Skip to main content
The agent proxy logs one entry for every request it handles, in its normal log stream alongside its operational logs — nothing separate to enable. You ship that stream yourself (Infisical never stores it): point a collector like Fluent Bit or the OpenTelemetry Collector at it to forward to Splunk, Datadog, Elastic, or anywhere.
Only requests that reach the forwarding stage are logged. Requests rejected earlier (malformed proxy auth, an invalid CONNECT target, TLS failures) never reach it and aren’t logged. A request whose identity can’t be resolved at forwarding is still logged as an error, just with an empty agent.

What’s in a record

Each request is logged with these fields (plus the standard time, level, and message):
A record never contains a real secret. The proxy logs the request as the agent sent it, before the real value is swapped in, so path only ever shows the placeholder. The credentials list records secret names and where they were applied, never values, and header values and request bodies are never logged.

Log levels

Each decision is logged at a level, so --log-level controls how much you see: the default info hides passthrough, debug shows everything, warn shows only blocked and errors.

Output format and destination

--log-format sets the shape: console (the default — human-readable, colorized in a terminal and plain when redirected or in a container) or json for machines and SIEMs. Logs go to stderr (capture with 2> or 2>&1). --log-file also writes json to a file, so you can watch the console and persist machine-readable logs at once.

Common setups

For rotation, containers let the platform rotate the stream; for --log-file, use logrotate with copytruncate (or restart the proxy).

Next steps

agent-proxy CLI reference

Every flag for start and connect, including the logging options.

Audit Logs

Configuration changes to your proxied services are recorded in Infisical’s own audit trail.