The Log Redaction Discipline
Logs leak secrets. The redaction layer, the test suite, and the policy that prevents 'we logged a credit card' incidents.
The redaction layer
Log redaction discipline is the practice of removing sensitive data from logs before storage. PII, credentials, and customer data should not appear in logs in clear form; the redaction layer enforces this. Without the discipline, logs become a privacy and security liability.
What the redaction layer looks like:
- Wrap the logger: The logging library is wrapped by a redaction-aware version. Every log call goes through the wrapper; the wrapper applies redaction before the data reaches the backend.
- Every log call passes through redaction: No log call bypasses redaction. The wrapper is the single path, so consistency is enforced.
- Before the bytes hit disk: Redaction happens before storage. The redacted version is what is written; the original sensitive data never exists in storage.
- Pluggable rules: Different patterns are redacted by different rules: email addresses, SSNs, credit card numbers, OAuth tokens, API keys, customer-specific data. The rule set is extensible.
- PII patterns, credentials, customer data: The categories are well known. Each has its own rule; the rule's regex catches the pattern, and the redaction replaces each match with a placeholder.
The layer is the foundation. Without it, redaction is per-call discipline that fails when forgotten.
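As an added illustration, not code from this page or from any product it mentions, here is a minimal version of the layer in Python: pluggable regex rules, an optional validator that rejects look-alikes (a Luhn check on card-number candidates, so a 16-digit order id passes through), a `logging.Filter` that redacts the rendered message before the handler writes it, and a `build_logger` wrapper that makes the filtered handler the only path. The names (`Rule`, `Redactor`, `RedactingFilter`, `build_logger`, `demo`), the placeholders, and the sample log lines are all assumptions of the example.

```python
import io
import logging
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Illustrative redaction layer with hypothetical names; not any product's code.

@dataclass(frozen=True)
class Rule:
    """One pluggable rule: a pattern, a placeholder, and an optional validator
    that rejects look-alikes so the rule does not over-redact."""
    name: str
    pattern: "re.Pattern"
    placeholder: str
    validate: Optional[Callable[[str], bool]] = None

    def apply(self, text: str) -> str:
        def repl(match):
            found = match.group(0)
            if self.validate is not None and not self.validate(found):
                return found  # looks like the pattern but fails validation: keep it
            return self.placeholder
        return self.pattern.sub(repl, text)

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# The rule set is a plain list, so new categories can be plugged in at runtime.
DEFAULT_RULES: List[Rule] = [
    Rule("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED_EMAIL]"),
    Rule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED_SSN]"),
    Rule("card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "[REDACTED_CARD]", luhn_ok),
    Rule("bearer", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*"), "Bearer [REDACTED_TOKEN]"),
]

class Redactor:
    def __init__(self, rules: Optional[List[Rule]] = None):
        self.rules = list(DEFAULT_RULES if rules is None else rules)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def redact(self, text: str) -> str:
        for rule in self.rules:
            text = rule.apply(text)
        return text

class RedactingFilter(logging.Filter):
    """Attached to the handler, so the redacted text is what the backend writes."""

    def __init__(self, redactor: Redactor):
        super().__init__()
        self.redactor = redactor

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-args first, redact the rendered message, then drop the raw
        # args so the formatter cannot re-insert the original values.
        record.msg = self.redactor.redact(record.getMessage())
        record.args = ()
        return True

def build_logger(name: str, stream, redactor: Optional[Redactor] = None) -> logging.Logger:
    """The single path: a logger whose only handler redacts before writing."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False  # otherwise the root logger could emit an unredacted copy
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter(redactor or Redactor()))
    logger.addHandler(handler)
    return logger

def demo() -> str:
    """Push constructed log lines through the wrapper; return what reached the stream."""
    buf = io.StringIO()
    log = build_logger("app.redacted", buf)
    log.info("login ok for %s from %s", "alice@example.com", "10.0.0.7")
    log.info("charge card 4111 1111 1111 1111 ssn 123-45-6789")
    log.info("order 1234 5678 9012 3456 shipped")  # 16 digits but fails Luhn: left alone
    log.info("Authorization: Bearer abc.DEF-123_xyz")
    return buf.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

The filter sits on the handler rather than the logger because logger-level filters do not apply to records propagated from child loggers; with `propagate = False` and a single filtered handler, there is no second path to the backend. Two things this sketch does not cover and a real layer must: exception tracebacks (`record.exc_info`) and structured `extra` fields, both of which reach the handler without passing through `getMessage()`.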
Test the redactor
The redactor is critical infrastructure; bugs in it produce real privacy violations. Testing the redactor is the discipline that catches bugs before production.
- Unit tests with sample inputs: The redactor has unit tests. Sample inputs (containing the patterns to redact) are passed through; the output is verified to have the patterns redacted.
- Each rule has a positive test (caught): The positive test confirms the rule catches what it should. An email address in the input produces a redacted output; the rule is working.
- And a negative test (not over-redacted): The negative test confirms the rule does not over-redact. Text that looks similar but is not actually sensitive should pass through unchanged; the rule's specificity is verified.
- Periodic prod scan: A scheduled job samples logs from production and scans for unredacted PII. Any matches indicate redactor bugs; remediation is immediate.
- Sample logs; check for unredacted PII: The scan is statistical. Sampling is sufficient for detection; full scans are expensive and unnecessary.
- Anything found is a bug: Unredacted PII in production logs is a bug to fix immediately. The investigation determines what the redactor missed; the rule is updated.
Testing is what makes the redactor trustworthy. Without testing, the team's privacy posture relies on hope.
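An added example of the scheduled scan, again in Python and not code from this page or any product: it samples from a set of constructed log lines and scans them for unredacted PII. The detection patterns are deliberately broader than a redactor's own rules (the SSN pattern here also accepts a space separator) so the scan catches a variant a rule missed, and each finding masks the match in its preview so the scan report does not copy the leaked value into a second log. `SCAN_PATTERNS`, `Finding`, `scan_lines`, `sample_and_scan`, `summarize`, and the sample lines are all assumptions of the example.

```python
import random
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Hypothetical prod-scan job; not any product's code. Patterns are detection-only:
# broader than a redactor's rules is fine here, because every hit is triaged by a human.
SCAN_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b"),  # hyphen OR space separated
    "bearer": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*"),
}

# Constructed sample of what the scan would pull from production: four lines are
# clean (placeholders already in place), two show what a redactor bug looks like.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO login ok for [REDACTED_EMAIL] from 10.0.0.7",
    "2024-05-01T10:00:01Z INFO charge card [REDACTED_CARD]",
    "2024-05-01T10:00:02Z WARN retry 3/5 for job 42",
    "2024-05-01T10:00:03Z INFO kyc check ssn 123 45 6789 status=ok",  # hyphen-only rule missed this
    "2024-05-01T10:00:04Z INFO export requested by bob@example.org",   # a call path bypassed the wrapper
    "2024-05-01T10:00:05Z DEBUG Authorization: Bearer [REDACTED_TOKEN]",
]

@dataclass(frozen=True)
class Finding:
    line_no: int   # index of the line in the scanned set
    rule: str      # which category leaked
    preview: str   # the line with the match masked: the report itself must not re-leak

def scan_lines(lines: Sequence[str]) -> List[Finding]:
    """Scan every line; one Finding per (line, category) hit, with the match masked."""
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        for name, pattern in SCAN_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(i, name, pattern.sub(f"<{name}>", line)))
    return findings

def sample_and_scan(lines: Sequence[str], sample_size: int, seed: int = 0) -> List[Finding]:
    """Statistical scan: pick a random subset, report findings by original line index."""
    rng = random.Random(seed)  # seeded so a rerun reproduces the same sample
    chosen = sorted(rng.sample(range(len(lines)), min(sample_size, len(lines))))
    out: List[Finding] = []
    for i in chosen:
        for f in scan_lines([lines[i]]):
            out.append(Finding(i, f.rule, f.preview))
    return out

def summarize(findings: Sequence[Finding]) -> Dict[str, int]:
    """Per-category counts: the starting point for 'what did the redactor miss'."""
    return dict(Counter(f.rule for f in findings))

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule}: {f.preview}")
    print(summarize(scan_lines(SAMPLE_LOGS)))
```

Each hit maps back to a rule to fix: the space-separated SSN says the redactor's SSN pattern is too narrow, while the clear-text email in a line that should have gone through the wrapper says some code path is writing logs outside the single path. Both are bugs in the sense the page means, and the per-category summary is what the investigation starts from.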
Policy
What to redact is a policy decision. Some categories are non-negotiable; some depend on classification; the policy is documented and visible to engineers.
- What to redact is policy: The redaction rules implement policy decisions. The policy is owned (privacy team, security team); the rules implement what the policy specifies.
- PII is non-negotiable: Personally identifiable information is always redacted. Email addresses, SSNs, names, phone numbers all get redacted. The policy is universal.
- Customer data depends on data classification: Some customer data is sensitive enough to redact; some is acceptable to log. The data classification system determines which; the redaction rules implement the classification.
- Document the policy: The redaction policy is documented. The documentation lists what gets redacted, what does not, and why. Engineers reference the policy when designing logging.
- Make it visible: The policy is part of engineering onboarding. New engineers learn it; existing engineers reference it; the team's culture includes redaction awareness.
- Engineers should know the rules without asking: The discipline is internalized. Engineers do not ship logs that include obvious PII; they design logging to be redaction-friendly; the redactor is the safety net, not the primary line of defense.
Log redaction discipline is one of those privacy and security practices that pays off across the team's lifetime. Nova AI Ops integrates with logging platforms, supports redaction patterns, and produces the audit-ready visibility that compliance discussions reference.