Skip to content

Output masking

Mask rules redact patterns from session logs — passwords echoed during a config push, SNMP communities, keys, and the like — so transcripts are safe to keep and share.

Open the Logs view from the activity rail. It has two tabs:

Each rule is a regular expression, applied at one of two scopes:

  • Global — applied to every session log.
  • Per-config — applied only to logs written by a specific logging config.

Use global rules for universal secrets (e.g. anything that looks like a password prompt echo); use per-config rules when a pattern only makes sense for certain devices.

  • Anchor to context, not just the secret, so you don’t over-redact — e.g. match password 7 \S+ rather than every digit string.
  • Test against a real transcript in the log viewer after enabling a rule.
  • Masking happens as lines are written, so it protects logs from the moment the rule is active — it does not retroactively edit logs captured earlier.