Security options for transaction traces

Transaction tracing by its very nature captures information about specific actions taken on your site. While this information can be vital for tracking down performance issues, collecting it also has security implications: SQL literals, request parameters and custom attributes can all carry personal or secret data. To harden New Relic APM's transaction tracing, use any of the options described in this document.

SQL queries and HTTP request attributes

The SQL queries captured may contain sensitive information you do not want (or need) captured. This is why the Record SQL? value defaults to "obfuscated." Obfuscation strips string literals and numeric sequences and replaces them with the ? character. For example:

select * from table where ssn='0115551212'

Obfuscates to

select * from table where ssn=?

New Relic also captures HTTP request attributes in transaction traces to allow you to see more context for a trace.

HTTP request attributes

By default, neither transaction traces nor error snapshots record HTTP request attributes, because request attributes sometimes contain sensitive information (passwords, tokens, identifiers).

To enable the collection of HTTP attributes in transaction traces and error snapshots, make sure that Capture attributes? is turned on: From the New Relic APM menu bar, select Applications > (selected app) > Settings > Application > Request attributes. For more information, see Collecting custom attributes.

Ruby: You can also use the following option in your newrelic.yml file:

    # Tells transaction tracer and error collector (when enabled) whether or not to capture HTTP params.
    # When true, the RoR filter_parameters mechanism is used so that sensitive parameters are not recorded
    capture_params: true

As the comment notes, the Ruby agent respects the Rails filter_parameters mechanism used to hide sensitive parameters from log files, so a parameter that Rails filters from its logs is also filtered before it reaches a trace or error snapshot. In earlier versions of Rails, the filter_parameters mechanism was called the filter_parameter_logging method. Before turning capture_params on, check that your filter list actually covers every sensitive parameter name your application accepts; anything not on it will be captured verbatim.
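To show what capture_params: true hands to a trace once Rails' parameter filter has run, here is an added example (not New Relic's or Rails' own code). It models the filter_parameters behaviour described above in plain Ruby so it runs without Rails: the filter names are matched as case-insensitive substrings of each parameter key, which is how ActiveSupport::ParameterFilter matches, and nested hashes and arrays are walked. The request hash and the filter list are constructed for the example. The stand-in is simplified and is not the real Rails implementation.

```ruby
# Added example (not New Relic's or Rails' code): a simplified model of
# ActiveSupport::ParameterFilter, used to show which request parameters a
# capture_params: true agent would still see after Rails filtering.

FILTERED = '[FILTERED]'.freeze

# Rails compiles the filter_parameters names into one case-insensitive
# regexp and tests it against each key, so matching is by substring:
# :ssn matches "user_ssn" but not "social_security_number".
def build_filter(names)
  return /(?!)/ if names.empty? # never match rather than match everything
  Regexp.new(names.map { |n| Regexp.escape(n.to_s) }.join('|'), Regexp::IGNORECASE)
end

# Recursively replace values whose key matches; nested hashes and arrays
# are walked so params[:user][:password] is filtered too.
def filter_params(params, matcher)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s =~ matcher ? FILTERED : filter_params(value, matcher)
    end
  when Array
    params.map { |value| filter_params(value, matcher) }
  else
    params
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the filter list a typical Rails app ships with.
  matcher = build_filter(%i[password ssn token])
  request = {
    'user' => { 'email' => 'alice@example.com', 'password' => 'hunter2', 'ssn' => '0115551212' },
    'api_token' => 'abc123',
    'social_security_number' => '0115551212' # NOT covered by the filter list
  }
  p filter_params(request, matcher)
end
```

The last key in the sample is the point: social_security_number survives filtering because no configured name is a substring of it, so it would be captured in the trace. Audit the filter list against the parameter names your controllers actually accept before enabling capture_params.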

Custom attributes

If you want to insert custom data into the Custom attributes section of a transaction trace, make sure that Capture attributes? is turned on: From the New Relic APM menu bar, select Applications > (selected app) > Settings > Application > Request attributes. For more information, see Collecting custom attributes.

You can also control this by using the agent API. Here is an example in Ruby:

::NewRelic::Agent.add_custom_parameters(options = {})

In Ruby, options is a hash of key/value pairs. In other agent APIs, attributes typically are recorded individually as a name/value pair. The keys and values are serialized and sent to New Relic and must be classes that New Relic can represent, such as String, Fixnum, Float, etc. Treat anything you add here as data that leaves your environment: do not attach secrets, credentials or personal identifiers as custom attributes.

For more information, see your agent's API documentation.

Obfuscation (Ruby)

In the Ruby agent API, you can use custom obfuscation to strip sensitive data from SQL statements when the default obfuscator is insufficient. You can also use it to obfuscate fewer details. Use the following Ruby agent API:

::NewRelic::Agent.set_sql_obfuscator(type, &block)

Values for type include:

  • :before (Run your obfuscation block before running the default obfuscation block.)
  • :after (Run your obfuscation block after running the default obfuscation block.)
  • :replace (Use your obfuscation block in place of the default obfuscator.)

The obfuscation blocks take a single argument, which is a String SQL query, and they return a String SQL query.
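One case where the default obfuscator is insufficient: it strips string literals and numeric sequences, but a SQL comment is neither, and applications frequently append request context (a user id, an e-mail address, a ticket reference) to queries as a comment for DBA tracing. The following added example (not New Relic's code) registers a :before block that removes comments so that context never reaches the trace. The set_sql_obfuscator call is guarded with defined? so the file also runs stand-alone; default_like_obfuscate is a constructed stand-in that mirrors the behaviour described above only so the whole pipeline can be exercised here, and it is not the agent's implementation. The sample query is constructed.

```ruby
# Added example (not New Relic's code): a custom SQL obfuscation block that
# runs before the agent's default obfuscator and strips SQL comments.

# Block comments (/* ... */, possibly spanning lines) and line comments (-- ...).
COMMENT_PATTERN = %r{/\*.*?\*/|--[^\r\n]*}m

# Takes a String SQL query and returns a String SQL query, as every
# obfuscation block must. Whitespace is collapsed so the result stays a
# single normalized line.
def strip_sql_comments(sql)
  sql.gsub(COMMENT_PATTERN, '').gsub(/\s+/, ' ').strip
end

# Constructed stand-in for the default obfuscator (NOT the agent's code):
# replaces single-quoted string literals and runs of digits with ?.
def default_like_obfuscate(sql)
  sql.gsub(/'(?:[^']|'')*'/, '?').gsub(/\b\d+\b/, '?')
end

# What the trace would record with the :before block in place.
def obfuscate_pipeline(sql)
  default_like_obfuscate(strip_sql_comments(sql))
end

# Register with the agent when it is loaded (assumes newrelic_rpm is required
# by the application); skipped when this file runs on its own.
if defined?(::NewRelic::Agent)
  ::NewRelic::Agent.set_sql_obfuscator(:before) { |sql| strip_sql_comments(sql) }
end

if __FILE__ == $PROGRAM_NAME
  sample = "select * from users where ssn='0115551212' " \
           "/* requested_by=alice@example.com */ -- ticket 4471"
  puts obfuscate_pipeline(sample)
end
```

Without the block, the default obfuscator would leave requested_by=alice@example.com in the recorded query. Use :after instead when your block needs to see the already-obfuscated form (for example to collapse long IN (?, ?, ?) lists), and :replace only if you are prepared to handle every literal form the default covers.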

SQL collection blocks (Ruby)

In the Ruby agent API, use the following to disable all SQL collection in a block:

::NewRelic::Agent.disable_sql_recording do
  ...
end

For more help

If you need additional help, get support at support.newrelic.com.