docs/documentation/platform/agent-proxy/activity-logs.mdx
The agent proxy logs one entry for every request it handles, in its normal log stream alongside its operational logs — nothing separate to enable. You ship that stream yourself (Infisical never stores it): point a collector like Fluent Bit or the OpenTelemetry Collector at it to forward to Splunk, Datadog, Elastic, or anywhere.
<Note> Only requests that reach the forwarding stage are logged. Requests rejected earlier (malformed proxy auth, an invalid `CONNECT` target, TLS failures) never reach it and aren't logged. A request whose identity can't be resolved at forwarding is still logged as an `error`, just with an empty agent. </Note>Each request is logged with these fields (plus the standard time, level, and message):
| Field | Meaning |
|---|---|
event | Always agent-proxy.request, so activity is easy to filter from other logs |
decision | brokered, passthrough, blocked, or error |
agentId / agentName | The agent that made the request, read from its access token |
projectId / environment / secretPath | The folder the request was scoped to |
serviceName / serviceId | The matched proxied service (omitted when none matched) |
method / host / port / path | The request line, before substitution (so path shows the placeholder) |
status | Upstream status on brokered / passthrough; 403 on blocked; 502 on error |
credentials | What was injected: each entry's secret key (or, for a dynamic secret, its name and output field), and the header or surfaces it landed in |
Each decision is logged at a level, so --log-level controls how much you see: the default info hides passthrough, debug shows everything, warn shows only blocked and errors.
| decision | level |
|---|---|
passthrough | debug |
brokered | info |
blocked | warn |
error | error |
| Flag | Values | Default |
|---|---|---|
--log-format | console | json | console |
--log-file | file path | none |
--log-format sets the shape: console (the default — human-readable, colorized in a terminal and plain when redirected or in a container) or json for machines and SIEMs. Logs go to stderr (capture with 2> or 2>&1). --log-file also writes json to a file, so you can watch the console and persist machine-readable logs at once.
# Watch live, readable (default)
infisical secrets agent-proxy start
# Watch the console and also persist json (e.g. for a SIEM)
infisical secrets agent-proxy start --log-file /var/log/infisical/agent-proxy.log
# Container: json on stderr for your platform to collect
infisical secrets agent-proxy start --log-format json
For rotation, containers let the platform rotate the stream; for --log-file, use logrotate with copytruncate (or restart the proxy).