Deprecation of Audit v1 Schema

Published: 30 September 2025

Effective: 31 December 2025

Deprecation notice

To improve audit reliability, query performance, and schema consistency across Coralogix, Audit v1 will be retired as of December 31, 2025. After this date, Audit v1 events will no longer be generated or delivered to your audit account.

Action is required to ensure that your parsing rules, dashboards, alerts, and other v1-based assets function properly. Migrate these assets to Audit v2.

Background

Audit v2 introduces a unified, real-time event schema designed for compliance-focused analysis and efficient query processing. Events are written to a designated audit team as they occur (for example, when a user executes a query or an API operation completes). The schema separates a stable audit envelope (metadata such as eventName, eventKind, cxFeatureGroup, actorDetails, and outcome) from an audit payload (eventData or stringifiedEventData, depending on size).

Find the Audit v2 schema here.

What’s affected

Any asset that depends on the v1 schema or v1-only fields will stop working after the EOL date, including:

  • Parsing rules relying on v1 fields
  • Dashboards/visualizations built on v1 fields or filters
  • Alerts querying v1 fields (e.g., audit_schema_version)
  • Saved searches, background queries, and automations referencing v1 event names/fields
  • Integrations that parse v1 envelopes or payloads

Historical v1 data already archived to S3 will remain available per your archive retention, but new v1 events will not be produced after EOL.

What you need to do

We strongly recommend that existing users migrate to Audit v2 for enhanced functionality.

STEP 1 — Enable Audit v2

Go to Settings → Audit Account and toggle Audit v2 on.

Notes:

  • During the transition, both v1 and v2 logs will be sent to your audit account and will contribute to your data usage. Be mindful of your audit account quota. Contact your CS representative if you anticipate exceeding your quota.

  • In v2 logs, the application name remains unchanged (it’s equal to the teamName), but the subsystem name is changed from service to feature group.

STEP 2 — Confirm your audit team setup

  • Create (or verify) your audit team.
  • Membership in the audit team lets users view audit events.
  • To view/manage audit settings, a user needs:
    • team-auditing: ReadConfig (View settings)
    • team-auditing: UpdateConfig (Manage settings)

STEP 3 — Identify v1 usage in parsing rules, dashboards, and alerts

Use these filters to find assets still relying on v1:

DataPrime (v1 only):

source logs | filter $d.audit_schema_version == 'v1'

Lucene (v1 only):

audit_schema_version:"v1"

DataPrime (v2 only):

source logs | filter $d.auditVersion == 'v2'

Lucene (v2 only):

auditVersion:"v2"

STEP 4 — Recreate dependent assets

Recreate or refactor parsing rules, dashboards, alerts, and other v1-based assets to use the v2 schema. Assets built on v1 will cease to function after EOL.

STEP 5 — Disable v1

Once you have validated v2 coverage and updated all assets, disable Audit v1 in Settings → Audit. This prevents duplicate ingestion and avoids unnecessary quota usage.
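
To complement the log filters in Step 3, the following added example (not Coralogix code) scans exported asset definitions for queries that still reference the v1 marker field, which is worth checking before you disable v1 in Step 5. The export layout and asset names are constructed for illustration; only the field names audit_schema_version and auditVersion come from this notice.

```python
import re

# Marker fields named in this notice: v1 events carry audit_schema_version,
# v2 events carry auditVersion.
V1_MARKER = re.compile(r"\baudit_schema_version\b")
V2_MARKER = re.compile(r"\bauditVersion\b")

def iter_strings(node, path="$"):
    """Yield (json_path, text) for every string value in a nested structure."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")

def classify(text):
    """Return 'v1', 'v2', 'mixed', or None when neither marker appears."""
    has_v1 = bool(V1_MARKER.search(text))
    has_v2 = bool(V2_MARKER.search(text))
    if has_v1 and has_v2:
        return "mixed"
    if has_v1:
        return "v1"
    return "v2" if has_v2 else None

def find_v1_references(assets):
    """List (asset name, json_path, status) for strings that still use v1."""
    findings = []
    for asset in assets:
        for path, text in iter_strings(asset):
            status = classify(text)
            if status in ("v1", "mixed"):
                findings.append((asset.get("name", "<unnamed>"), path, status))
    return findings

# Constructed sample; this layout is hypothetical, not a Coralogix export format.
SAMPLE_EXPORT = [
    {"name": "v1 audit volume", "kind": "alert",
     "query": 'audit_schema_version:"v1"'},
    {"name": "Audit overview", "kind": "dashboard", "widgets": [
        {"title": "v2 events",
         "query": "source logs | filter $d.auditVersion == 'v2'"},
        {"title": "all events",
         "query": 'audit_schema_version:"v1" OR auditVersion:"v2"'}]},
]

if __name__ == "__main__":
    for name, path, status in find_v1_references(SAMPLE_EXPORT):
        print(f"{status:5} {name}: {path}")
```

Assets reported as "mixed" already query both schemas and only need the v1 clause removed; assets reported as "v1" need to be rebuilt on v2 fields as described in Step 4.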

What will happen after 31 December 2025?

  • Audit v1 will be permanently disabled.
  • No new v1 events will be generated or delivered to your audit account.
  • Assets that depend on v1 will no longer work.
  • Historical v1 data in your S3 archive remains queryable per your retention, but new data will only be in v2.

Need help?

If you’re unsure whether your environment is impacted or need assistance migrating queries, dashboards, or alerts to v2, contact 24/7 in‑app support or your Technical Account Manager. We can help review your configuration and ensure a smooth transition.