ballerina-platform · TharmiganK · Oct 8, 2025 · Sep 1, 2025 · Sep 1, 2025 · Sep 2, 2025
@@ -127,6 +127,94 @@ The log module supports contextual logging, allowing you to create loggers with
 
 For more details and advanced usage, see the module specification and API documentation.
 
+## Sensitive Data Masking
+
+The log module provides capabilities to mask sensitive data in log messages to maintain data privacy and security when dealing with personally identifiable information (PII) or other sensitive data.
+
+By default, sensitive data masking is disabled. Enable it in `Config.toml`:
+
+```toml
+[ballerina.log]
+enableSensitiveDataMasking = true
+```
+
+Or configure it per logger:
+
+```ballerina
+log:Config secureConfig = {
+    enableSensitiveDataMasking: true
+};
+log:Logger secureLogger = log:fromConfig(secureConfig);
+```
+
+### Sensitive Data Annotation
+
+Use the `@log:Sensitive` annotation to mark fields in records as sensitive. When such fields are logged, their values will be excluded or masked:
+
+```ballerina
+import ballerina/log;
+
+type User record {
+    string id;
+    @log:Sensitive
+    string password;
+    string name;
+};
+
+public function main() {
+    User user = {id: "U001", password: "mypassword", name: "John Doe"};
+    log:printInfo("user details", user = user);
+}
+```
+
+Output (with masking enabled):
+
+```log
+time=2025-08-20T09:15:30.123+05:30 level=INFO module="" message="user details" user={"id":"U001","name":"John Doe"}
+```
+
+### Masking Strategies
+
+Configure masking strategies using the `strategy` field:
+
+```ballerina
+import ballerina/log;
+
+isolated function maskString(string input) returns string {
+    if input.length() <= 2 {
+        return "****";
+    }
+    return input.substring(0, 1) + "****" + input.substring(input.length() - 1);
+}
+
+type User record {
+    string id;
+    @log:Sensitive {
+        strategy: {
+            replacement: "****"
+        }   
+    }
+    string password;
+    @log:Sensitive {
+        strategy: {
+            replacement: maskString
+        }
+    }
+    string ssn;
+    string name;
+};
+```
+
+### Masked String Function
+
+Use `log:toMaskedString()` to get the masked version of a value for custom logging implementations:
+
+```ballerina
+User user = {id: "U001", password: "mypassword", name: "John Doe"};
+string maskedUser = log:toMaskedString(user);
+io:println(maskedUser); // {"id":"U001","name":"John Doe"}
+```
+
 ## Build from the source
 
 ### Set up the prerequisites

@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "log"
-version = "2.13.0"
+version = "2.14.0"
 authors = ["Ballerina"]
 keywords = ["level", "format"]
 repository = "https://github.com/ballerina-platform/module-ballerina-log"
@@ -15,18 +15,18 @@ graalvmCompatible = true
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "log-native"
-version = "2.13.0"
-path = "../native/build/libs/log-native-2.13.0.jar"
+version = "2.14.0"
+path = "../native/build/libs/log-native-2.14.0-SNAPSHOT.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "log-compiler-plugin"
-version = "2.13.0"
-path = "../compiler-plugin/build/libs/log-compiler-plugin-2.13.0.jar"
+version = "2.14.0"
+path = "../compiler-plugin/build/libs/log-compiler-plugin-2.14.0-SNAPSHOT.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "log-test-utils"
-version = "2.13.0"
-path = "../test-utils/build/libs/log-test-utils-2.13.0.jar"
+version = "2.14.0"
+path = "../test-utils/build/libs/log-test-utils-2.14.0-SNAPSHOT.jar"
 scope = "testOnly"
@@ -3,4 +3,4 @@ id = "log-compiler-plugin"
 class = "io.ballerina.stdlib.log.compiler.LogCompilerPlugin"
 
 [[dependency]]
-path = "../compiler-plugin/build/libs/log-compiler-plugin-2.13.0.jar"
+path = "../compiler-plugin/build/libs/log-compiler-plugin-2.14.0-SNAPSHOT.jar"
@@ -76,7 +76,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "log"
-version = "2.13.0"
+version = "2.14.0"
 dependencies = [
 	{org = "ballerina", name = "io"},
 	{org = "ballerina", name = "jballerina.java"},

@@ -113,3 +113,92 @@ The log module supports contextual logging, allowing you to create loggers with
     ```
 
 For more details and advanced usage, see the module specification and API documentation.
+
+## Sensitive Data Masking
+
+The log module provides capabilities to mask sensitive data in log messages to maintain data privacy and security when dealing with personally identifiable information (PII) or other sensitive data.
+
+By default, sensitive data masking is disabled. Enable it in `Config.toml`:
+
+```toml
+[ballerina.log]
+enableSensitiveDataMasking = true
+```
+
+Or configure it per logger:
+
+```ballerina
+log:Config secureConfig = {
+    enableSensitiveDataMasking: true
+};
+log:Logger secureLogger = log:fromConfig(secureConfig);
+```
+
+### Sensitive Data Annotation
+
+Use the `@log:Sensitive` annotation to mark fields in records as sensitive. When such fields are logged, their values will be excluded or masked:
+
+```ballerina
+import ballerina/log;
+
+type User record {
+    string id;
+    @log:Sensitive
+    string password;
+    string name;
+};
+
+public function main() {
+    User user = {id: "U001", password: "mypassword", name: "John Doe"};
+    log:printInfo("user details", user = user);
+}
+```
+
+Output (with masking enabled):
+
+```log
+time=2025-08-20T09:15:30.123+05:30 level=INFO module="" message="user details" user={"id":"U001","name":"John Doe"}
+```
+
+### Masking Strategies
+
+Configure masking strategies using the `strategy` field:
+
+```ballerina
+import ballerina/log;
+
+isolated function maskString(string input) returns string {
+    if input.length() <= 2 {
+        return "****";
+    }
+    return input.substring(0, 1) + "****" + input.substring(input.length() - 1);
+}
+
+type User record {
+    string id;
+    @log:Sensitive {
+        strategy: {
+            replacement: "****"
+        }   
+    }
+    string password;
+    @log:Sensitive {
+        strategy: {
+            replacement: maskString
+        }
+    }
+    string ssn;
+    string name;
+};
+```
+
+### Masked String Function
+
+Use `log:toMaskedString()` to get the masked version of a value for custom logging implementations:
+
+```ballerina
+User user = {id: "U001", password: "mypassword", name: "John Doe"};
+string maskedUser = log:toMaskedString(user);
+io:println(maskedUser); // {"id":"U001","name":"John Doe"}
+```
+
@@ -166,6 +166,10 @@ public enum FileWriteOption {
 #
 # + template - The raw template to be processed
 # + return - The processed string
+# 
+# # Deprecated
+# The `processTemplate` function is deprecated. Use `evaluateTemplate` instead.
+@deprecated
 public isolated function processTemplate(PrintableRawTemplate template) returns string {
     string[] templateStrings = template.strings;
     Value[] insertions = template.insertions;
@@ -183,8 +187,30 @@ public isolated function processTemplate(PrintableRawTemplate template) returns
     return result;
 }
 
-isolated function processMessage(string|PrintableRawTemplate msg) returns string =>
-    msg !is string ? processTemplate(msg) : msg;
+# Evaluates the raw template and returns the evaluated string.
+# 
+# + template - The raw template to be evaluated
+# + enableSensitiveDataMasking - Flag to indicate if sensitive data masking is enabled
+# + return - The evaluated string
+public isolated function evaluateTemplate(PrintableRawTemplate template, boolean enableSensitiveDataMasking = false) returns string {
+    string[] templateStrings = template.strings;
+    Value[] insertions = template.insertions;
+    string result = templateStrings[0];
+
+    foreach int i in 1 ..< templateStrings.length() {
+        Value insertion = insertions[i - 1];
+        string insertionStr = insertion is PrintableRawTemplate ?
+            evaluateTemplate(insertion, enableSensitiveDataMasking) :
+                insertion is Valuer ?
+                (enableSensitiveDataMasking ? toMaskedString(insertion()) : insertion().toString()) :
+                (enableSensitiveDataMasking ? toMaskedString(insertion) : insertion.toString());
+        result += insertionStr + templateStrings[i];
+    }
+    return result;
+}
+
+isolated function processMessage(string|PrintableRawTemplate msg, boolean enableSensitiveDataMasking) returns string =>
+    msg !is string ? evaluateTemplate(msg, enableSensitiveDataMasking) : msg;
 
 # Prints debug logs.
 # ```ballerina
@@ -349,7 +375,7 @@ isolated function fileWrite(string logOutput) {
     }
 }
 
-isolated function printLogFmt(LogRecord logRecord) returns string {
+isolated function printLogFmt(LogRecord logRecord, boolean enableSensitiveDataMasking = false) returns string {
     string message = "";
     foreach [string, anydata] [k, v] in logRecord.entries() {
         string value;
@@ -367,7 +393,8 @@ isolated function printLogFmt(LogRecord logRecord) returns string {
                 value = v.toBalString();
             }
             _ => {
-                value = v is string ? string `${escape(v.toString())}` : v.toString();
+                string strValue = enableSensitiveDataMasking ? toMaskedString(v) : v.toString();
+                value = v is string ? string `${escape(strValue)}` : strValue;
             }
         }
         if message == "" {

@@ -27,13 +27,16 @@ public type Config record {|
     readonly & OutputDestination[] destinations = destinations;
     # Additional key-value pairs to include in the log messages. Default is the key-values configured in the module level
     readonly & AnydataKeyValues keyValues = {...keyValues};
+    # Enable sensitive data masking. Default is the module level configuration
+    boolean enableSensitiveDataMasking = enableSensitiveDataMasking;
 |};
 
 type ConfigInternal record {|
     LogFormat format = format;
     Level level = level;
     readonly & OutputDestination[] destinations = destinations;
     readonly & KeyValues keyValues = {...keyValues};
+    boolean enableSensitiveDataMasking = enableSensitiveDataMasking;
 |};
 
 final RootLogger rootLogger;
@@ -59,7 +62,8 @@ public isolated function fromConfig(*Config config) returns Logger|Error {
         format: config.format,
         level: config.level,
         destinations: config.destinations,
-        keyValues: newKeyValues.cloneReadOnly()
+        keyValues: newKeyValues.cloneReadOnly(),
+        enableSensitiveDataMasking: config.enableSensitiveDataMasking
     };
     return new RootLogger(newConfig);
 }
@@ -71,12 +75,14 @@ isolated class RootLogger {
     private final Level level;
     private final readonly & OutputDestination[] destinations;
     private final readonly & KeyValues keyValues;
+    private final boolean enableSensitiveDataMasking;
 
     public isolated function init(Config|ConfigInternal config = <Config>{}) {
         self.format = config.format;
         self.level = config.level;
         self.destinations = config.destinations;
         self.keyValues = config.keyValues;
+        self.enableSensitiveDataMasking = config.enableSensitiveDataMasking;
     }
 
     public isolated function printDebug(string|PrintableRawTemplate msg, error? 'error, error:StackFrame[]? stackTrace, *KeyValues keyValues) {
@@ -108,7 +114,8 @@ isolated class RootLogger {
             format: self.format,
             level: self.level,
             destinations: self.destinations,
-            keyValues: newKeyValues.cloneReadOnly()
+            keyValues: newKeyValues.cloneReadOnly(),
+            enableSensitiveDataMasking: self.enableSensitiveDataMasking
         };
         return new RootLogger(config);
     }
@@ -121,7 +128,7 @@ isolated class RootLogger {
             time: getCurrentTime(),
             level: logLevel,
             module: moduleName,
-            message: processMessage(msg)
+            message: processMessage(msg, self.enableSensitiveDataMasking)
         };
         if err is error {
             logRecord.'error = getFullErrorDetails(err);
@@ -131,7 +138,8 @@ isolated class RootLogger {
                 select element.toString();
         }
         foreach [string, Value] [k, v] in keyValues.entries() {
-            logRecord[k] = v is Valuer ? v() : v is PrintableRawTemplate ? processMessage(v) : v;
+            logRecord[k] = v is Valuer ? v() : 
+                (v is PrintableRawTemplate ? evaluateTemplate(v, self.enableSensitiveDataMasking) : v);
         }
         if observe:isTracingEnabled() {
             map<string> spanContext = observe:getSpanContext();
@@ -140,10 +148,13 @@ isolated class RootLogger {
             }
         }
         foreach [string, Value] [k, v] in self.keyValues.entries() {
-            logRecord[k] = v is Valuer ? v() : v is PrintableRawTemplate ? processMessage(v) : v;
+            logRecord[k] = v is Valuer ? v() : 
+                (v is PrintableRawTemplate ? evaluateTemplate(v, self.enableSensitiveDataMasking) : v);
         }
 
-        string logOutput = self.format == JSON_FORMAT ? logRecord.toJsonString() : printLogFmt(logRecord);
+        string logOutput = self.format == JSON_FORMAT ?
+            (self.enableSensitiveDataMasking ? toMaskedString(logRecord) : logRecord.toJsonString()) :
+            printLogFmt(logRecord, self.enableSensitiveDataMasking);
 
         lock {
             if outputFilePath is string {