Only requests that reach the forwarding stage are logged. Requests rejected earlier (malformed proxy auth, an invalid
CONNECT target, TLS failures) never reach it and aren’t logged. A request whose identity can’t be resolved at forwarding is still logged as an error, just with an empty agent.What’s in a record
Each request is logged with these fields (plus the standardtime, level, and message):
Log levels
Each decision is logged at a level, so--log-level controls how much you see: the default info hides passthrough, debug shows everything, warn shows only blocked and errors.
Output format and destination
--log-format sets the shape: console (the default — human-readable, colorized in a terminal and plain when redirected or in a container) or json for machines and SIEMs. Logs go to stderr (capture with 2> or 2>&1). --log-file also writes json to a file, so you can watch the console and persist machine-readable logs at once.
- console (human)
- json (machine)
- dynamic secret
Common setups
--log-file, use logrotate with copytruncate (or restart the proxy).
Next steps
agent-proxy CLI reference
Every flag for
start and connect, including the logging options.Audit Logs
Configuration changes to your proxied services are recorded in Infisical’s own audit trail.