Comment by michaelt

Well, there should only be a few people with the access needed to discover logging is happening. Just put the logging configuration in whatever secure configuration management tool is storing your TLS keys and suchlike.

Make it look like an accidental misconfiguration and if an insider who isn't an NSA mole does somehow discover the logging, there's a fair chance they'll turn a blind eye anyway. After all, if you work at a VPN, publicly outing your employer for logging will tank the business, then you and your colleagues will all be out of a job.