Sign in Subscribe
Concepts

Masking PII in Production Logs with Shell Scripting

Andrios Robert

1 min read

Personal Identifiable Information (PII) in production logs is a liability. It brings compliance risks, security gaps, and exposes trust to a single crash dump. The fix is not complex: detect and mask PII before it ever leaves your application. For teams running Linux or Unix systems, shell scripting makes this fast and repeatable.

Why mask PII in production logs
Logs often capture raw data from APIs, databases, and form submissions. Names, phone numbers, credit card details — all of these can end up written plainly. Regulations like GDPR and CCPA require you to protect that data. The simplest enforcement method is to scrub logs automatically, at the system level, before they are stored, shipped, or analyzed.

Shell scripting approach
Shell scripts run quickly and can process large log files without loading them into memory-heavy tools. Combined with standard utilities like grep, awk, and sed, they give you precise control over what patterns to detect and how to replace them. Use regex to target PII patterns:

#!/bin/bash
LOG_FILE="/var/log/app.log"
MASKED_FILE="/var/log/app_masked.log"

sed -E \
 -e 's/[0-9]{16}/[MASKED_CC]/g' \
 -e 's/[0-9]{3}-[0-9]{2}-[0-9]{4}/[MASKED_SSN]/g' \
 -e 's/[A-Za-z]+@[A-Za-z]+\.[A-Za-z]+/[MASKED_EMAIL]/g' \
 "$LOG_FILE"> "$MASKED_FILE"

This script masks credit card numbers, Social Security numbers, and email addresses. You can expand patterns to include postal codes or phone numbers. Run it as a cron job to ensure logs are sanitized continuously.

Performance and safety
Keep masking scripts lightweight to avoid slowing log ingestion. Test your regex patterns on sample logs before adding them to production. Store masked logs in a separate location so you can monitor output without risking exposure. Avoid over-masking; make sure essential operational data remains intact.

Integrate masking into the pipeline
Place your masking step directly after log generation, before compression or forwarding to a centralized system. If you use tools like syslog or fluentd, configure them to run the script inline. This keeps PII out of external systems entirely. Auditors will see masked data, not raw identifiers.

Masking PII in production logs with shell scripting is a straightforward defense against data leaks. It is fast to build, easy to maintain, and pays off the moment an incident occurs.

Run full PII masking without touching your core app code. See it live in minutes at hoop.dev.