v.25.4Improvement

Query masking rules are now able

Published: November 25, 2025

Query masking rules are now able to throw a LOGICAL_ERROR in case if the match happened. This will help to check if pre-defined password is leaking anywhere in logs. #78094 (Nikita Mikhaylov).

Query masking rules can now trigger a LOGICAL_ERROR when a rule match occurs, enabling detection of sensitive data leaks such as pre-defined passwords in logs.

Why it matters

This feature helps users identify if sensitive information, like passwords, accidentally appears in query logs by causing a logical error when matching masking rules are triggered. It enhances security by allowing proactive detection of data leaks in logs.

How to use it

Users can configure query masking rules to throw a LOGICAL_ERROR upon a match by setting the appropriate behavior in their masking rule definitions. When a matching query is detected, ClickHouse will raise an error, alerting users to the presence of sensitive data.

Related resources

Pull Request #78094