New Relic's default APM agent settings provide a high level of security. However, you may need to guarantee that even if the default APM agent settings are overridden to be more permissive, no sensitive data will ever be sent to New Relic. If this is the case, then you will want to turn on APM's high security mode (also known as enterprise security mode).
For more information about our security measures, see our security and privacy documentation, or visit the New Relic security website.
Requirements
Requires Enterprise edition.
Have questions about access to this feature? Talk to your New Relic account representative.
Account level
If you choose to turn on high security, you must enable high security for all applications reporting to the account. High security must be set on each individual account. For organizations that have a parent/child account structure, child accounts don't automatically inherit the high security setting when enabled on the parent account.
Currently there are two versions of high security mode. Version 1 is deprecated and is only available if you already have it. If you are enabling high security mode for the first time, the only option is version 2 (v2).
Agent | Version 2 support |
---|---|
All versions | |
3.7 or higher | |
3.3 or higher | |
1.7.0 or higher | |
4.9 or higher | |
2.22.0.0 or higher | |
3.9.1 or higher |
Enable high security mode (version 2)
To enable high security, you must update both the local configuration on your server and the remote configuration in the UI.
Caution
Once you enable high security for an account, high security cannot be turned off without assistance from New Relic Support.
Setting location | Description |
---|---|
Set in UI |
|
Local, via agent | Enable high security mode in your agent configuration file. High security mode is disabled by default, and the exact procedure to enable it varies by agent: |
Results of enabling high security mode (version 2)
Once enabled, high security mode (v2) ensures the following for your account:
Feature | Comments |
---|---|
Requires agents to use a secure connection (HTTPS) | High security mode requires a secure (HTTPS) connection. Non-secure connection attempts will be rejected. The latest versions of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure that all data in transit is encrypted as per the latest industry standards. |
Prevents HTTP param capture | High security mode does not allow HTTP params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send HTTP params locally or through server-side configuration, high security mode will override the configuration to never capture HTTP params. |
Prevents message queue param capture | High security mode does not allow message queue params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send message queue params locally or through server-side configuration, then high security mode will override the configuration to never capture message queue params. |
Prevents raw query statement capture | High security mode does not allow raw database query statements, which may contain sensitive customer data, to be captured. If the agent is configured to capture raw queries locally or through server-side configuration, then high security mode will override the configuration to never capture raw queries. |
Prevents user attribute capture | High security mode does not allow attributes set using each agent's API to be captured, as these may contain sensitive customer data. For example, in the Java agent, attributes passed in through the following
|
Prevents | High security mode does not allow attributes set using each agent's For example, in the Java agent, attributes passed in through the following
|
Prevents custom events | High security mode does not allow custom events to be created using the agent API, as these may contain sensitive customer data. For example, in the .NET agent, the API call |
Prevents in-agent log event forwarding | High security mode does not allow log events to be forwarded to APM using the |
Prevents deploying Custom Instrumentation via CIE | High security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high security mode enabled, you must export the instrumentation and manually import it to your app server. |
Results of enabling high security mode v1 (deprecated)
High security mode version 1 is deprecated and only available if you enabled it prior to version 2 being available. High security mode version 1 ensures the following for your account:
Feature | Comments |
---|---|
Requires agents to use a secure connection (HTTPS) | High security mode requires an encrypted connection (HTTPS). Non-secure connection attempts will be rejected. The latest versions of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure that all data in transit is encrypted as per the latest industry standards. |
Prevents HTTP param capture | Agents configured to capture HTTP params, which may contain sensitive customer data, are not allowed to connect to New Relic. If the local configuration is set to capture request parameters, then New Relic's collector will reject the connection, and the agent will shut down. |
Prevents raw query statement capture | Agents configured to capture raw database query statements, which may contain sensitive customer data, are not allowed to connect to New Relic. If the agent is configured to capture raw queries locally or through server-side configuration, New Relic's collector will reject the connection and the agent will shut down. |
Prevents deploying Custom Instrumentation via CIE | High security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high security mode enabled, you must export the instrumentation and manually import it to your app server. |
Migrate from version 1 to version 2
These are the main differences between the two versions of high security:
- To make high security more secure, version 2 requires it to be enabled both in the New Relic user interface and in the local New Relic configuration file. High security v1 only required it to be set in the New Relic UI.
- User attributes, `noticeError` attributes, and message queue parameters are turned off with high security in version 2, but not in version 1.
To update from v1 to v2, add `high_security: true` to your local agent configuration file.
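Before migrating, it helps to confirm that every local configuration file actually carries the setting, since version 2 needs it locally as well as in the UI. The following is an added example, not New Relic code: it assumes a YAML-style agent configuration file in which `high_security` may appear under named sections, and the section names and sample file are constructed for illustration. It checks only the local half of the requirement.

```python
import re

# Uncommented `high_security:` key at any indentation; a trailing comment is ignored.
KEY = re.compile(r"^(\s*)high_security\s*:\s*(.*?)\s*(?:#.*)?$")
# Unindented `name:` line, treated here as the start of a named section.
SECTION = re.compile(r"^([A-Za-z_][\w-]*)\s*:")

def audit_high_security(text):
    """Map each section that sets high_security to True/False (assumed YAML-style layout)."""
    findings, section = {}, "<top-level>"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or commented-out setting: does not count
        key = KEY.match(line)
        if key:
            owner = section if key.group(1) else "<top-level>"
            # Only the literal value `true` (optionally quoted) counts as enabled.
            findings[owner] = key.group(2).strip("'\"").lower() == "true"
        elif SECTION.match(line):
            section = SECTION.match(line).group(1)
    return findings

def failing_sections(text):
    """Sections that explicitly disable the setting; ['<missing>'] if it is never set."""
    findings = audit_high_security(text)
    if not findings:
        return ["<missing>"]
    return sorted(name for name, enabled in findings.items() if not enabled)

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
common: &default_settings
  license_key: '<placeholder>'
  # high_security: true
  high_security: true

development:
  <<: *default_settings
  high_security: false   # local override

production:
  <<: *default_settings
"""

if __name__ == "__main__":
    print(audit_high_security(SAMPLE))
    print(failing_sections(SAMPLE))
```

A commented-out `high_security: true` is reported as missing, and a per-section override back to `false` is reported by section name, which are the two cases a plain text search for the key tends to miss.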