elementary-data · ofek1weiss · Feb 10, 2026
diff --git a/docs/cloud/integrations/log-streaming/datadog.mdx b/docs/cloud/integrations/log-streaming/datadog.mdx
@@ -72,40 +72,22 @@ The log streaming configuration applies to your entire workspace. All logs match
 
 Logs are sent to Datadog with the following structure:
 
-### User Activity Logs
-
-Each user activity log entry includes:
-
 - `timestamp`: ISO 8601 timestamp of the event
+- `log_type`: The type of log (`audit` for user activity logs, `system` for system logs)
 - `status`: Log level (`info` for successful actions, `error` for failed actions)
-- `message`: Human-readable description of the action
-- `service`: Service name (configurable, defaults to `elementary`)
-- `source`: Source tag (configurable, defaults to `elementary-cloud`)
-- `dd.tags`: Additional tags including:
-  - `log_type:audit`
-  - `action:<action_name>` (e.g., `user_login`, `create_test`)
-  - `success:<true|false>`
-  - `user_email:<user_email>`
-  - `env_id:<environment_id>` (if applicable)
-  - `env_name:<environment_name>` (if applicable)
-- Custom attributes from the event content (JSON parsed)
-
-### System Logs
-
-Each system log entry includes:
-
-- `timestamp`: ISO 8601 timestamp of the event
-- `status`: Log level (`info` for successful operations, `error` for failed operations)
-- `message`: Human-readable description of the system event
 - `service`: Service name (configurable, defaults to `elementary`)
 - `source`: Source tag (configurable, defaults to `elementary-cloud`)
+- `event_name`: The specific action that was performed (e.g., `user_login`, `create_test`)
+- `success`: Boolean indicating whether the action completed successfully
+- `user_email`: User email address (only present in audit logs)
+- `user_name`: User display name (only present in audit logs)
+- `env_id`: Environment identifier (empty for account-level actions)
+- `env_name`: Environment name (empty for account-level actions)
+- `event_content`: Additional context-specific information as a JSON object
 - `dd.tags`: Additional tags including:
-  - `log_type:system`
-  - `action:<action_name>` (e.g., `dbt_data_sync_completed`, `alerts_sent`)
-  - `success:<true|false>`
+  - `log_type:<log_type>` (e.g., `audit`, `system`)
+  - `event_name:<event_name>` (e.g., `user_login`, `create_test`)
   - `env_id:<environment_id>` (if applicable)
-  - `env_name:<environment_name>` (if applicable)
-- Custom attributes from the event content (JSON parsed)
 
 ## Viewing Logs in Datadog
 
@@ -115,8 +97,8 @@ You can filter logs using:
 - `source:elementary-cloud` - All Elementary logs
 - `log_type:audit` - User activity logs only
 - `log_type:system` - System logs only
-- `action:<action_name>` - Specific action types
-- `env_name:<environment_name>` - Logs from a specific environment
+- `event_name:<event_name>` - Specific action types
+- `env_id:<environment_id>` - Logs from a specific environment
 - `success:false` - Failed operations only
 
 <Frame>

diff --git a/docs/cloud/integrations/log-streaming/gcs.mdx b/docs/cloud/integrations/log-streaming/gcs.mdx
@@ -121,16 +121,13 @@ Each user activity log entry includes:
 {
   "timestamp": "2024-01-15T14:30:45.123456Z",
   "log_type": "audit",
-  "action": "user_login",
+  "event_name": "user_login",
   "success": true,
-  "user": {
-    "id": "usr_abcdef1234567890",
-    "email": "john.doe@example.com",
-    "name": "John Doe"
-  },
+  "user_email": "john.doe@example.com",
+  "user_name": "John Doe",
   "env_id": "env_7890123456abcdef",
   "env_name": "Production",
-  "data": {
+  "event_content": {
     "additional": "context"
   }
 }
@@ -144,11 +141,11 @@ Each system log entry includes:
 {
   "timestamp": "2024-01-15T14:30:45.123456Z",
   "log_type": "system",
-  "action": "dbt_data_sync_completed",
+  "event_name": "dbt_data_sync_completed",
   "success": true,
   "env_id": "env_7890123456abcdef",
   "env_name": "Production",
-  "data": {
+  "event_content": {
     "environment_id": "env_789",
     "environment_name": "Production"
   }
@@ -159,15 +156,13 @@ Each system log entry includes:
 
 - `timestamp`: ISO 8601 timestamp of the event (UTC)
 - `log_type`: Either `"audit"` for user activity logs or `"system"` for system logs
-- `action`: The specific action that was performed (e.g., `user_login`, `create_test`, `dbt_data_sync_completed`)
+- `event_name`: The specific action that was performed (e.g., `user_login`, `create_test`, `dbt_data_sync_completed`)
 - `success`: Boolean indicating whether the action completed successfully
-- `user`: User information (only present in audit logs)
-  - `id`: User ID
-  - `email`: User email address
-  - `name`: User display name
+- `user_email`: User email address (only present in audit logs)
+- `user_name`: User display name (only present in audit logs)
 - `env_id`: Environment identifier (empty string for account-level actions)
 - `env_name`: Environment name (empty string for account-level actions)
-- `data`: Additional context-specific information as a JSON object
+- `event_content`: Additional context-specific information as a JSON object
 
 <Frame>
   <div className="dark:bg-white rounded-md p-4">

diff --git a/docs/cloud/integrations/log-streaming/splunk.mdx b/docs/cloud/integrations/log-streaming/splunk.mdx
@@ -81,16 +81,13 @@ Each user activity log entry includes:
 {
   "timestamp": "2024-01-15T14:30:45.123456Z",
   "log_type": "audit",
-  "action": "user_login",
+  "event_name": "user_login",
   "success": true,
-  "user": {
-    "id": "usr_abcdef1234567890",
-    "email": "john.doe@example.com",
-    "name": "John Doe"
-  },
+  "user_email": "john.doe@example.com",
+  "user_name": "John Doe",
   "env_id": "env_7890123456abcdef",
   "env_name": "Production",
-  "data": {
+  "event_content": {
     "additional": "context"
   }
 }
@@ -104,11 +101,11 @@ Each system log entry includes:
 {
   "timestamp": "2024-01-15T14:30:45.123456Z",
   "log_type": "system",
-  "action": "dbt_data_sync_completed",
+  "event_name": "dbt_data_sync_completed",
   "success": true,
   "env_id": "env_7890123456abcdef",
   "env_name": "Production",
-  "data": {
+  "event_content": {
     "environment_id": "env_789",
     "environment_name": "Production"
   }
@@ -119,15 +116,13 @@ Each system log entry includes:
 
 - `timestamp`: ISO 8601 timestamp of the event (UTC)
 - `log_type`: Either `"audit"` for user activity logs or `"system"` for system logs
-- `action`: The specific action that was performed (e.g., `user_login`, `create_test`, `dbt_data_sync_completed`)
+- `event_name`: The specific action that was performed (e.g., `user_login`, `create_test`, `dbt_data_sync_completed`)
 - `success`: Boolean indicating whether the action completed successfully
-- `user`: User information (only present in audit logs)
-  - `id`: User ID
-  - `email`: User email address
-  - `name`: User display name
-- `env_id`: Environment identifier (empty string for account-level actions)
-- `env_name`: Environment name (empty string for account-level actions)
-- `data`: Additional context-specific information as a JSON object
+- `user_email`: User email address
+- `user_name`: User display name
+- `env_id`: Environment identifier (empty for account-level actions)
+- `env_name`: Environment name (empty for account-level actions)
+- `event_content`: Additional context-specific information as a JSON object
 
 <Frame>
   <div className="dark:bg-white rounded-md p-4">
@@ -154,8 +149,8 @@ source="elementary-cloud" log_type="audit"
 source="elementary-cloud" log_type="system"
 
 # Search for specific actions
-source="elementary-cloud" action="user_login"
-source="elementary-cloud" action="dbt_data_sync_completed"
+source="elementary-cloud" event_name="user_login"
+source="elementary-cloud" event_name="dbt_data_sync_completed"
 
 # Filter by environment
 source="elementary-cloud" env_name="Production"
@@ -164,7 +159,7 @@ source="elementary-cloud" env_name="Production"
 source="elementary-cloud" success=false
 
 # Search by user email
-source="elementary-cloud" user.email="john.doe@example.com"
+source="elementary-cloud" user_email="john.doe@example.com"
 ```
 
 ## Disabling Log Streaming