
How to Mask Sensitive Data in a Log File in Batch Script

Handling logs that contain sensitive information, such as plain-text passwords, Social Security Numbers (SSNs), or credit card details, poses a significant security risk. If you need to share a log file with a support team or archive it on a shared drive, you must mask (obfuscate) this data first. Replacing sensitive strings with [REDACTED] or **** keeps the logs useful for troubleshooting without handing the secrets to everyone who can read the file, and without violating privacy or compliance standards (like GDPR or PCI DSS).

In this guide, we will demonstrate how to perform pattern-based redaction using Batch and PowerShell.

Method 1: Literal Password Masking (Batch)

If your logs follow a consistent "Key=Value" format (e.g., pass=12345), you can search each line for that key and, when it is present, drop everything from the first "=" onward so the value is never written to the output.

note

This method performs a case-insensitive literal substring match: any line that contains the key name anywhere (so "password=" and "bypass=" trigger it just like "pass=") has everything from its first "=" onward replaced. That errs on the side of removing too much, which is the right direction for a redaction tool, but it means a line such as "user=charlie pass=TopSecret!" comes out as "user=[REDACTED]" and the user name is lost. It works best when your log format is predictable and the sensitive key name is consistent.

Implementation Script

@echo off
setlocal DisableDelayedExpansion

set "Source=system.log"
set "Dest=redacted_system.log"
rem Key name to look for. The substring test below cannot carry an "=" in the
rem search text, so the match is on the key name itself and is case-insensitive:
rem "pass=", "PASS=" and "password=" all hit, and so does "bypass=".
set "SecretKey=pass"

if not exist "%Source%" (
    echo [ERROR] Source file "%Source%" not found.
    pause
    exit /b 1
)

echo Scrubbing secrets from %Source%...

(
    rem findstr /n prefixes every line with "N:" so that for /f does not skip
    rem blank lines; the prefix is stripped again below.
    for /f "usebackq delims=" %%A in (`findstr /n "^" "%Source%"`) do (
        rem Store the line while delayed expansion is still OFF so exclamation
        rem marks and carets in the log text survive, then switch it on.
        set "line=%%A"
        setlocal EnableDelayedExpansion
        set "line=!line:*:=!"
        if not "!line:%SecretKey%=!"=="!line!" (
            rem Key found: keep the text before the FIRST "=" and drop the rest.
            rem "user=charlie pass=x" therefore becomes "user=[REDACTED]", which
            rem loses the user name but can never leak the secret. An exclamation
            rem mark in the kept prefix would be dropped by delayed expansion.
            for /f "tokens=1 delims==" %%K in ("!line!") do echo(%%K=[REDACTED]
        ) else (
            echo(!line!
        )
        endlocal
    )
) > "%Dest%"

echo [DONE] Masked log saved to %Dest%.

endlocal
pause

Example of system.log:

[2026-04-09 09:00:01] INFO User login attempt: user=alice
[2026-04-09 09:00:02] INFO Authentication success: user=alice
[2026-04-09 09:00:05] INFO Database connection established
[2026-04-09 09:01:12] WARNING Failed login attempt: user=bob
[2026-04-09 09:02:33] INFO Updating configuration: pass=SuperSecret123
[2026-04-09 09:03:45] INFO Scheduled job executed successfully
[2026-04-09 09:04:50] ERROR Connection timeout to server
[2026-04-09 09:05:12] INFO New user registration: user=charlie pass=TopSecret!
[2026-04-09 09:06:00] INFO System shutdown initiated

Example of corresponding redacted_system.log:

[2026-04-09 09:00:01] INFO User login attempt: user=alice
[2026-04-09 09:00:02] INFO Authentication success: user=alice
[2026-04-09 09:00:05] INFO Database connection established
[2026-04-09 09:01:12] WARNING Failed login attempt: user=bob
[2026-04-09 09:02:33] INFO Updating configuration: pass=[REDACTED]
[2026-04-09 09:03:45] INFO Scheduled job executed successfully
[2026-04-09 09:04:50] ERROR Connection timeout to server
[2026-04-09 09:05:12] INFO New user registration: user=[REDACTED]
[2026-04-09 09:06:00] INFO System shutdown initiated

Method 2: Pattern-Based Masking (PowerShell Bridge)

Native Batch has no regular-expression replace: findstr can search for a pattern such as XXX-XX-XXXX but cannot rewrite it. "Dynamic" data like SSNs, card numbers or random passwords is therefore much easier to handle with PowerShell's regex -replace operator, called from the Batch script.

tip

This method uses regex lookbehinds and digit patterns to surgically replace only the sensitive values while preserving the rest of each log line intact.

Implementation Script

@echo off
setlocal

set "Source=client_data.log"
set "Output=safe_data.txt"

if not exist "%Source%" (
    echo [ERROR] Source file "%Source%" not found.
    pause
    exit /b 1
)

echo Redacting SSNs, card numbers and passwords...

:: Regex for SSN:  \b\d{3}-\d{2}-\d{4}\b   (word boundaries stop it matching inside longer numbers)
:: Regex for card: \b(?:\d{4}[ -]?){3}\d{4}\b   (16 digits, optionally in groups of four)
:: Regex for passwords after "password:" or "password=": (?<=password[:=])\S+
::   The lookbehind keeps the key name, and \S+ stops at the next space so any
::   field that follows the password survives; use .+ instead if values may contain spaces.
:: -replace is case-insensitive by default (use -creplace for a case-sensitive match).
powershell -NoProfile -Command ^
"(Get-Content -Path '%Source%') " ^
"-replace '\b\d{3}-\d{2}-\d{4}\b', '[REDACTED_SSN]' " ^
"-replace '\b(?:\d{4}[ -]?){3}\d{4}\b', '[REDACTED_CARD]' " ^
"-replace '(?<=password[:=])\S+', '****' " ^
"| Set-Content -Path '%Output%'"

echo [DONE] Sanitized log saved to %Output%.

endlocal
pause

Example of client_data.log:

2026-04-09 08:15:22 INFO User signup: name=Alice ssn=123-45-6789 email=alice@example.com password=AlicePass123
2026-04-09 08:20:10 INFO User login: name=Bob ssn=987-65-4321 password=BobSecret!
2026-04-09 08:25:45 INFO Payment processed: user=Charlie card=4111-1111-1111-1111
2026-04-09 08:30:00 INFO Password reset requested: user=David password:NewPass456
2026-04-09 08:35:15 INFO Admin login: name=Eve

Example of corresponding safe_data.txt:

2026-04-09 08:15:22 INFO User signup: name=Alice ssn=[REDACTED_SSN] email=alice@example.com password=****
2026-04-09 08:20:10 INFO User login: name=Bob ssn=[REDACTED_SSN] password=****
2026-04-09 08:25:45 INFO Payment processed: user=Charlie card=[REDACTED_CARD]
2026-04-09 08:30:00 INFO Password reset requested: user=David password:****
2026-04-09 08:35:15 INFO Admin login: name=Eve
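The key/value rule of Method 1 and the regex pass of Method 2 both apply a fixed list of patterns to every line. The following PowerShell script generalizes that into a reusable rule table; it is added here as an example and is not code from the original page. Key/value rules capture the key name so the masked field stays identifiable, values end at the next whitespace so later fields survive, and 16-digit numbers are masked only when they pass the Luhn check, so order or tracking numbers stay readable. The function names (Invoke-LogRedaction, Test-Luhn), the rule table and the sample lines are all assumptions made for this example.

```powershell
# Added example, not part of the original page. Function names, rule names and
# the sample lines below are assumptions for illustration.

function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    # Walk right-to-left, doubling every second digit (subtract 9 if it exceeds 9).
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

# Ordered rule table. Key/value rules keep the key (group 1) and the separator
# (group 2) and replace only the value; \S+ stops at whitespace so fields after
# the secret survive. -replace is case-insensitive by default.
$RedactionRules = @(
    @{ Name = 'ssn';      Pattern = '\b\d{3}-\d{2}-\d{4}\b';                           Replacement = '[REDACTED_SSN]' }
    @{ Name = 'password'; Pattern = '\b(pass(?:word)?|pwd)([:=])\S+';                   Replacement = '$1$2****' }
    @{ Name = 'apikey';   Pattern = '\b(api[_-]?key|access[_-]?token|secret)([:=])\S+'; Replacement = '$1$2[REDACTED]' }
)
# Card-like numbers: 16 digits, optionally in groups of four separated by space or dash.
$CardPattern = [regex]'\b(?:\d{4}[ -]?){3}\d{4}\b'

function Invoke-LogRedaction {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($rule in $RedactionRules) {
            $line = $line -replace $rule.Pattern, $rule.Replacement
        }
        # Scriptblock replacement: mask only Luhn-valid numbers and keep the last
        # four digits so support staff can still correlate a transaction.
        $line = $CardPattern.Replace($line, {
            param($m)
            $digits = $m.Value -replace '[ -]', ''
            if (Test-Luhn $digits) { '[REDACTED_CARD ****' + $digits.Substring(12) + ']' } else { $m.Value }
        })
        $line
    }
}

# Constructed sample lines (not a real log). They cover two cases the one-liner
# in Method 2 does not: a password that is not the last field, and a 16-digit
# order number that is not a card and must stay readable.
$sample = @(
    '2026-04-09 08:15:22 INFO User signup: name=Alice ssn=123-45-6789 password=AlicePass123 email=alice@example.com'
    '2026-04-09 08:25:45 INFO Payment processed: user=Charlie card=4111 1111 1111 1111 amount=42.00'
    '2026-04-09 08:30:00 INFO Password reset requested: user=David password:NewPass456'
    '2026-04-09 08:31:10 INFO Order created: user=Eve order=1234-5678-9012-3456 api_key=sk_live_abc123'
)
Invoke-LogRedaction -Lines $sample

# To process a file the way Method 2 does:
# Invoke-LogRedaction -Lines (Get-Content -Path 'client_data.log') | Set-Content -Path 'safe_data.txt'
```

On the sample, the signup line keeps its e-mail field after the masked password, the card line is masked to [REDACTED_CARD ****1111] (4111 1111 1111 1111 is Luhn-valid), and the order number 1234-5678-9012-3456 fails the Luhn check and is left alone while the api_key next to it is masked. The Luhn check is a false-positive filter only: it reduces over-redaction of 16-digit identifiers and does not confirm that a masked number was a real card.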

Why Mask Sensitive Data?

  1. Security Compliance: Meeting regulatory requirements (GDPR, PCI DSS) that restrict how PII and cardholder data may be stored and who may read it; a log file on a shared drive is storage like any other.
  2. Access Control: Allowing junior administrators to review logs for error codes without also handing them the credit card numbers processed in those same transactions.
  3. Audit Trails: Keeping the history of events while stripping out values, such as one-time passwords (OTPs), that have no diagnostic value once they have been used.

Best Practices

warning

Never overwrite your original log file. Always write the redacted output to a separate file so the raw data remains available in a secure location if a deep-forensics audit is required.

  1. Don't Over-Redact: If you redact every run of digits, your logs lose timestamps, ports and error codes and become impossible to read. Target specific patterns and anchor them (word boundaries, the key name in front of the value) so they match only the sensitive value.
  2. Verify the Redaction: Always run findstr on your "Sanitized" file for the original sensitive values, not just the key names, since the key is kept in the masked line by design ("pass=[REDACTED]" will still match a search for "pass="). A search such as findstr /I /C:"SuperSecret123" redacted_system.log must return nothing. Compare line counts as well, so you notice if the script silently dropped lines.
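Best practice 2 says to search the sanitized file for the original sensitive strings. The following PowerShell script does that systematically; it is added here as an example and is not code from the original page. It harvests the secret values from the source with the same kind of patterns the redaction used, searches the redacted text for each value literally (Select-String -SimpleMatch is the PowerShell equivalent of findstr /I /C:), and compares line counts, which catches the blank lines a Batch for /f loop can drop. The pattern list, the function names (Get-SecretValues, Test-Redaction) and the sample lines are assumptions for this example.

```powershell
# Added example, not part of the original page. Patterns and names are assumptions.

# The same kind of patterns the redaction used. Only values are harvested, never
# key names, because the key survives redaction by design ("pass=[REDACTED]").
$SecretPatterns = @(
    '\b\d{3}-\d{2}-\d{4}\b'                                  # SSN
    '\b(?:\d{4}[ -]?){3}\d{4}\b'                             # card-like number
    '(?<=\b(?:pass(?:word)?|pwd|api[_-]?key|token)[:=])\S+'  # value after a secret key
)

function Get-SecretValues {
    param([string[]]$Lines)
    $values = @()
    foreach ($line in $Lines) {
        foreach ($pattern in $SecretPatterns) {
            foreach ($m in [regex]::Matches($line, $pattern, 'IgnoreCase')) {
                $values += $m.Value
            }
        }
    }
    # Very short values would cause false alarms on a literal search; ignore them.
    return @($values | Where-Object { $_.Length -ge 4 } | Select-Object -Unique)
}

function Test-Redaction {
    param([string[]]$Source, [string[]]$Redacted)
    $leaks = @()
    foreach ($value in (Get-SecretValues -Lines $Source)) {
        # -SimpleMatch searches the literal text, so "!" or "$" in a password
        # cannot be misread as regex syntax. This is findstr /I /C:"value".
        $hits = $Redacted | Select-String -SimpleMatch -Pattern $value
        foreach ($hit in $hits) {
            $leaks += [pscustomobject]@{ Line = $hit.LineNumber; Value = $value }
        }
    }
    [pscustomobject]@{
        SourceLines   = $Source.Count
        RedactedLines = $Redacted.Count
        Leaks         = $leaks
        Passed        = ($leaks.Count -eq 0 -and $Source.Count -eq $Redacted.Count)
    }
}

# Constructed sample (not real logs). The "redacted" copy was deliberately made
# with a rule that only knows the literal key "pass=", so the "password=" line
# leaked, and the blank line in the source was dropped.
$sourceLines = @(
    '[2026-04-09 09:02:33] INFO Updating configuration: pass=SuperSecret123'
    ''
    '[2026-04-09 09:05:12] INFO New user registration: user=charlie password=TopSecret!'
)
$redactedLines = @(
    '[2026-04-09 09:02:33] INFO Updating configuration: pass=[REDACTED]'
    '[2026-04-09 09:05:12] INFO New user registration: user=charlie password=TopSecret!'
)
$report = Test-Redaction -Source $sourceLines -Redacted $redactedLines
$report | Format-List
$report.Leaks | Format-Table

# Against files, as in the scripts above:
# $r = Test-Redaction -Source (Get-Content 'client_data.log') -Redacted (Get-Content 'safe_data.txt')
# if (-not $r.Passed) { exit 1 }
```

For the constructed sample the report shows three source lines against two redacted lines and one leak, "TopSecret!" on redacted line 2, so Passed is false. Run this check before the sanitized file leaves the secure location; a non-zero exit is what a scheduled job should key on.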

Conclusion

Masking sensitive data is a critical responsibility for any systems administrator. By automating the redaction of passwords and identifiers before log files are shared or archived, you shrink the set of people and systems that ever see those values. Whether you use simple key replacement in Batch or regex substitution in PowerShell, treat these scripts as a safety net rather than the whole defense: the stronger fix is to stop writing secrets to the log in the first place, and scrubbing catches what still gets through before the file leaves a secure location.