
Related topics and articles
Question
I would like to know if there’s a way to store historical security event logs within ADAudit Plus, access older logs, and view the raw event data.
Explanation
ADAudit Plus collects all security-related events from the configured Domain Controllers and processes them before storing them in its internal database or triggering alerts.
However, ADAudit Plus does not retain every raw event that appears in the native Windows Event Viewer. Instead, it performs selective collection and normalisation based on the reports and alert profiles configured within the product.
Here’s what happens under the hood:
ADAudit Plus fetches logs from the network in real time.
It filters out unneeded events according to the audit policies and configurations defined by the administrator.
The product normalises and processes the required events into a standardised format suitable for reporting and alerting.
Only the processed and relevant events are stored in the database, not the raw security event logs.
If you want to verify which event categories are being collected, navigate to:
ADAudit Plus > Configuration > Advanced Configuration
Here you can view and customize the events ADAudit Plus captures. You can also refer to event log library.
Important considerations
To preserve unaltered EVTX files for forensic analysis, compliance, or deep event correlation, you must set up a parallel log retention mechanism using one of the following methods:
Configure Windows Event Forwarding (WEF):
WEF allows Domain Controllers to automatically forward all Security Event Logs to a central Windows Event Collector (WEC) server.
This method helps maintain an archive of original EVTX files in one location without manually exporting from each DC.
For step-by-step guidance, refer to Microsoft’s documentation:
🔗 Configure Windows Event Forwarding
Manual or Automated Export to a SIEM or Collector Tool:
You can use PowerShell scripts or scheduled tasks to periodically export Security Event Logs from each Domain Controller to a SIEM or log management tool, such as ManageEngine EventLog Analyzer.
EventLog Analyzer can ingest these EVTX files directly, index them, and provide advanced correlation, search, and retention capabilities.
Related topics and articles
New to ADSelfService Plus?
Related Articles
How can I set up notifications if ADAudit Plus stops collecting event logs?
In this article: Objective Prerequisites Steps to follow Validation and confirmation Tips Related topics and articles Objective To configure notifications in ADAudit Plus to receive alerts about the product’s performance, failures, and service ...Can I import previously generated security logs into ADAudit Plus?
In this article: Objective Prerequisites Steps to follow Validation and confirmation Tips Related topics and articles Objective Learn how to import EVT/EVTX logs into ADAudit Plus for analysis and auditing by configuring scheduled or one-time imports ...Understanding ADAudit Plus licensing and audit scope in Multi-Domain Controller environments
In this article : Question Explanation Important considerations Related topics and articles Question A customer has four Domain Controllers, but only one Primary Domain Controller. The other three Domain Controllers are additional replicas of the ...Unable to Log Events to Security Logs Event ID 521
In this article Issue description Prerequisites Possible causes Resolution Related topics and articles How to reach support Issue description Event ID 521 is generated when the system fails to write audit events to the Security Log. This typically ...Error: "A Security Package-Specific Error Occurred" (Error Code: 721) in ADAudit Plus
In this article: Issue description Possible causes Prerequisites Resolution Related topics and articles When and how to reach support Issue description When using ManageEngine ADAudit Plus, the following error message appears: "A security ...