LogFlow

PII Masking

Automatically redact personally identifiable information from log messages at ingestion time.

Enabling PII masking

Go to Settings → General and toggle PII Masking on. It applies to all new logs ingested for that project — existing logs are not modified.

What gets masked

  • [email] — email addresses (e.g. user@example.com)
  • [phone] — US/international phone numbers
  • [card] — 16-digit credit card numbers (with or without dashes/spaces)
  • [ssn] — US Social Security Numbers (XXX-XX-XXXX)
  • [ip] — public IPv4 addresses (private ranges like 10.x, 192.168.x are kept)

Example

text
# Before masking:
User john@example.com paid with card 4111-1111-1111-1111 from 45.33.32.156

# After masking:
User [email] paid with card [card] from [ip]
⚠️
PII masking is applied to the message field and all values in attributes. Attribute keys are not masked.

Limitations

  • Masking is regex-based — unusual formats may not be detected
  • Does not mask structured JSON inside message strings
  • Cannot be applied retroactively to existing logs