Output masking
Mask rules redact patterns from session logs — passwords echoed during a config push, SNMP communities, keys, and the like — so transcripts are safe to keep and share.
Where masking lives
Section titled “Where masking lives”Open the Logs view from the activity rail. It has two tabs:
- Configs — your session-logging setups.
- Masking — your mask rules.
Rule scope
Section titled “Rule scope”Each rule is a regular expression, applied at one of two scopes:
- Global — applied to every session log.
- Per-config — applied only to logs written by a specific logging config.
Use global rules for universal secrets (e.g. anything that looks like a password prompt echo); use per-config rules when a pattern only makes sense for certain devices.
Tips for writing rules
Section titled “Tips for writing rules”- Anchor to context, not just the secret, so you don’t over-redact — e.g. match
password 7 \S+rather than every digit string. - Test against a real transcript in the log viewer after enabling a rule.
- Masking happens as lines are written, so it protects logs from the moment the rule is active — it does not retroactively edit logs captured earlier.
