APM agent data security

The APM agent that you installed receives data from your applications. The agent retains the data based on your pricing tier.

New Relic's default security settings automatically work to ensure data privacy and to limit the kind of information New Relic receives. You can also change these settings.

Disclosure and audit

Our APM agent is a publicly accessible plugin for web applications. The agent does not do any dynamic code generation while communicating with your app, so using the agent will not introduce any code into your application without your knowledge.

Most of our agents are open source, so you can see what our code does:

Data collection

Using a JSON message format, data the agent receives from your app is posted once a minute to the New Relic user interface. The website returns a JSON response to the agent, indicating if the data was correctly received or if there was an error.

New Relic collects the following aggregate metric data:

  • Database activity
  • External web service calls
  • Controller and dispatch activity
  • View activity
  • Uncaught exceptions and counts
  • Process memory and CPU usage

This aggregate metric data summarizes calls to specific methods in your application: how many times each one was called and various response time statistics (average, minimum, maximum, and standard deviation). In New Relic, you will see the class and method names along with their aggregate numbers.

New Relic optionally collects:

  • Uncaught errors: New Relic captures the error as well as a runtime stack trace of the offending code.
  • Transaction traces: These are snapshots of a single transaction. As an option, the agent can also collect the query statements called within the transaction. The default collection uses obfuscation to hide any strings or numbers from the query. For transactions slower than a threshold you set, New Relic also collects data from SQL EXPLAIN. For database calls slower than a configured threshold, New Relic optionally collects runtime stack traces, which are helpful to pinpoint where in the code a database call is made.
  • Custom parameters: You can add custom parameters to your application code and record them with transaction traces to provide additional context while you are examining profiling information.

Optional: For both errors and transaction traces, the HTTP request parameters can also be recorded.
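
To show what hiding strings and numbers in a collected query looks like, here is a small obfuscator. It is an added illustration, not New Relic's agent code; the function name, the regular expression, and the sample queries are constructed for this example.

```python
import re

# Literals are matched in one left-to-right pass, so digits inside a quoted
# string are consumed with the string and never handled separately.
_LITERAL = re.compile(
    r"""
      '(?:[^'\\]|\\.|'')*'      # single-quoted string; \' and '' are escapes
    | "(?:[^"\\]|\\.|"")*"      # double-quoted string (a literal in some dialects)
    | (?<![\w.])                # a number must not be part of an identifier
      (?:0[xX][0-9a-fA-F]+|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
      (?![\w.])
    """,
    re.VERBOSE,
)


def obfuscate_sql(query: str) -> str:
    """Replace string and numeric literals with '?' (hypothetical helper)."""
    masked = _LITERAL.sub("?", query)
    # Fail closed: a leftover quote means a literal was not fully matched
    # (for example an unbalanced quote), so part of a value could still be
    # visible. Drop the whole statement rather than send it.
    if "'" in masked or '"' in masked:
        return "?"
    return masked


if __name__ == "__main__":
    # Constructed sample queries.
    samples = [
        "SELECT * FROM users WHERE email = 'a@example.com' AND age > 42",
        "SELECT name FROM table1 WHERE note = 'it''s 5 o''clock' LIMIT 10",
        "UPDATE accounts SET balance = balance - 19.99 WHERE id = 0x1F",
        "SELECT * FROM t WHERE name = 'O'Brien'",
    ]
    for q in samples:
        print(obfuscate_sql(q))
```

Identifiers such as table1 keep their digits, and the last sample collapses to a single ? because its quotes do not balance.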

Security settings

If you want to restrict the information that New Relic receives, you can enable high security mode. If high security mode or the default settings do not work for your business needs, you can apply custom settings.

Default security settings

Depending on the agent, the default settings provide security for request parameters, HTTPS usage, and SQL:

High security mode

When the agent is in high security mode, default settings are locked so that users cannot change them.

In addition, high security mode applies restrictions to custom events, custom instrumentation, user attributes, exception messages, or message queue parameters, depending on the agent:

Custom security settings

If you want custom security settings, you can customize the configuration file, change custom attribute settings, or use the API, depending on your agent:

Data received by New Relic

This information applies to all APM agents no matter what security settings you have applied.

Other data that New Relic receives is specific to the security settings for each agent.

  • APM agent language version: Captured
  • OS type and version: Captured
  • System properties: Captured
  • Average response time of transactions in your app: Captured
  • URL hits: Captured
  • Client IP address: Not captured

TLS and SSL

Our preferred protocol for all domains is TLS 1.2. APM agents enable SSL by default. To verify which release includes SSL by default and to ensure that you have the most up-to-date version, refer to your agent's release notes:

The configuration file also includes an optional flag (ssl) to enable or disable SSL using HTTPS. New Relic does not do host authentication with HTTPS, just communication encryption.

Exception: You cannot disable SSL for the C SDK. The C SDK daemon can only connect with SSL.

New Relic requires HTTPS for all traffic to APM and the REST API. This includes both inbound and outbound traffic. If your REST API call uses HTTP, or if you have disabled SSL in your configuration file, change your script or program to HTTPS.
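
A check like the following can confirm that an agent configuration file still matches the settings described on this page: HTTPS enabled, SQL obfuscated, request parameters not recorded, and high security mode on. It is an added example, not New Relic code; the key names are modelled on the Python agent's newrelic.ini and are assumptions to verify against your agent's configuration documentation, and the sample file is constructed.

```python
import configparser

# Constructed sample in the style of the Python agent's newrelic.ini.
SAMPLE_INI = """
[newrelic]
app_name = billing-api
high_security = false
ssl = false
transaction_tracer.record_sql = raw
capture_params = true
"""


def audit_agent_config(ini_text, section="newrelic"):
    """Return a list of findings; an empty list means nothing was flagged."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section(section):
        return [f"no [{section}] section found"]
    cfg = parser[section]
    findings = []

    # SSL is on by default, so only an explicit 'false' is a problem.
    if not cfg.getboolean("ssl", fallback=True):
        findings.append("ssl is disabled: New Relic requires HTTPS for all traffic")

    # Default collection obfuscates query literals; 'raw' sends them as-is.
    record_sql = cfg.get("transaction_tracer.record_sql", fallback="obfuscated")
    if record_sql.strip().lower() not in ("obfuscated", "off"):
        findings.append(f"record_sql is '{record_sql}': query literals are not obfuscated")

    # Request parameters are optional data and can carry user input.
    if cfg.getboolean("capture_params", fallback=False):
        findings.append("capture_params is enabled: HTTP request parameters are recorded")

    # Without high security mode the settings above can be changed by users.
    if not cfg.getboolean("high_security", fallback=False):
        findings.append("high_security is off: default settings are not locked")
    return findings


if __name__ == "__main__":
    for finding in audit_agent_config(SAMPLE_INI):
        print("FINDING:", finding)
```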

Data transmission

Under Java, .NET and PHP, New Relic uses JSON to serialize data. The Ruby agent uses either Ruby marshaling or JSON serialization to send data to New Relic, depending on whether a native JSON encoder is available under the Ruby version the agent is running on.

For required changes when you want to create firewall rules to allow the agent to communicate, see Networks. For more information about security measures for your data in transit to New Relic or at rest in our storage, see Data encryption.

Proxies

Optional settings are available so that you can configure the agent to communicate through a proxy. To define proxy settings for host, port, domain, user, or password, refer to your agent's configuration file documentation:

  • C SDK: -proxy at daemon startup
  • Go: transport
  • Java: Use proxy settings, including:
  • .NET: proxy element
  • Node.js: proxy
  • PHP: newrelic.daemon.proxy or the daemon's proxy setting
  • Python: proxy settings
  • Ruby: Use proxy settings, including:
