I've been working on telemetry redaction using Microsoft Presidio, and recently contributed a sample to the Presidio repository. This post is a brief showcase of that work and related demos.
The Sample
The PR adds a telemetry redaction sample to the Presidio docs. It demonstrates client-side PII masking where applications call Presidio to detect and redact sensitive information before logging.
The setup is straightforward: a FastAPI demo app generates synthetic PII logs and shows both unredacted and redacted versions side-by-side. The sample includes a complete Docker Compose environment with Presidio services, OpenTelemetry collector, Grafana, Loki, and Tempo. The Grafana dashboard visualizes the difference between redacted and unredacted telemetry.
It is intentionally minimal and not production-ready, but serves as a starting point for folks exploring telemetry redaction.
The Demos
I also built two more demos exploring different approaches:
Manual Client-Side Masking
This repository shows manual masking in Java and Python applications. Developers explicitly call a mask function before logging or setting span attributes. It's predictable and keeps PII from ever leaving the service, but requires developer discipline.
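A compact version of the manual client-side pattern from the Python demo and the Presidio sample, written here as an added example rather than code from either repository: a mask() that rewrites detected spans into <ENTITY_TYPE> placeholders, plus a logging.Filter that applies it before any handler or exporter sees the record. The regex detector is a constructed stand-in so the block runs offline; presidio_detect() is the adapter you would swap in, and it assumes presidio-analyzer and a spaCy model are installed.

```python
import logging
import re
from typing import Callable, List, Tuple

# A detected span: (start, end, entity_type). These are the same fields
# Presidio's AnalyzerEngine.analyze() returns on each RecognizerResult.
Span = Tuple[int, int, str]

# Constructed stand-in detector so this example runs without Presidio.
_PATTERNS = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE_NUMBER": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def regex_detect(text: str) -> List[Span]:
    """Offline detector with the same output shape as presidio_detect()."""
    return [(m.start(), m.end(), name)
            for name, pat in _PATTERNS.items() for m in pat.finditer(text)]


def presidio_detect(text: str, language: str = "en") -> List[Span]:
    """Adapter for Presidio (assumes presidio-analyzer + a spaCy model).
    Build the engine once per process in real code; it is created here
    per call only to keep the example short."""
    from presidio_analyzer import AnalyzerEngine  # imported lazily
    results = AnalyzerEngine().analyze(text=text, language=language)
    return [(r.start, r.end, r.entity_type) for r in results]


def mask(text: str, detect: Callable[[str], List[Span]] = regex_detect) -> str:
    """Replace each detected span with <ENTITY_TYPE>. Overlapping spans are
    merged (leftmost, then longest, wins) and spans are rewritten right to
    left so earlier offsets stay valid."""
    spans = sorted(detect(text), key=lambda s: (s[0], -s[1]))
    kept: List[Span] = []
    for s in spans:
        if not kept or s[0] >= kept[-1][1]:
            kept.append(s)
    for start, end, entity in reversed(kept):
        text = f"{text[:start]}<{entity}>{text[end:]}"
    return text


class RedactingFilter(logging.Filter):
    """Masks the fully rendered message before any handler sees the record,
    so PII never reaches a log sink or OTLP exporter."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask(record.getMessage())
        record.args = ()
        return True
```

Attach the filter with `logger.addFilter(RedactingFilter())`; the same mask() call is what you would run on span attribute values before setting them.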
Automated OTLP Interception
This one explores three automated approaches: an OTLP proxy, a custom Go collector with built-in masking, and a pod-local sidecar interceptor. All work, but they share similar failure modes around model correctness, coverage gaps, and latency.
I wrote about the tradeoffs in Masking PII in Logs and Traces: Manual vs Automated.
Why This Matters
Telemetry redaction is not trivial. You need to decide where to mask (in-app vs. proxy), which entities to redact, and how to handle false positives. The official Presidio sample provides a foundation, and the demos show practical implementations at different integration points.
If you're working on observability for healthcare, finance, or any regulated domain, these examples might save you some time.