Hacker News
SIEM logging plain text secrets from workstations? Is this normal? (reddit.com)
2 points by redman25 on Aug 20, 2024 | 1 comment


I was surprised by how many "that's OK" answers this got. All known secrets should be either masked or tokenized, which means replacing them with either asterisks or an irreversible hash of the original value.

It's a security bug if one cannot configure the masking or tokenization process. One should be able to specify the names of sensitive variables and regular expressions for known dangerous-to-log strings.
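
The configurable masking and tokenization described in the comment above, as an added example that is not part of the comment or of any SIEM product: a Python logging filter driven by a list of sensitive variable names and regular expressions. The key names, patterns, `TOKEN_KEY` and the use of HMAC-SHA256 as the tokenization hash are assumptions of this example.

```python
import hashlib
import hmac
import logging
import re

# Assumed configuration: names and patterns are illustrative, not from any SIEM product.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key"}
DANGEROUS_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                 # AWS access key ID shape
    re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]+=*"),    # HTTP bearer credential
]
TOKEN_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice

# key=value or key: value, with optionally quoted values
KV_RE = re.compile(r"""(?P<key>[A-Za-z_][\w.-]*)(?P<sep>\s*[=:]\s*)(?P<val>"[^"]*"|'[^']*'|\S+)""")


def tokenize(value: str) -> str:
    """Keyed hash: equal secrets still correlate across events, but a weak secret
    cannot be guessed offline without TOKEN_KEY (with a plain hash it could)."""
    return "tok:" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact(line: str, mode: str = "mask") -> str:
    """Mask or tokenize values of sensitive keys and any dangerous-pattern match."""
    replace = tokenize if mode == "token" else (lambda _value: "********")

    def kv(match: re.Match) -> str:
        if match.group("key").lower() not in SENSITIVE_KEYS:
            return match.group(0)
        return match.group("key") + match.group("sep") + replace(match.group("val").strip("\"'"))

    line = KV_RE.sub(kv, line)
    for pattern in DANGEROUS_PATTERNS:
        line = pattern.sub(lambda m: replace(m.group(0)), line)
    return line


class RedactingFilter(logging.Filter):
    """Attach to a handler so records are redacted before they leave the host."""

    def __init__(self, mode: str = "mask"):
        super().__init__()
        self.mode = mode

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self.mode)  # format first, then redact
        record.args = ()
        return True
```

Attach the filter with `handler.addFilter(RedactingFilter())` on the handler that forwards to the collector, so arguments interpolated into the message are covered as well.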



