cockroachdb · arjunmahishi · Feb 5, 2026
diff --git a/pkg/cli/cliflags/flags.go b/pkg/cli/cliflags/flags.go
@@ -1724,6 +1724,15 @@ necessary to support CockroachDB.
 `,
 	}
 
+	ZipRedactLocally = FlagInfo{
+		Name: "redact-locally",
+		Description: `
+Redact log files client-side instead of server-side.
+When set, logs are fetched unredacted and redacted locally before
+being written to the zip file.
+`,
+	}
+
 	ZipIncludeRangeInfo = FlagInfo{
 		Name: "include-range-info",
 		Description: `

@@ -354,6 +354,11 @@ type zipContext struct {
 	// range key data, which is necessary to support CockroachDB.
 	redact bool
 
+	// redactLocally indicates whether log redaction should happen client-side
+	// instead of server-side. This can help avoid memory issues on the server
+	// when processing large log files.
+	redactLocally bool
+
 	// Duration (in seconds) to run CPU profile for.
 	cpuProfDuration time.Duration
 
@@ -389,6 +394,7 @@ func setZipContextDefaults() {
 	zipCtx.files = fileSelection{}
 	zipCtx.redactLogs = false
 	zipCtx.redact = false
+	zipCtx.redactLocally = false
 	// Even though it makes debug.zip heavyweight, range infos are often the best source
 	// of information for range-level issues and so they are opt-out, not opt-in.
 	zipCtx.includeRangeInfo = true

@@ -699,6 +699,7 @@ func init() {
 		cliflagcfg.BoolFlag(f, &zipCtx.redactLogs, cliflags.ZipRedactLogs)
 		_ = f.MarkDeprecated(cliflags.ZipRedactLogs.Name, "use --"+cliflags.ZipRedact.Name+" instead")
 		cliflagcfg.BoolFlag(f, &zipCtx.redact, cliflags.ZipRedact)
+		cliflagcfg.BoolFlag(f, &zipCtx.redactLocally, cliflags.ZipRedactLocally)
 		cliflagcfg.DurationFlag(f, &zipCtx.cpuProfDuration, cliflags.ZipCPUProfileDuration)
 		cliflagcfg.IntFlag(f, &zipCtx.concurrency, cliflags.ZipConcurrency)
 		cliflagcfg.BoolFlag(f, &zipCtx.includeRangeInfo, cliflags.ZipIncludeRangeInfo)

@@ -85,7 +85,7 @@ func (zc *debugZipContext) collectClusterData(
 
 	queryAndDumpTables := func(reg DebugZipTableRegistry) error {
 		for _, table := range reg.GetTables() {
-			query, err := reg.QueryForTable(table, zipCtx.redact)
+			query, err := reg.QueryForTable(table, zipCtx.redact || zipCtx.redactLocally)
 			if err != nil {
 				return err
 			}

@@ -291,7 +291,7 @@ func (zc *debugZipContext) collectPerNodeData(
 	nodePrinter.info("using SQL connection URL: %s", curSQLConn.GetURL())
 
 	for _, table := range zipInternalTablesPerNode.GetTables() {
-		query, err := zipInternalTablesPerNode.QueryForTable(table, zipCtx.redact)
+		query, err := zipInternalTablesPerNode.QueryForTable(table, zipCtx.redact || zipCtx.redactLocally)
 		if err != nil {
 			return err
 		}
@@ -423,7 +423,7 @@ func (zc *debugZipContext) collectPerNodeData(
 					var err error
 					entries, err = zc.status.LogFile(
 						ctx, &serverpb.LogFileRequest{
-							NodeId: id, File: file.Name, Redact: zipCtx.redact,
+							NodeId: id, File: file.Name, Redact: zipCtx.redact && !zipCtx.redactLocally,
 						})
 					return err
 				}); requestErr != nil {
@@ -463,11 +463,15 @@ func (zc *debugZipContext) collectPerNodeData(
 					// most conservative way possible. (It's not great that
 					// possibly confidential data flew over the network, but
 					// at least it stops here.)
-					if zipCtx.redact && !e.Redactable {
+					if zipCtx.redact && !zipCtx.redactLocally && !e.Redactable {
 						e.Message = "REDACTEDBYZIP"
 						// We're also going to print a warning at the end.
 						warnRedactLeak = true
 					}
+					// Client-side redaction when --redact-locally is set.
+					if zipCtx.redactLocally {
+						log.RedactEntry(&e, log.WithoutSensitiveData)
+					}
 					if err := log.FormatLegacyEntry(e, logOut); err != nil {
 						return err
 					}

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/util/encoding/encodingtype"
+	"github.com/cockroachdb/cockroach/pkg/util/log/logpb"
 	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/redact"
 )
@@ -133,6 +134,32 @@ func maybeRedactEntry(payload entryPayload, editor redactEditor) (res entryPaylo
 	return res
 }
 
+// RedactEntry applies redaction to a logpb.Entry in-place based on the given edit mode.
+// This is useful for client-side redaction of log entries received from a server.
+func RedactEntry(e *logpb.Entry, editMode EditSensitiveData) {
+	editor := getEditor(editMode)
+
+	// Redact the message.
+	msgPkg := redactablePackage{
+		msg:        []byte(e.Message),
+		redactable: e.Redactable,
+	}
+	msgPkg = editor(msgPkg)
+	e.Message = string(msgPkg.msg)
+
+	// Redact the tags.
+	if len(e.Tags) > 0 {
+		tagsPkg := redactablePackage{
+			msg:        []byte(e.Tags),
+			redactable: e.Redactable,
+		}
+		tagsPkg = editor(tagsPkg)
+		e.Tags = string(tagsPkg.msg)
+	}
+
+	e.Redactable = msgPkg.redactable
+}
+
 func init() {
 	// We consider booleans and numeric values to be always safe for
 	// reporting. A log call can opt out by using redact.Unsafe() around