APM agent security: .NET

The New Relic .NET agent default security settings automatically provide security for your APM data to ensure data privacy and to limit the kind of information New Relic receives. You may have business reasons to change these settings.

If you want to restrict the information that New Relic receives, you can enable high-security mode. If high-security mode or the default settings do not work for your business needs, you can apply custom settings.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Default security settings

By default, here is how the New Relic .NET agent handles the following potentially sensitive data:

Request parameters: The agent does not capture HTTP request parameters.
HTTPS: The agent communicates with New Relic using HTTPS.
SQL: The agent sets SQL recording to obfuscated, which removes the potentially sensitive numeric and string literal values.

High-security mode settings

When you enable high-security mode, the default settings are locked so that users cannot change them. In addition:

You cannot create custom events.
You cannot collect user attributes.
The agent strips exception messages.

Custom security settings

Caution

If you customize security settings, it may impact the security of your application.

If you need different security settings than default or high-security mode, you can customize these settings:

Setting	Effects on data security
`auditLog` boolean	Default: `false` Records all data sent to and received from New Relic in both an auditlog log file and the standard log file.
`highSecurity` boolean	Default: `false` To enable high-security mode, set this to `true` and enable high security in New Relic. This restricts the information you can send to New Relic.
`proxy.host` string	Default: (none) Some proxies default to using HTTP, which is a less secure protocol.
`attributes.enabled` boolean	Default: `true` By default, you are sending attributes to New Relic.
`attributes.exclude` string	Default: (none) If there are specific attribute keys that you do not want to send to New Relic in transaction traces, identify them using `attributes.exclude`. This restricts the information sent to New Relic. Consider if you want to exclude these potentially sensitive attributes using `attributes.exclude` or if you need the information sent to New Relic: `request.referer`: Removes the referer of the request. `request.uri`: Removes the path for the transaction's incoming request.
`recordSql` string	Default: `obfuscated` By default, `recordSql` is set to `obfuscated`, which strips out the numeric and string literals. If you do not want the agent to capture query information, set this to `off`. If you want the agent to capture all query information in its original form, set this to `raw`. When you enable high-security mode, this is automatically set to `obfuscated`.
`stripExceptionMessages` boolean	Default: `false` By default, this is set to `false`, which means that the agent sends messages from all exceptions to the New Relic collector. If you enable high-security mode, this is automatically changed to `true`, and the agent strips the messages from exceptions.
`customEvents.enabled` boolean	Default: `true` By default, the agent records events sent to the custom events API via `RecordCustomEvent()`. If you enable high-security mode, this is automatically set to `false`.

Setting

Effects on data security

auditLog

boolean

Default: false

Records all data sent to and received from New Relic in both an auditlog log file and the standard log file.

highSecurity

boolean

Default: false

To enable high-security mode, set this to true and enable high security in New Relic. This restricts the information you can send to New Relic.

proxy.host

string

Default: (none)

Some proxies default to using HTTP, which is a less secure protocol.

attributes.enabled

boolean

Default: true

By default, you are sending attributes to New Relic.

attributes.exclude

string

Default: (none)

If there are specific attribute keys that you do not want to send to New Relic in transaction traces, identify them using attributes.exclude. This restricts the information sent to New Relic.

Consider if you want to exclude these potentially sensitive attributes using attributes.exclude or if you need the information sent to New Relic:

request.referer: Removes the referer of the request.
request.uri: Removes the path for the transaction's incoming request.

recordSql

string

Default: obfuscated

By default, recordSql is set to obfuscated, which strips out the numeric and string literals.

If you do not want the agent to capture query information, set this to off.
If you want the agent to capture all query information in its original form, set this to raw.
When you enable high-security mode, this is automatically set to obfuscated.

stripExceptionMessages

boolean

Default: false

By default, this is set to false, which means that the agent sends messages from all exceptions to the New Relic collector. If you enable high-security mode, this is automatically changed to true, and the agent strips the messages from exceptions.

customEvents.enabled

boolean

Default: true

By default, the agent records events sent to the custom events API via RecordCustomEvent(). If you enable high-security mode, this is automatically set to false.

Default security settings .css-21sua1{background:none;border:none;width:0;padding:0;}

High-security mode settings

Custom security settings

Caution

Default security settings