Every autonomous agent you deploy makes dozens of micro-decisions per task — which tool to call, how to interpret a result, whether to retry or escalate. Without structured observability, those decisions happen inside a black box. When something goes wrong (and it will), you're left guessing.
AI agent observability isn't a luxury for enterprise teams with dedicated platform engineers. It's a baseline practice for any team running agents in production. The good news: a small team can build genuinely useful logging, tracing, and audit infrastructure in a weekend using nothing more than structured files, a correlation ID convention, and a weekly review habit.
This guide walks you through exactly what to capture, how to structure it, where to store it, and how to turn raw logs into actionable debugging sessions — without buying an observability platform you'll never configure.
Why AI Agent Observability Differs from Traditional App Monitoring
Traditional application observability (think Datadog, Grafana, or even plain journald) assumes deterministic code: same input → same output, predictable call graphs, well-defined error codes. LLM-powered agents break every one of those assumptions.
Non-determinism. The same prompt can produce different completions across runs. A failure on Tuesday might not reproduce on Wednesday. You need to log the *exact* input and output, not just "an error occurred."
Tool-calling chains. Modern agents don't just generate text — they read files, query databases, call APIs, browse websites. A single task might involve 8–15 tool invocations across multiple model turns. Traditional request/response logging captures the outer wrapper but misses the internal execution tree entirely.
Cost is opaque. Every token has a price. A single agent run that loops unexpectedly can burn $2–$5 before anyone notices. Observability for agents must include cost tracking at the task level, not just at the monthly billing summary.
Semantic failures. An agent can return a technically valid response — no error code, no exception — that's factually wrong or tone-deaf. Detecting this requires logging the full output and reviewing it periodically, which is a workflow traditional monitoring never had to solve.
Correlation ID — A unique identifier (typically a UUID) generated at the start of an agent task and propagated into every sub-request, tool call, and retry. It lets you reconstruct the full execution tree from scattered log entries, even in distributed or multi-agent systems.
What to Log: A Practical Schema for Every Agent Run
Don't over-engineer your first iteration. Start with a single JSON-lines file (one JSON object per line) per agent per day. Every log entry should contain these fields:
Required fields for every event
{
"ts": "2026-07-09T14:23:01.337Z",
"correlation_id": "a1b2c3d4-...",
"agent": "researcher",
"event": "model_call | tool_call | tool_result | error | task_complete",
"status": "ok | error | timeout | retry",
"input_summary": "first 200 chars of prompt or tool input",
"output_summary": "first 200 chars of response or tool output",
"model": "claude-sonnet-4-20250514",
"tokens_in": 1240,
"tokens_out": 830,
"cost_usd": 0.0041,
"latency_ms": 2340,
"tool_name": "web_search | null",
"error_detail": "timeout after 30s | null"
}
Why these specific fields
correlation_idis the spine of your trace. Generate it once at task start; pass it into every child call. Without it, reconstructing a multi-step run is impossible.input_summaryandoutput_summarygive you enough context for triage without storing full payloads (which can be enormous). Store full payloads separately if you need replay capability — but summaries are what you'll scan daily.cost_usdshould be computed in real time using the provider's published per-token pricing. Even a rough estimate is better than blind spending.error_detailon success events should benull. On failures, capture the provider's error message *and* your internal classification (e.g.,context_length_exceeded,tool_timeout,safety_filter).
What NOT to log in the main stream
- Full conversation history on every event (redundant; log it once per
task_completeevent). - Embedding vectors (they're large and rarely useful for debugging).
- PII from end users without a separate redaction step.
Tracing Multi-Step Agent Execution
A single "write a blog post" task might involve: planning → outline generation → web research (3–5 tool calls) → drafting → self-review → revision → formatting. That's 10–20 model turns and 5–10 tool calls.
To trace this meaningfully, adopt a span model inspired by distributed tracing (OpenTelemetry, Jaeger):
Task: a1b2c3d4
├── Span 1: plan_outline [model_call, 1.2s, $0.003]
├── Span 2: web_research
│ ├── Span 2.1: search("topic") [tool_call, 0.8s]
│ ├── Span 2.2: fetch(url_1) [tool_call, 1.1s]
│ ├── Span 2.3: fetch(url_2) [tool_call, 0.9s]
│ └── Span 2.4: summarise [model_call, 2.3s, $0.005]
├── Span 3: draft_sections [model_call, 4.1s, $0.012]
├── Span 4: self_review [model_call, 1.8s, $0.004]
└── Span 5: format_output [model_call, 0.6s, $0.001]
Each span is a log entry with two additional fields: span_id and parent_span_id. This lets you reconstruct the tree from a flat log file using a simple script — no distributed tracing infrastructure required.
Concrete implementation tip: When your agent code calls a tool, generate a new span_id, set parent_span_id to the current span, and log the tool_call event. When the tool returns, log a tool_result event with the same span_id. This two-event pattern gives you latency *and* the tool's output in your trace.
Reviewing Failures: The Weekly Audit Workflow
Logging is worthless without review. Here's a lightweight process that takes 30–60 minutes per week and catches the vast majority of problems:
Step 1: Filter for errors (10 minutes)
Query your logs for all events where status is error, timeout, or retry. Group by correlation_id so you see complete failed tasks, not individual broken events. For each failed task:
1. Read the error_detail field to classify the failure (provider error, tool timeout, content filter, context overflow). 2. Check the input_summary of the failing span to see what the agent was trying to do. 3. Decide: is this a systemic issue (reproducible, needs code fix) or a stochastic issue (one-off, just log and move on)?
Step 2: Scan cost outliers (10 minutes)
Sort all task_complete events by cost_usd descending. Any task that costs 5× your median task cost is a candidate for investigation. Common causes:
- Retry loops. The agent kept failing a tool call and retrying without backoff.
- Context window bloat. Accumulated conversation history pushed token counts to the maximum on every turn.
- Stuck planning. The agent kept generating plans without acting — a common failure mode in autonomous workflows.
Step 3: Sample quality (20 minutes)
Pull 3–5 random task_complete events. Read the output_summary (or full output if stored). Ask:
- Is the output factually correct?
- Is it in the right tone and format?
- Did the agent follow the instructions, or did it go off-script?
This step catches "technically successful but semantically wrong" outputs that error codes will never flag. It's the most time-consuming part of the review — and the most valuable.
Step 4: Update your prompt templates
Every failure classification should feed back into your agent's system prompt or tool configuration. If you see three tool_timeout errors from the same external API, either increase the timeout, add a fallback, or tell the agent to handle the failure gracefully. Observability without iteration is just hoarding data.
Audit Trails: Compliance, Accountability, and Evidence
For regulated industries — healthcare, finance, legal — audit trails aren't optional. Even outside regulation, audit trails protect you when a client asks "why did the AI do that?"
A minimal AI agent audit trail needs:
| Requirement | What to capture | Retention |
|---|---|---|
| Who triggered it | User ID or API key that initiated the task | Duration of contract + 1 year |
| What it was asked to do | Full prompt (system + user), redacted for PII if needed | Same |
| What it did | All tool calls with full inputs and outputs | Same |
| What it produced | Final output, stored as a separate artifact | Same |
| What model was used | Model name, provider, temperature, and other generation params | Same |
| Cost and tokens | Per-task token counts and computed cost | Same |
Keeping audit evidence under your control. When agents run on a third-party SaaS platform, your logs and execution traces live on *their* infrastructure — subject to their retention policies, their access controls, and their subpoena exposure. With a self-hosted setup (for example, a self-hosted AI team running in Docker on your own VPS), every log line stays on your disk. You set retention. You control access. You decide when to delete. For small teams in regulated industries — or any team that simply doesn't want their agent's internal reasoning sitting on someone else's server — this is the single biggest architectural decision you can make for audit compliance.
Get OfficeForge — $199Tooling: What You Actually Need (and What You Don't)
You don't need Datadog. You don't even need Langfuse on day one. Here's a tiered approach:
Tier 0: Structured JSON files + grep (day one)
- Log to
/var/log/agents/{agent_name}/{date}.jsonl - Review with
jq:jq 'select(.status == "error")' researcher/2026-07-09.jsonl - Aggregate weekly cost:
jq -s 'map(.cost_usd) | add' researcher/2026-07-*.jsonl
This is enough for a team of 1–3 people running fewer than 50 tasks per day.
Tier 1: SQLite or DuckDB + a simple dashboard (week two)
- Ingest JSONL into a local database with a nightly cron job
- Build SQL queries for your weekly review (top errors, cost outliers, latency percentiles)
- Serve a basic HTML dashboard with a lightweight framework (Streamlit, Evidence, or even a static site generated from queries)
Tier 2: Open-source observability (month two+)
- Langfuse — purpose-built for LLM observability; traces, cost tracking, prompt versioning; self-hostable.
- Phoenix (Arize) — focused on evaluation and embedding analysis; useful if you care about output quality metrics.
- Helicone — proxy-based logging; sits between your code and the LLM provider; easy drop-in.
The key principle: start with files, graduate to tooling when the pain of manual review exceeds the effort of setup. Don't let tooling selection block you from logging today.
Common Pitfalls and How to Avoid Them
Logging only errors. If you only capture failures, you can't compute cost baselines, latency percentiles, or quality trends. Log every event; filter at query time.
Storing full payloads in the main log. A single model response can be 50 KB. Over a week, that balloons quickly. Store summaries in the main log, full payloads in a separate object store or file with a reference ID.
No propagation of correlation IDs into tool calls. This is the #1 reason teams can't trace multi-step runs. Every tool call wrapper must accept and forward the correlation ID. If you're using an agent framework, check whether it does this automatically — many don't.
Ignoring cost until the bill arrives. Compute cost per event, in real time. Even a ±20% estimate is infinitely more useful than a monthly surprise.
Reviewing logs but not changing anything. Observability without action is just surveillance. Every review cycle should produce at least one concrete change: a prompt update, a timeout adjustment, a retry policy change, or a decision to accept a known behaviour as-is.
A Checklist You Can Implement This Week
1. Add a correlation ID to every task initiation (UUID v4). 2. Wrap every model call to log ts, correlation_id, model, tokens_in, tokens_out, latency_ms, cost_usd, status. 3. Wrap every tool call to log tool_name, input_summary, output_summary, latency_ms, error_detail. 4. Log a task_complete event at the end of every run with total cost, total tokens, final status, and output summary. 5. Write logs as JSONL to a date-partitioned directory. 6. Schedule a 30-minute weekly review on your calendar. Use the four-step workflow above. 7. After one month, evaluate whether manual review is painful enough to justify setting up Langfuse or a database-backed dashboard.
The barrier to AI agent observability isn't tooling or budget — it's habit. Start logging today, even imperfectly. You can refine the schema next week. What you can't do is reconstruct last Tuesday's agent decision chain from a cloud provider's billing summary.
Teams that self-host their agents — whether through a platform like OfficeForge or a custom stack — have a natural advantage here: the logs are already on their infrastructure, the execution context is local, and there's no vendor-controlled abstraction layer between the team and the evidence. Whatever approach you take, make observability a first-class concern from day one, not an afterthought triggered by the first mysterious $200 bill.
FAQ
What is AI agent observability?
AI agent observability is the practice of capturing structured logs, execution traces, and decision records from autonomous AI agents so teams can debug failures, audit behaviour, and prove compliance — similar to traditional application observability but adapted for non-deterministic LLM workflows.
What should I log from every agent run?
At minimum: the prompt (system + user), the raw model response, tool calls with inputs and outputs, token usage, latency, cost, and any retry or error events. Structured JSON with timestamps and correlation IDs is the baseline format.
How do I trace multi-step agent chains?
Assign a correlation ID at the start of a task and propagate it through every sub-call, tool invocation, and retry. Use span-style nesting so you can reconstruct the full execution tree and identify exactly which step failed or drifted.
Why does self-hosting matter for AI audit trails?
When agents run on your own infrastructure, logs never transit a third-party SaaS vendor's servers. You control retention, access, and deletion policies — critical for regulated industries (legal, healthcare, finance) and for maintaining attorney-client or patient privilege.
How do I review agent failures efficiently?
Build a lightweight dashboard or use a log viewer that filters by status code, cost anomalies, and token spikes. Start every review session by scanning errors, then cost outliers, then semantic quality samples — never attempt to read every log line.
Can I do AI agent observability without expensive tooling?
Yes. A structured JSON log file per run, a weekly grep-and-review script, and a simple SQLite or DuckDB table for aggregation cover 90 % of a small team's needs. Open-source tools like Langfuse or Phoenix add dashboards on top of that foundation.
