Cybersecurity Triage

Redact Secret-Looking Log Lines

Logs may contain token, password, secret, or bearer values, so you need a safer view before sharing snippets.

Command

grep -RInE '(password=|token=|secret=|Authorization: Bearer)' fixtures/incidents | awk '{gsub(/password=[^ ]+/, "password=REDACTED"); gsub(/token=[^ ]+/, "token=REDACTED"); gsub(/secret=[^ ]+/, "secret=REDACTED"); gsub(/Authorization: Bearer [A-Za-z0-9._-]+/, "Authorization: Bearer REDACTED"); print}'

What changed

Nothing changes: the command only reads the logs and prints matching lines with secret-looking values redacted.

Danger

safe

When to use it

Use before pasting incident log snippets into tickets, chat, or reports.

When not to use it

Do not treat this as complete DLP; tune patterns for your real secret formats and still review output.
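
The caveat about tuning patterns, shown as an added example that is not part of the lesson's own commands: the script runs the lesson's awk patterns and a tuned variant over five constructed log lines and counts the lines that still carry a secret. The function names (`sample_lines`, `redact_lesson`, `redact_tuned`, `leaks`), the sample lines and the `DEMO` marker are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the lesson. Every secret below is constructed and
# carries the marker DEMO so leftovers are easy to count.
sample_lines() {
cat <<'EOF'
2026-06-25T14:07:01Z level=WARN msg=token=DEMOtok123 should_be_redacted
2026-06-25T14:07:02Z level=INFO Authorization: Bearer abc+DEMO/xyz==
2026-06-25T14:07:03Z level=INFO password="my DEMOphrase" user=alice
2026-06-25T14:07:04Z level=INFO body={"secret": "DEMOjson", "id": 7}
2026-06-25T14:07:05Z level=INFO PASSWORD=DEMOupper
EOF
}

# The awk stage exactly as the lesson gives it.
redact_lesson() {
  awk '{gsub(/password=[^ ]+/, "password=REDACTED"); gsub(/token=[^ ]+/, "token=REDACTED"); gsub(/secret=[^ ]+/, "secret=REDACTED"); gsub(/Authorization: Bearer [A-Za-z0-9._-]+/, "Authorization: Bearer REDACTED"); print}'
}

# Tuned variant (assumption): case-insensitive keys, "=" or ":" separators,
# quoted values that contain spaces, and bearer tokens with base64 characters.
redact_tuned() {
  awk '
  function scrub(line, key,    out, v) {
    out = ""
    while (match(tolower(line), key)) {          # find the key, ignoring case
      out = out substr(line, 1, RSTART + RLENGTH - 1)
      line = substr(line, RSTART + RLENGTH)
      if (substr(line, 1, 1) == "\"")            # quoted value: up to closing quote
        v = match(line, /^"[^"]*"?/) ? RLENGTH : 0
      else                                       # bare value: up to a delimiter
        v = match(line, /^[^ ,;&}"]+/) ? RLENGTH : 0
      out = out "REDACTED"
      line = substr(line, v + 1)
    }
    return out line
  }
  {
    $0 = scrub($0, "(password|token|secret)\"?[ ]*[=:][ ]*")
    $0 = scrub($0, "authorization:[ ]*bearer[ ]+")
    print
  }'
}

# Count lines on stdin that still contain a constructed secret.
leaks() { grep -c 'DEMO' || true; }

echo "lesson patterns: $(sample_lines | redact_lesson | leaks) of 5 lines still leak"
echo "tuned patterns:  $(sample_lines | redact_tuned | leaks) of 5 lines still leak"
```

The tuned variant errs toward over-redaction (any `token:` followed by text is scrubbed), so the output still needs a manual review before it is shared.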

Undo or recovery

No undo needed because the command is read-only.

Expected output

Matching log lines with sensitive-looking values replaced by REDACTED.

demo script

Disposable terminal steps

  1. grep -RInE '(password=|token=|secret=|Authorization: Bearer)' fixtures/incidents
  2. grep -RInE '(password=|token=|secret=|Authorization: Bearer)' fixtures/incidents | awk '{gsub(/password=[^ ]+/, "password=REDACTED"); gsub(/token=[^ ]+/, "token=REDACTED"); gsub(/secret=[^ ]+/, "secret=REDACTED"); gsub(/Authorization: Bearer [A-Za-z0-9._-]+/, "Authorization: Bearer REDACTED"); print}'

simulated output

What it looks like

$ grep -RInE '(password=|token=|secret=|Authorization: Bearer)' fixtures/incidents
fixtures/incidents/app.log:10:2026-06-25T14:07:01Z level=WARN service=api request_id=req-108 msg=token=demoTOKEN123 should_be_redacted
::exit-code::0
$ grep -RInE '(password=|token=|secret=|Authorization: Bearer)' fixtures/incidents | awk '{gsub(/password=[^ ]+/, "password=REDACTED"); gsub(/token=[^ ]+/, "token=REDACTED"); gsub(/secret=[^ ]+/, "secret=REDACTED"); gsub(/Authorization: Bearer [A-Za-z0-9._-]+/, "Authorization: Bearer REDACTED"); print}'
fixtures/incidents/app.log:10:2026-06-25T14:07:01Z level=WARN service=api request_id=req-108 msg=token=REDACTED should_be_redacted
::exit-code::0

YouTube Short

Redact before sharing logs.

Incident logs can contain tokens. Search for secret-looking fields and redact them before copying snippets into tickets or chat.

LinkedIn hook

Incident notes should not copy secrets forward.

Question: What redaction check do you run before sharing incident log snippets?
