Skip to content

premium: add user-controlled log redaction #22046

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Nov 13, 2025
Merged

premium: add user-controlled log redaction #22046

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
4bad1f2
Create tidb-cloud-log-redaction-premium.md
wildpcww Nov 12, 2025
09edb26
fix format
Oreoxmt Nov 12, 2025
20beaaf
TiDB Cloud {{{ .premium }}} -> {{{ .premium }}}
Oreoxmt Nov 12, 2025
0561d82
update TOC
Oreoxmt Nov 12, 2025
25244e5
Merge branch 'log-redaction' of github.com:wildpcww/docs into log-red…
Oreoxmt Nov 12, 2025
b38477c
update TiDB Instances links
Oreoxmt Nov 12, 2025
0c6ab65
update CustomContent
Oreoxmt Nov 12, 2025
7f25c45
update TOC
Oreoxmt Nov 12, 2025
c77eace
remove tidb-cloud-log-redaction-premium.md
Oreoxmt Nov 12, 2025
f307891
Update summary
lilin90 Nov 12, 2025
ee66b18
Update format
lilin90 Nov 13, 2025
38462ea
Merge branch 'release-8.5' into log-redaction
lilin90 Nov 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions TOC-tidb-cloud-premium.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,8 @@
- [Configure an IP Access List](/tidb-cloud/premium/configure-ip-access-list-premium.md)
- [Connect via Private Endpoint with Alibaba Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-alibaba-cloud.md)
- [Configure Firewall Rules for Public Endpoints](/tidb-cloud/configure-serverless-firewall-rules-for-public-endpoints.md)
- Data Access Control
- [User-Controlled Log Redaction](/tidb-cloud/premium/tidb-cloud-log-redaction-premium.md)
- Audit Management
- [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md)
- Billing
Expand Down
73 changes: 73 additions & 0 deletions tidb-cloud/premium/tidb-cloud-log-redaction-premium.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
---
title: User-Controlled Log Redaction
summary: Learn how to enable or disable user-controlled log redaction for {{{ .premium }}} instances to manage sensitive data visibility in execution logs.
---

# User-Controlled Log Redaction

User-controlled log redaction lets you manage the visibility of sensitive data in your {{{ .premium }}} instance logs. By toggling this redaction feature, you can protect your information, balance operational needs with security, and control what appears in your instance logs.

Log redaction is enabled by default, ensuring that sensitive information in running logs and execution plans is concealed. If you need more detailed log information for instance maintenance or SQL tuning, you can disable this feature at any time.

> **Note:**
>
> The log redaction feature is supported for TiDB Cloud Dedicated clusters and {{{ .premium }}} instances.

## Prerequisites

* You must be in the **Organization Owner** role of your organization in TiDB Cloud.

## Disable log redaction

> **Warning:**
>
> Disabling log redaction might expose sensitive information and increase the risk of data leakage. Ensure that you understand and acknowledge this risk before proceeding. Remember to re-enable it as soon as you complete your diagnostic or maintenance task.

To disable log redaction, do the following:

1. Log in to the [TiDB Cloud console](https://tidbcloud.com/).
2. Navigate to the [**TiDB Instances**](https://tidbcloud.com/tidbs) page, and then click the name of your target instance to go to its overview page.

> **Tip:**
>
> You can use the combo box in the upper-left corner to switch between organizations and instances.

3. In the left navigation pane, click **Settings** > **Security**.
4. In the **Execution Log Redaction** section, you can see that the redaction feature is **Enabled** by default.
5. Click **Disable**. A warning appears, explaining the risks of disabling log redaction.
6. Confirm the disabling.

After disabling log redaction, note the following:

* The change only applies to new database connections.
* Existing connections are unaffected. You need to reconnect them for the changes to take effect.
* Logs for new sessions will no longer be redacted.

## Check the updated logs

To check the updated logs after log redaction is disabled, do the following:

1. Simulate a performance issue caused by a slow query. For example, execute the following SQL statement:

```sql
SELECT *, SLEEP(2) FROM users WHERE email LIKE "%useremail%";
```

2. Wait a few minutes for the slow query log to update.
3. Review the log to confirm that the sensitive data is not redacted.

## Enable log redaction

To maintain data security, **enable log redaction** as soon as you complete your diagnostic or maintenance task as follows.

1. Log in to the [TiDB Cloud console](https://tidbcloud.com/).
2. Navigate to the [**TiDB Instances**](https://tidbcloud.com/tidbs) page, and then click the name of your target instance to go to its overview page.

> **Tip:**
>
> You can use the combo box in the upper-left corner to switch between organizations and instances.

3. In the left navigation pane, click **Settings** > **Security**.
4. In the **Execution Log Redaction** section, you can see that the redaction feature is **Disabled**.
5. Click **Enable** to enable it.
6. Reconnect to the database for the change to take effect on new sessions.