The logs told the truth, but only if you knew how to make OPA speak.

Open Policy Agent (OPA) can enforce rules across APIs, microservices, and infrastructure. When policies fail or produce unexpected results, debug logging is the fastest way to find out why. By default, OPA keeps logs concise. To see detailed evaluations, you must enable debug logging.

Start OPA with the --log-level=debug flag. This unlocks step-by-step traces of policy decisions. If you run OPA as a binary, the command looks like:

opa run --server --log-level=debug

For containerized environments, set the same flag in your docker run or Kubernetes manifest. Example deployment in Kubernetes:

args:
 - "run"
 - "--server"
 - "--log-level=debug"

With debug logging enabled, each request shows input data, matched rules, and evaluation paths. This includes information about partial evaluation, data cache hits, and rule retractions. These details let you isolate logic errors in Rego, confirm data flow, and verify authorization outcomes.

To narrow results, combine debug logging with OPA’s decision logs. Configure them in config.yaml to push structured decision events to a destination such as stdout, S3, or a log management platform. This way you can correlate high-volume audit records with deep debug traces when troubleshooting.
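One way to do that correlation offline, as an added example that is not part of the original post: the script groups JSON log lines by request ID and, for each denied decision, pulls the request input that the debug log recorded. The log lines are constructed, and the field names (req_id, decision_id, req_body, the "Decision Log" message) are assumptions about OPA's JSON console output that you should check against your own logs.

```python
import json
from collections import defaultdict

# Constructed sample: OPA JSON console output with --log-level=debug and
# console decision logs. Field names (req_id, decision_id, msg) are assumed.
SAMPLE_LOG = r"""
{"level":"debug","msg":"Received request.","req_id":1,"req_method":"POST","req_path":"/v1/data/httpapi/authz/allow","req_body":"{\"input\":{\"user\":\"alice\",\"method\":\"GET\"}}"}
{"level":"info","msg":"Decision Log","req_id":1,"decision_id":"d-0001","path":"httpapi/authz/allow","result":true}
{"level":"debug","msg":"Sent response.","req_id":1,"resp_status":200,"resp_duration":0.41}
{"level":"debug","msg":"Received request.","req_id":2,"req_method":"POST","req_path":"/v1/data/httpapi/authz/allow","req_body":"{\"input\":{\"user\":\"bob\",\"method\":\"DELETE\"}}"}
{"level":"info","msg":"Decision Log","req_id":2,"decision_id":"d-0002","path":"httpapi/authz/allow","result":false}
{"level":"debug","msg":"Sent response.","req_id":2,"resp_status":200,"resp_duration":0.38}
{"level":"debug","msg":"Received request.","req_id":3,"req_method":"GET","req_path":"/health"}
plain-text line that is not JSON
"""


def correlate(log_text):
    """Group log records by req_id; split decision events from debug records."""
    by_req = defaultdict(lambda: {"decisions": [], "debug": []})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if not isinstance(rec, dict) or "req_id" not in rec:
            continue
        kind = "decisions" if rec.get("msg") == "Decision Log" else "debug"
        by_req[rec["req_id"]][kind].append(rec)
    return dict(by_req)


def explain_denials(log_text):
    """For each denied decision, return the request input seen in debug logs."""
    report = []
    for req_id, group in sorted(correlate(log_text).items()):
        for decision in group["decisions"]:
            if decision.get("result") is not False:
                continue
            bodies = [json.loads(r["req_body"]) for r in group["debug"] if "req_body" in r]
            report.append({
                "decision_id": decision["decision_id"],
                "req_id": req_id,
                "input": bodies[0].get("input") if bodies else None,
            })
    return report


if __name__ == "__main__":
    for row in explain_denials(SAMPLE_LOG):
        print(row)
```

The report repeats whatever the request body carried, so treat its output with the same care as the debug logs themselves.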

Remember to turn off debug logging in production unless you are actively investigating an issue. Verbose logs can contain sensitive data and may impact performance.

Strong policy enforcement depends on trust in the system’s decisions. Debug logging in Open Policy Agent gives you visibility into that decision-making process without guesswork.

See how fine-grained OPA observability works in practice—spin it up on hoop.dev and watch live debug logs in minutes.