Log exporting is in the beta phase of development and may not be available on your enrollment. Functionality may change during active development. Contact Palantir Support for more information.
Applications across Foundry emit logs that provide visibility into their operation, including transform runs, build failures, and other system events.
Foundry logs contain information about:
Additionally, any user-added logs written in Code Repositories will also be emitted.
These logs can be exported to a Foundry streaming dataset for real-time monitoring and analysis. This feature is only available to Organization Administrators, who can configure a destination where logs from Foundry applications will flow into a Foundry streaming dataset.
Along with log export management, Ontology and AIP in platform log access is managed by Organization Administrators and Information Security Officers.
To start managing the log observability settings for your organization:
Log observability settings and select the relevant page in the search results.
Foundry logs can be exported, per-organization, directly into a Foundry streaming dataset.
After defining an export configuration, log entries will be continuously written to the streaming dataset from the time the configuration is created. You can process and analyze the data in real-time using Foundry's extensive suite of data transformation and visualization tools or export the logs to external monitoring systems.
To export Foundry logs, a user must be an Organization Administrator. This role provides the necessary permissions to configure log exporting destinations for the organization. See organization permissions for more details about organization-level permissions.
Log data might contain sensitive information. We recommend applying security markings to the output streaming dataset to control access to this data. You can apply markings directly during export creation or add them to the dataset afterward.
Foundry logs can be exported from resources belonging to a set of projects, or from all resources in the organization. Some limitations apply when defining an export configuration:
We recommend exporting logs from resources in specific projects rather than all organizational resources. This will simplify access control for the resulting dataset.
Follow the steps below to define an export configuration:






Note that when first configuring a log export, it may take up to five minutes for logs to begin streaming into the dataset at the export location.
To disable log exporting, delete any listed log storage configurations by selecting the trash icon on the right side of the configuration. The resulting dataset will continue to exist, but no new logs will be exported to it. Additionally, if the streaming dataset is in the trash or permanently deleted, logs will stop being exported.
Log storage datasets can contain high volumes of streaming data, so we recommend filtering the dataset appropriately before performing analysis. Consider time-based filtering to focus on relevant log entries for your monitoring and troubleshooting needs.
Foundry provides many powerful tools for performing log analysis, such as Transforms and Pipeline Builder.
Foundry application logs are structured logs that follow a consistent schema, making them suitable for programmatic analysis and monitoring.
Specifically, Foundry logs contain information about various application events, including transform executions, build processes, system errors, and other operational activities. The log structure varies depending on the type of application or service that generates the log entry.
Application-specific information is captured within structured fields that provide context about the operation being performed, including execution details, error information, and performance metrics.
Foundry provides two schema types:

Foundry application logs are generated by various services and applications within the platform. When logs are streamed to the configured dataset, they are filtered to include only logs relevant to the organization that configured the log storage configuration.
Log exports configured for a given organization will receive logs from applications and services used by that organization. This includes transform executions, builds, and other activities performed within the organization's context.
The RID of the resource that generated the log is included in the log entry and can be used to trace the log back to the resource.
Foundry logs are not audit logs. There is no guarantee of 100% reliable log delivery.
Log contents produced by Foundry are subject to change without notice.
Ontology and AIP in platform log access is managed at the project level. The log access controls for in platform viewing are distinct from the permissions configured for the export streaming dataset. These controls pertain specifically to functions, actions, automation workflows, and language models called from enabled projects.
Service and trace logs can contain sensitive content from any data source a workflow reaches, including language model prompts and completions, object property values, and user-supplied inputs. The platform does not propagate markings from the source executor's resource or from any data the execution accessed; only the markings you select when enabling log access are enforced on viewers. Select markings that reflect the maximum sensitivity of any data the workflow may touch, and review the resulting access scope before enabling.
You can configure in-platform log access from Control Panel or directly from a resource node in Workflow Lineage.
A user must have the following to view logs (with 30-day retention) they did not invoke:
Specifically, the Edit permission requirement corresponds to the foundry-telemetry-service:view-execution-history operation, which the Editor role grants by default. You can grant this operation through a different role using custom roles.
Independent of the log access status managed by the administrator, users are able to see logs of executions they ran within the past 24 hours. This exception does not apply on CBAC stacks.
For the authoritative list of viewing requirements and the roles they map to, see Log permissions.
To manage the in platform log access controls by project:





In addition to the Control Panel flow, an administrator can review and adjust a resource's log access from the Log access overview dialog in Workflow Lineage. Open the dialog as described in Log permissions, then select Edit on the Log access policy requirement to open the configuration step.
We recommend project-level log access. Select Configure in Control Panel to enable it using the Control Panel flow.
The configuration step shows a table summarizing where log access is resolved for the resource:
| Column | Meaning |
|---|---|
| Current project | The project that currently contains the resource. Shows Enabled or Not configured. |
| Attributed project | The project the resource is attributed to for log access — the project the resource first emitted telemetry under. Shown only when it differs from the current project. Shows Enabled or Not configured. |
| Resource override | A resource-level override, shown when one is active or when a project has log access disabled. Shows Enabled, Disabled, or Not configured. |

A source executor is attributed to a project for log access purposes. By default, the attributed project is the project where the source executor was located when it first wrote a log. If a resource is moved after writing its first log, the current project and the attributed project differ, and log access is enforced against both.
When the two projects differ, an administrator can re-point attribution to the current project: hover over the previous project's status tag and select Clear and inherit.

You can manage an action at the project level only after migrating it to Ontology project-based permissions. Actions still managed by legacy Ontology permissions must first be migrated to project-based permissions. Once an action is migrated, an administrator updates its project attribution by clearing the legacy Ontology resource identifier.
For an action on legacy Ontology permissions, the configuration step offers two paths: migrate the action to a project (recommended), or configure a resource override. The action's Ontology resource identifier appears in place of the project; administrators cannot enable it and have no access to it through Foundry's project and file system.
Until the action is migrated, you can enable log access by activating a resource override and applying the Required markings that viewers must hold to read the resource's logs. The markings are applied to the logs on top of any markings already present on the resource and project log settings.
Logs may include sensitive information from accessed objects or data. Security markings present on this data are not automatically propagated to the logs and must be manually applied.

Disabled resource overrides are deprecated. If the table shows a disabled override, remove it and rely on the project-level policy; the dialog blocks Next until you do.
After configuring the policy, select Next to continue to the acknowledgment step.
Before changes take effect, you must select an acknowledgment checkbox confirming the security trade-off. When enabling an override, you confirm that sensitive object data may be logged and that you applied the correct markings. When clearing an override, you confirm that the resource reverts to project-level log visibility. After selecting the checkbox, choose Apply Changes to save.

Users with the Information security officer or Enrollment administrator role can delete logs at any time. From the Run history or Log search panel in Workflow Lineage, select Edit permissions > Delete log history > Delete logs.
Log history deletion is irreversible and will permanently delete all logs for executions originating from this resource.
