Portal Community

Redaction Processor Configuration

# otel-collector-config.yaml
processors:
  # Redaction processor — masks sensitive span and log attribute values
  redaction:
    # Keep every attribute key; only values are masked. Set this to false and
    # list 'allowed_keys' instead if unlisted attributes should be dropped outright.
    allow_all_keys: true

    # Attributes whose KEY matches one of these regexes have their value
    # replaced with "****" (the key itself stays on the span/log record):
    blocked_key_patterns:
      - "^http\\.request\\.header\\.authorization$"
      - "^http\\.request\\.header\\.x-api-key$"
      - "^db\\.statement$"              # SQL queries may contain PII
      - "^url\\.full$"                  # URLs may contain tokens in query params

    # Attribute VALUES matching these regexes are masked with "****".
    # The collector compiles them with Go's RE2 regex engine: matching is
    # case-sensitive unless the pattern starts with (?i), and lookaheads are
    # not supported.
    blocked_values:
      # Password patterns (query-string / form-encoded style)
      - "(?i)password[^&=]*=[^&]*"
      # Bearer tokens ("Bearer" is usually capitalised, hence (?i))
      - "(?i)bearer [a-zA-Z0-9._-]{20,}"
      # AWS access keys
      - "AKIA[0-9A-Z]{16}"
      # Credit cards (simplified)
      - "\\b[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\\b"
      # SSN
      - "\\b[0-9]{3}-[0-9]{2}-[0-9]{4}\\b"
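To check these rules before they reach a running collector, here is an added Go example (not part of this page or of the collector's own code) that compiles the same key and value patterns with Go's `regexp` package, the RE2 engine the collector uses, and applies them to constructed sample attributes. The `Mask` constant, the `Redact` function and the masking granularity it uses (whole value for a key match, matching substring for a value match) are this example's assumptions, modelled on the processor's documented behaviour; the sample values are made up and are not real credentials.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Mask is the placeholder the redaction processor writes over masked values.
const Mask = "****"

// Key patterns and value patterns from the configuration above. The collector
// compiles both lists with Go's regexp package (RE2 syntax), so compiling them
// here with the same engine catches anything the collector would reject.
var blockedKeyPatterns = []string{
	`^http\.request\.header\.authorization$`,
	`^http\.request\.header\.x-api-key$`,
	`^db\.statement$`,
	`^url\.full$`,
}

var blockedValuePatterns = []string{
	`(?i)password[^&=]*=[^&]*`,
	`(?i)bearer [a-zA-Z0-9._-]{20,}`,
	`AKIA[0-9A-Z]{16}`,
	`\b[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\b`,
	`\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b`,
}

// compileAll compiles every pattern, returning the first one the RE2 engine
// rejects so a bad rule is caught before the collector is restarted.
func compileAll(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// Redact models allow_all_keys: true. Every key survives; a key matching a
// blocked key pattern has its whole value masked, otherwise each substring of
// the value matching a blocked value pattern is masked (granularity is this
// example's assumption). It returns the redacted copy and the sorted list of
// keys whose value changed.
func Redact(attrs map[string]string) (map[string]string, []string, error) {
	keyRes, err := compileAll(blockedKeyPatterns)
	if err != nil {
		return nil, nil, err
	}
	valRes, err := compileAll(blockedValuePatterns)
	if err != nil {
		return nil, nil, err
	}
	out := make(map[string]string, len(attrs))
	var touched []string
	for k, v := range attrs {
		nv := v
		keyBlocked := false
		for _, re := range keyRes {
			if re.MatchString(k) {
				keyBlocked = true
				break
			}
		}
		if keyBlocked {
			nv = Mask
		} else {
			for _, re := range valRes {
				nv = re.ReplaceAllString(nv, Mask)
			}
		}
		if nv != v {
			touched = append(touched, k)
		}
		out[k] = nv
	}
	sort.Strings(touched)
	return out, touched, nil
}

func main() {
	// Constructed sample attributes; none of these values are real credentials.
	attrs := map[string]string{
		"http.request.header.authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token",
		"db.statement":                      "SELECT * FROM users WHERE ssn = '123-45-6789'",
		"user.note":                         "card 4111-1111-1111-1111 on file",
		"cloud.account.key":                 "AKIAIOSFODNN7EXAMPLE",
		"http.request.method":               "GET",
	}
	out, touched, err := Redact(attrs)
	if err != nil {
		panic(err)
	}
	fmt.Println("masked keys:", touched)
	for _, k := range touched {
		fmt.Printf("%s: %s\n", k, out[k])
	}
}
```

Note that a key-pattern match keeps the key and only replaces the value, so a later grep for `http.request.header.authorization` in collector output still finds the attribute; what must change is its value. The `compileAll` step is also where a PCRE-only construct such as a lookahead fails, which is the same failure the collector would report at startup.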

Transform Processor for Log Body Redaction

# The redaction processor works on span/log attributes.
# To redact content in the log BODY (the message text itself), use the transform processor.
# replace_pattern only rewrites a body that is a string; a body that arrives as a
# structured map is left unchanged, so such fields must be masked by attribute rules instead.

processors:
  transform/redact-log-body:
    log_statements:
      - context: log
        statements:
          # Replace password values in a JSON-formatted log body
          # (form-encoded "password=..." bodies are not covered by this pattern):
          - replace_pattern(body, "\"password\":\\s*\"[^\"]+\"", "\"password\":\"[REDACTED]\"")
          # Replace credit card patterns:
          - replace_pattern(body, "\\b[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\\b", "[CC-REDACTED]")
          # Replace SSN patterns:
          - replace_pattern(body, "\\b[0-9]{3}-[0-9]{2}-[0-9]{4}\\b", "[SSN-REDACTED]")
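The three statements above are easy to test offline. The following added Go example (this page's author did not write it, and it is not collector code) applies the same regexes and replacement strings to constructed log bodies with Go's `regexp.ReplaceAllString`, the same RE2 engine and `$1`-style expansion OTTL's `replace_pattern` relies on. The `bodyRule` type, `RedactBody`, `Leaks` and the broad `residualPassword` detector are this example's own; the second sample body is there to show a case the JSON-only password rule does not cover.

```go
package main

import (
	"fmt"
	"regexp"
)

// bodyRule mirrors one replace_pattern(body, regex, replacement) statement.
// The regex strings are what the collector sees after YAML and OTTL unescaping
// of the statements above.
type bodyRule struct {
	name        string
	re          *regexp.Regexp
	replacement string
}

var bodyRules = []bodyRule{
	{"json-password", regexp.MustCompile(`"password":\s*"[^"]+"`), `"password":"[REDACTED]"`},
	{"credit-card", regexp.MustCompile(`\b[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\b`), "[CC-REDACTED]"},
	{"ssn", regexp.MustCompile(`\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b`), "[SSN-REDACTED]"},
}

// residualPassword is a deliberately broad detector (this example's own, not a
// collector rule) used only to audit what the narrow rules above leave behind.
var residualPassword = regexp.MustCompile(`(?i)password"?\s*[=:]\s*"?([^&\s"]+)`)

// RedactBody applies the rules in order, as the transform processor does for a
// string body, and returns the rewritten body plus the names of rules that matched.
func RedactBody(body string) (string, []string) {
	var hits []string
	for _, r := range bodyRules {
		if r.re.MatchString(body) {
			hits = append(hits, r.name)
			body = r.re.ReplaceAllString(body, r.replacement)
		}
	}
	return body, hits
}

// Leaks returns password values that survive RedactBody, for example a
// form-encoded "password=..." that the JSON-only rule does not touch.
func Leaks(redacted string) []string {
	var leaks []string
	for _, m := range residualPassword.FindAllStringSubmatch(redacted, -1) {
		if m[1] != "[REDACTED]" {
			leaks = append(leaks, m[1])
		}
	}
	return leaks
}

func main() {
	// Constructed log bodies; the secrets in them are made up.
	for _, body := range []string{
		`{"user":"alice","password": "hunter2","card":"4111 1111 1111 1111"}`,
		`POST /login form: user=bob&password=s3cret&ssn=123-45-6789`,
	} {
		out, hits := RedactBody(body)
		fmt.Printf("rules hit: %v\n%s\n", hits, out)
		if leaks := Leaks(out); len(leaks) > 0 {
			fmt.Printf("NOT covered by the statements above: %q\n", leaks)
		}
	}
}
```

Running it shows the JSON body fully masked and the form-encoded body with its SSN masked but `password=s3cret` intact; that gap is the kind of thing to close with an extra statement (or a value rule in the redaction processor) before trusting the pipeline with production logs.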

Pipeline Configuration with Redaction

# otel-collector-config.yaml — complete pipeline with redaction
service:
  pipelines:
    logs:
      receivers: [otlp]
      processors:
        - memory_limiter
        - batch
        - transform/redact-log-body    # Redact log body content
        - redaction                     # Redact span/log attributes
        - resource/add-bizfirst-labels  # Add Loki labels
      exporters: [loki]

    traces:
      receivers: [otlp]
      processors:
        - memory_limiter
        - batch
        - redaction                     # Redact trace span attributes
        - tail_sampling
      exporters: [otlp/tempo]

    metrics:
      receivers: [otlp, prometheus]
      processors:
        - memory_limiter
        - batch
        # No redaction needed for metrics — labels should never contain PII
        # (enforced by label hygiene policy — see Label Hygiene page)
      exporters: [prometheusremotewrite]

Testing Redaction Effectiveness

# Send a test span with known-sensitive attributes to verify redaction:
# Use the OTel Collector's debug exporter to inspect what reaches the backend.

# In otel-collector-config.yaml (temporarily add during testing):
exporters:
  debug:
    verbosity: detailed

service:
  pipelines:
    traces/test:
      receivers: [otlp]
      processors: [redaction]
      exporters: [debug]  # Output redacted spans to collector logs

# Check collector output for the test span. The redaction processor masks the
# VALUE and keeps the key, so the attribute line is still printed:
docker compose logs otel-collector | grep "http.request.header.authorization"
# Expected: the line shows the value as ****, e.g.
#   -> http.request.header.authorization: Str(****)
# If the original header value appears: the redaction rule is not matching

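A grep confirms the key is present but not that every blocked value was masked. The added Go example below (not from this page or from the collector project) scans collector log lines in the debug exporter's detailed format, where each attribute is printed as `-> key: Str(value)`, and reports any blocked key printed with something other than `****`, plus any expected key the test span never carried. The `attrLine` regex, `CheckDebugOutput` and the `sampleLines` are this example's own; the sample lines are constructed to mimic that format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// attrLine matches one attribute line of the debug exporter's detailed output,
// e.g. "     -> http.request.method: Str(GET)".
var attrLine = regexp.MustCompile(`^\s*->\s*([^:]+):\s*Str\((.*)\)\s*$`)

// CheckDebugOutput scans collector log lines and returns one finding per key in
// expected that is printed with anything other than the "****" mask, and one
// per expected key that never appears (the test span did not exercise that rule).
func CheckDebugOutput(lines []string, expected []string) []string {
	seen := map[string]bool{}
	var findings []string
	for _, line := range lines {
		m := attrLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		key, val := strings.TrimSpace(m[1]), m[2]
		for _, want := range expected {
			if key != want {
				continue
			}
			seen[key] = true
			if val != "****" {
				findings = append(findings, fmt.Sprintf("%s not masked: %q", key, val))
			}
		}
	}
	for _, want := range expected {
		if !seen[want] {
			findings = append(findings, want+" never appeared: test span did not exercise this rule")
		}
	}
	return findings
}

// sampleLines is a constructed excerpt shaped like the debug exporter's
// detailed output; the SQL text is made up.
var sampleLines = []string{
	"Span #0",
	"    Trace ID       : 00000000000000000000000000000001",
	"Attributes:",
	"     -> http.request.method: Str(GET)",
	"     -> http.request.header.authorization: Str(****)",
	"     -> db.statement: Str(SELECT * FROM users WHERE id = 42)",
	"     -> user.note: Str(card **** on file)",
}

func main() {
	expected := []string{"http.request.header.authorization", "db.statement", "url.full"}
	findings := CheckDebugOutput(sampleLines, expected)
	if len(findings) == 0 {
		fmt.Println("all expected attributes masked")
		return
	}
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
}
```

In practice the input is `docker compose logs otel-collector` piped into this program after the test span has been sent, and the `expected` list is exactly the set of blocked keys the test span carried.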
Redaction Is Not Encryption

The redaction processor replaces sensitive values with placeholder text — it does not encrypt or hash them. The original values are permanently discarded. If you need to preserve sensitive data in an encrypted form for audit purposes, that must be done in a separate secure audit system — not in Loki or Tempo.