Add the redactionprocessor to your log pipeline; configure allow_all_keys: false and list only the attribute keys you want to retain in allowed_keys to drop any attribute not on the allowlist
Add blocked_values as a list of regular expressions to mask attribute values that match sensitive patterns such as credit card numbers, email addresses, or SSNs; matched portions are replaced with a configurable string (default: ****)
For masking inside log body text, add a transformprocessor after the redaction processor with a log_statements OTTL statement: replace_pattern(body, "REGEX", "REDACTED")
Order processors: attributes processor first (fast key deletion), then redaction processor (regex value scanning), then transform processor (body manipulation)—this minimises the amount of data subject to regex evaluation
Test redaction coverage by emitting synthetic events containing known PII patterns through your local Collector in debug mode and inspecting the output; automate this as a CI check before deploying pipeline changes
Document retained fields and masking patterns in a data classification register and review quarterly to catch newly introduced PII fields
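The steps above assembled into one Collector configuration. This is an added example, not configuration from the original page or from the OpenTelemetry project. The attribute keys, the regular expressions and the processor name suffixes are assumptions chosen for illustration.

```yaml
# Added example: attribute keys, patterns and name suffixes are illustrative assumptions.
receivers:
  otlp:
    protocols:
      grpc:

processors:
  # 1. Cheap key deletion first, so the regex stages see less data.
  attributes/drop_known_pii:
    actions:
      - key: user.password        # hypothetical key
        action: delete
  # 2. Allowlist attribute keys, then mask values that match a pattern.
  redaction:
    allow_all_keys: false
    allowed_keys:                 # hypothetical allowlist
      - http.method
      - http.status_code
      - service.operation
      - user.note
    blocked_values:
      - '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'   # email address
      - '[0-9]{3}-[0-9]{2}-[0-9]{4}'                        # US SSN layout
      - '4[0-9]{12}(?:[0-9]{3})?'                           # Visa card number
    summary: debug                # add diagnostic attributes while testing locally
  # 3. The redaction processor does not scan the body; mask it with OTTL.
  transform/mask_body:
    error_mode: ignore
    log_statements:
      - context: log
        statements:
          - replace_pattern(body, "[0-9]{3}-[0-9]{2}-[0-9]{4}", "REDACTED") where IsString(body)

exporters:
  debug:
    verbosity: detailed           # print full records to inspect redaction output

service:
  pipelines:
    logs:
      receivers: [otlp]
      processors: [attributes/drop_known_pii, redaction, transform/mask_body]
      exporters: [debug]
```

Send synthetic log records containing the constructed patterns to this pipeline and confirm that the debug exporter output shows only allowlisted keys, masked attribute values and a masked body.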
Known gotchas
The redaction processor only scans attribute values, not log body text; to redact PII embedded in free-form message strings you must use the transform processor's replace_pattern OTTL function on the body field
Regex patterns in blocked_values are evaluated against every attribute value on every record—complex or catastrophic backtracking patterns can cause significant CPU overhead at high ingest rates; benchmark patterns before deploying
allow_all_keys: true with blocked_values only masks matched values but retains all keys; if a PII-carrying key name itself is sensitive (e.g., ssn), set allow_all_keys: false and enumerate only approved keys