# Deprecation of Audit v1 schema **Published:** September 30, 2025 **Effective:** December 31, 2025 ## Deprecation notice To improve audit reliability, query performance, and schema consistency across Coralogix, **Audit v1 will be retired as of December 31, 2025**. After this date, **Audit v1 events will no longer be generated or delivered** to your audit account. **Action is required** to ensure that your parsing rules, dashboards, alerts, and other v1-based assets function properly. Migrate these assets to **Audit v2**. ## Background Audit v2 introduces a unified, real-time event schema designed for compliance-focused analysis and efficient query processing. Events are written to a designated **audit team** as they occur (for example, when a user executes a query or an API operation completes). The schema separates a stable **audit envelope** (metadata such as `eventName`, `eventKind`, `cxFeatureGroup`, `actorDetails`, and `outcome`) from an **audit payload** (`eventData` or `stringifiedEventData`, depending on size). Find the Audit v2 schema [here](https://coralogix.com/docs/user-guides/data-layer/system_dataspace/aaa_audit-events/index.md). ## What’s affected Any asset that depends on the **v1 schema or v1-only fields** will stop working after the EOL date, including: - **Parsing rules** relying on v1 fields - **Dashboards/visualizations** built on v1 fields or filters - **Alerts** querying v1 fields (e.g., `audit_schema_version`) - **Saved searches, background queries, and automations** referencing v1 event names/fields - **Integrations** that parse v1 envelopes or payloads Historical **v1 data already archived to S3** will remain available per your archive retention, but **new v1 events will not be produced** after EOL. ## What you need to do [Audit v2](https://coralogix.com/docs/user-guides/data-layer/system_dataspace/aaa_audit-events/index.md) has been enabled for all user accounts. Here is what you need to do: ### STEP 1 — Identify v1 usage in parsing rules, dashboards, and alerts Use these filters to find assets still relying on v1: **DataPrime (v1 only):** ```text source logs | filter $d.audit_schema_version == 'v1' ``` **Lucene (v1 only):** ```text audit_schema_version:"v1" ``` **DataPrime (v2 only):** ```text source logs | filter $d.auditVersion == 'v2' ``` **Lucene (v2 only):** ```text auditVersion:"v2" ``` ### STEP 2 — Recreate dependent assets Recreate or refactor **parsing rules**, **dashboards, alerts, and other v1-based assets** to use the [v2 schema](https://coralogix.com/docs/user-guides/data-layer/system_dataspace/aaa_audit-events/index.md). Assets built on v1 will cease to function after EOL. ### STEP 3 — Disable v1 Once you have validated v2 coverage and updated all assets, **disable Audit v1** in **Settings → Audit**. This prevents duplicate ingestion and avoids unnecessary quota usage. ## What will happen after 31 December 2025? - **Audit v1 will be permanently disabled.** - **No new v1 events** will be generated or delivered to your audit account. - **Assets** that depend on v1 will no longer work. - Historical **v1 data in your S3 archive** remains queryable per your retention, but new data will only be in **v2**. ## Need help? If you’re unsure whether your environment is impacted or need assistance migrating queries, dashboards, or alerts to v2, contact **24/7 in‑app support** or your **Technical Account Manager**. We can help review your configuration and ensure a smooth transition.