Redacting Sensitive Data from Logs
When you need to share SAFE debug logs with support or a colleague, the safe redact-logs
command lets you remove sensitive information before sending the file. The original log is
never modified — a new .redacted copy is written alongside it.
Quick Start
safe redact-logs --log-file ./debug.log --paths --fingerprint
This reads ./debug.log, strips all file-system paths and project fingerprints, and writes
the result to ./debug.log.redacted.
Usage
safe redact-logs --log-file PATH
[--paths] [--system-output] [--fingerprint]
[--app-name] [--analysis]
If --log-file is omitted, SAFE checks the logger configuration for a known log location
and asks whether to use it.
Arguments
Optional:
- --log-file PATH
  Path to the SAFE debug log to process. If not provided, SAFE looks for a configured log file and prompts you to confirm.
- --paths
  Redact file-system paths (project root, build artefact paths, source file locations, etc.).
- --system-output
  Redact the output of external commands run during analysis (e.g. rebar3 compile output).
- --fingerprint
  Redact project fingerprints used by the licensing system.
- --app-name
  Redact OTP application names detected in your project.
- --analysis
  Redact raw output from SAFE's analysis engine (may contain source-level details).
You can combine any number of flags. Only the selected categories are redacted — everything else is left intact so the log remains as useful as possible for diagnosis.
Examples
Redact paths only:
safe redact-logs --log-file ./debug.log --paths
Redact paths and fingerprints (recommended when sharing with support):
safe redact-logs --log-file ./debug.log --paths --fingerprint
Redact everything:
safe redact-logs --log-file ./debug.log --paths --system-output --fingerprint --app-name --analysis
Let SAFE detect the log file automatically:
safe redact-logs --paths --fingerprint
# SAFE log file not provided, but found one in: /var/log/safe/debug.log.
# Would you like to use it? [Yn]:
Output
A .redacted file is written next to the original:
./debug.log ← unchanged
./debug.log.redacted ← redacted copy
Each redacted value is replaced with a labelled placeholder, so you can still tell what kind of data was removed:
| Original log line | After redaction |
|---|---|
| Adding file: "/home/user/project/ebin/app.beam" | Adding file: <REDACTED_PATH> |
| Fingerprint: KOt0tW5Y+Ho= | Fingerprint: <REDACTED_FINGERPRINT> |
| Result: "===> Compiling cowboy\n" | Result: <REDACTED_SYSTEM_OUTPUT> |
If a log line was truncated mid-tag (e.g. due to a logging limit), the placeholder is
prefixed with INTERRUPTED_ to flag the anomaly without leaking data:
Adding file: <INTERRUPTED_REDACTED_PATH>
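A pre-share check on the .redacted copy, added here as an example and not part of SAFE or its documentation: it counts the placeholders by kind, lists lines carrying an INTERRUPTED_ placeholder, and fails if anything still looks unredacted. The function names are hypothetical, and the residue patterns (a quoted absolute path, a Fingerprint: line without a placeholder) are assumptions modelled on the sample lines in the table above, so they only apply when --paths and --fingerprint were selected.

```shell
#!/bin/sh
# Added example: pre-share check for a SAFE .redacted log (not SAFE's own code).
# Placeholder names come from the page; the residue patterns are assumptions
# modelled on the sample lines in the table above.

# Count each placeholder kind, one "COUNT NAME" pair per line.
placeholder_summary() {
    grep -oE '<(INTERRUPTED_)?REDACTED_[A-Z_]+>' "$1" | tr -d '<>' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Line numbers where a tag was cut short and flagged INTERRUPTED_.
interrupted_lines() {
    grep -nE '<INTERRUPTED_REDACTED_[A-Z_]+>' "$1" | cut -d: -f1
}

# Lines that still look like a quoted absolute path or a raw fingerprint.
residue_lines() {
    grep -nE '"/[^"]+"|Fingerprint: [^<]' "$1"
}

# Succeed only when no residue remains; findings go to stderr.
check_redacted() {
    if residue_lines "$1" >&2; then
        echo "residue found in $1, do not share yet" >&2
        return 1
    fi
    return 0
}

# Constructed sample of a log redacted with --paths --fingerprint.
write_sample() {
    cat > "$1" <<'EOF'
Adding file: <REDACTED_PATH>
Adding file: <REDACTED_PATH>
Fingerprint: <REDACTED_FINGERPRINT>
Adding file: <INTERRUPTED_REDACTED_PATH>
EOF
}

# Demo run on the constructed sample.
demo=$(mktemp)
write_sample "$demo"
placeholder_summary "$demo"
check_redacted "$demo" && echo "no residue found"
rm -f "$demo"
```

A non-zero status from check_redacted means the copy still contains something matching the residue patterns; review the reported line numbers before sending the file.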
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Redaction completed successfully |
| 1 | An error occurred (invalid argument, file not found, write failure) |
Getting Help
safe redact-logs help