diff --git a/app/vmagent/main.go b/app/vmagent/main.go
index 291eea7f17..af1de694d6 100644
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@@ -61,6 +61,7 @@ func main() {
 	flag.CommandLine.SetOutput(os.Stdout)
 	flag.Usage = usage
 	envflag.Parse()
+	remotewrite.InitSecretFlags()
 	buildinfo.Init()
 	logger.Init()
 	cgroup.UpdateGOMAXPROCSToCPUQuota()
diff --git a/app/vmagent/remotewrite/remotewrite.go b/app/vmagent/remotewrite/remotewrite.go
index 9b05b43418..93a146f097 100644
--- a/app/vmagent/remotewrite/remotewrite.go
+++ b/app/vmagent/remotewrite/remotewrite.go
@@ -45,6 +45,14 @@ var allRelabelConfigs atomic.Value
 // since it may lead to high memory usage due to big number of buffers.
 var maxQueues = runtime.GOMAXPROCS(-1) * 4
 
+// InitSecretFlags must be called after flag.Parse and before any logging.
+func InitSecretFlags() {
+	if !*showRemoteWriteURL {
+		// remoteWrite.url can contain authentication codes, so hide it at `/metrics` output.
+		flagutil.RegisterSecretFlag("remoteWrite.url")
+	}
+}
+
 // Init initializes remotewrite.
 //
 // It must be called after flag.Parse().
@@ -60,10 +68,6 @@ func Init() {
 	if *queues <= 0 {
 		*queues = 1
 	}
-	if !*showRemoteWriteURL {
-		// remoteWrite.url can contain authentication codes, so hide it at `/metrics` output.
-		flagutil.RegisterSecretFlag("remoteWrite.url")
-	}
 	initLabelsGlobal()
 	rcs, err := loadRelabelConfigs()
 	if err != nil {
diff --git a/lib/logger/flag.go b/lib/logger/flag.go
index 43fcdcc4a9..5a9d09774d 100644
--- a/lib/logger/flag.go
+++ b/lib/logger/flag.go
@@ -15,7 +15,6 @@ func logAllFlags() {
 		lname := strings.ToLower(f.Name)
 		value := f.Value.String()
 		if flagutil.IsSecretFlag(lname) {
-			// Do not expose passwords and keys to prometheus.
 			value = "secret"
 		}
 		Infof("flag %q = %q", f.Name, value)