Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fuser-guides%2Flatest-updates%2Fdeprecations%2Faudit-v1.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fuser-guides%2Flatest-updates%2Fdeprecations%2Faudit-v1.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

# Deprecation of Audit v1 schema

**Published:** September 30, 2025

**Effective:** December 31, 2025

## Deprecation notice[​](#deprecation-notice "Direct link to Deprecation notice")

To improve audit reliability, query performance, and schema consistency across Coralogix, **Audit v1 will be retired as of December 31, 2025**. After this date, **Audit v1 events will no longer be generated or delivered** to your audit account.

**Action is required** to ensure that your parsing rules, dashboards, alerts, and other v1-based assets function properly. Migrate these assets to **Audit v2**.

## Background[​](#background "Direct link to Background")

Audit v2 introduces a unified, real-time event schema designed for compliance-focused analysis and efficient query processing. Events are written to a designated **audit team** as they occur (for example, when a user executes a query or an API operation completes). The schema separates a stable **audit envelope** (metadata such as `eventName`, `eventKind`, `cxFeatureGroup`, `actorDetails`, and `outcome`) from an **audit payload** (`eventData` or `stringifiedEventData`, depending on size).

Find the Audit v2 schema [here](https://coralogix.com/docs/docs/user-guides/data-layer/system_dataspace/aaa_audit-events/.md).

## What’s affected[​](#whats-affected "Direct link to What’s affected")

Any asset that depends on the **v1 schema or v1-only fields** will stop working after the EOL date, including:

* **Parsing rules** relying on v1 fields
* **Dashboards/visualizations** built on v1 fields or filters
* **Alerts** querying v1 fields (e.g., `audit_schema_version`)
* **Saved searches, background queries, and automations** referencing v1 event names/fields
* **Integrations** that parse v1 envelopes or payloads

Historical **v1 data already archived to S3** will remain available per your archive retention, but **new v1 events will not be produced** after EOL.

## What you need to do[​](#what-you-need-to-do "Direct link to What you need to do")

[Audit v2](https://coralogix.com/docs/docs/user-guides/data-layer/system_dataspace/aaa_audit-events/.md) has been enabled for all user accounts. Here is what you need to do:

### STEP 1 — Identify v1 usage in parsing rules, dashboards, and alerts[​](#step-1--identify-v1-usage-in-parsing-rules-dashboards-and-alerts "Direct link to STEP 1 — Identify v1 usage in parsing rules, dashboards, and alerts")

Use these filters to find assets still relying on v1:

**DataPrime (v1 only):**

```
source logs | filter $d.audit_schema_version == 'v1'
```

**Lucene (v1 only):**

```
audit_schema_version:"v1"
```

**DataPrime (v2 only):**

```
source logs | filter $d.auditVersion == 'v2'
```

**Lucene (v2 only):**

```
auditVersion:"v2"
```

### STEP 2 — Recreate dependent assets[​](#step-2--recreate-dependent-assets "Direct link to STEP 2 — Recreate dependent assets")

Recreate or refactor **parsing rules**, **dashboards, alerts, and other v1-based assets** to use the [v2 schema](https://coralogix.com/docs/docs/user-guides/data-layer/system_dataspace/aaa_audit-events/.md). Assets built on v1 will cease to function after EOL.

### STEP 3 — Disable v1[​](#step-3--disable-v1 "Direct link to STEP 3 — Disable v1")

Once you have validated v2 coverage and updated all assets, **disable Audit v1** in **Settings → Audit**. This prevents duplicate ingestion and avoids unnecessary quota usage.

## What will happen after 31 December 2025?[​](#what-will-happen-after-31-december-2025 "Direct link to What will happen after 31 December 2025?")

* **Audit v1 will be permanently disabled.**
* **No new v1 events** will be generated or delivered to your audit account.
* **Assets** that depend on v1 will no longer work.
* Historical **v1 data in your S3 archive** remains queryable per your retention, but new data will only be in **v2**.

## Need help?[​](#need-help "Direct link to Need help?")

If you’re unsure whether your environment is impacted or need assistance migrating queries, dashboards, or alerts to v2, contact **24/7 in‑app support** or your **Technical Account Manager**. We can help review your configuration and ensure a smooth transition.
