Redact IP Addresses from Logs

Detect and redact IPv4 and IPv6 addresses from server logs, firewall rules, and network diagnostics. Protect infrastructure details and user privacy in shared documents.

Detailed Explanation

Redacting IP Addresses

IP addresses reveal infrastructure topology and user identity. Under GDPR and similar regulations, IP addresses are considered personal data when they can be linked to an individual. Redacting IPs from shared logs protects both your infrastructure and your users.

IPv4 Detection

IPv4 addresses follow a well-known dotted-decimal format:

\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

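Each octet is constrained to 0 through 255, and the \b word boundaries keep the pattern from matching inside longer digit runs, which avoids false matches on version numbers like 1.2.3.4567. A four-part version string such as 1.2.3.4 is still a syntactically valid IPv4 address and will match.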

IPv6 Detection

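IPv6 addresses are harder to detect because they allow abbreviated forms: leading zeros in a group can be dropped, and one run of all-zero groups can be collapsed to "::":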

Full:        2001:0db8:85a3:0000:0000:8a2e:0370:7334
Compressed:  2001:db8:85a3::8a2e:370:7334
Loopback:    ::1

Where IP Addresses Appear

  • Web server logs — Every HTTP request includes the client IP
  • Firewall and security logs — Source and destination IPs for every connection
  • Application error logs — Client IP in request context
  • SSH logs — Login attempts with source IP
  • DNS query logs — Resolver and client addresses
  • Load balancer configs — Backend server addresses

# Before redaction
192.168.1.50 - - [15/Jan/2024:10:23:45 +0000] "GET /api/users HTTP/1.1" 200 1234
Blocked connection from 203.0.113.42 to 10.0.0.5:5432
SSH login failed for root from 198.51.100.23

# After redaction
[REDACTED_IP] - - [15/Jan/2024:10:23:45 +0000] "GET /api/users HTTP/1.1" 200 1234
Blocked connection from [REDACTED_IP] to [REDACTED_IP]:5432
SSH login failed for root from [REDACTED_IP]

Private vs. Public IP Considerations

Some teams prefer to redact only public IP addresses while preserving private ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) for debugging. Others redact all IPs uniformly to prevent infrastructure mapping. The appropriate strategy depends on your security requirements and who will see the redacted output.

CIDR Notation

IP ranges in CIDR notation (10.0.0.0/8, 192.168.1.0/24) should also be detected and redacted when they appear in network configuration that you plan to share externally.
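
The detection rules above (IPv4, IPv6, the private-range option and CIDR suffixes) combined into one Python redactor. This is an added example, not the Secret Redactor's own code. The names redact_ips, keep_private and placeholder are assumptions, and the IPv6 candidate pattern is an assumption too, since the page gives a regex only for IPv4.

```python
import ipaddress
import re

# IPv4: the page's octet-validating pattern plus an optional CIDR suffix (/0 to /32).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
V4 = rf"\b(?:{OCTET}\.){{3}}{OCTET}\b(?:/(?:3[0-2]|[12]?[0-9])\b)?"
# IPv6 (assumed pattern): loose candidate of hex groups and colons, including '::'
# compression and an optional /0 to /128 suffix. Candidates are validated below,
# so timestamps (10:23:45) and MAC addresses are left alone.
V6 = (r"(?<![\w:.])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}"
      r"(?:/(?:12[0-8]|1[01]\d|[1-9]?\d))?(?![\w:]|\.\w)")
IP_RE = re.compile(rf"(?P<v4>{V4})|(?P<v6>{V6})")

# The private ranges named in the text (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def redact_ips(text, keep_private=False, placeholder="[REDACTED_IP]"):
    """Replace IPv4/IPv6 addresses and CIDR ranges in text with placeholder."""
    def _sub(match):
        token = match.group(0)
        try:
            iface = ipaddress.ip_interface(token)  # accepts "addr" and "addr/prefix"
        except ValueError:
            # A v4 hit already passed the octet check (ipaddress may only object to
            # leading zeros), so redact it. A failed v6 candidate is not an address.
            return placeholder if match.group("v4") else token
        if keep_private and any(iface.ip in net for net in PRIVATE_NETS):
            return token
        return placeholder
    return IP_RE.sub(_sub, text)


# Constructed sample lines using documentation and private address ranges.
SAMPLE = [
    "Blocked connection from 203.0.113.42 to 10.0.0.5:5432",
    "[15/Jan/2024:10:23:45 +0000] client 2001:db8:85a3::8a2e:370:7334 via ::1",
    "allow 192.168.1.0/24 and 2001:db8::/32, agent version 1.2.3.4567",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact_ips(line))
        print(redact_ips(line, keep_private=True))
```

The private-range check uses an explicit RFC 1918 list rather than the ipaddress module's is_private attribute, which also covers loopback, link-local and documentation ranges.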

Use Case

A security analyst is writing an incident report about a DDoS attack and needs to share server logs with an external security consultant. The logs contain internal server IPs that reveal the network architecture. The Secret Redactor strips all IP addresses from the logs, allowing the analyst to share timing and request pattern data without exposing the internal network topology.
