Security options for transaction traces

Transaction tracing by its very nature captures information about specific actions taken on your site. While this information can be vital for tracking down performance issues, the process of collecting it also has security implications. To customize New Relic APM's Transaction Tracing feature for additional security, use any of the options described in this document.

Access to this feature depends on your subscription level.

Database queries and HTTP request attributes

Captured queries may contain sensitive information you do not want (or need) captured. This is why the Record SQL? value defaults to obfuscated. Obfuscation strips string literals and numeric sequences and replaces them with the ? character.

For example:

    select * from table where ssn='0115551212'

obfuscates to:

    select * from table where ssn=?

New Relic also captures HTTP request attributes in transaction traces to allow you to see more context for a trace.

HTTP request attributes

By default, both transaction traces and error snapshots do not record HTTP request attributes. This is because HTTP request attributes sometimes contain sensitive information. You can set HTTP request attributes and other attributes to various destinations.

Ruby: You can also use the following option in your newrelic.yml file:

    # Tells transaction tracer and error collector (when enabled) whether or not to capture HTTP params.
    # When true, the RoR filter_parameters mechanism is used so that sensitive parameters are not recorded
    capture_params: true

The Ruby agent respects the Rails filter_parameters mechanism used to hide sensitive attributes or parameters from log files. In earlier versions of Rails, the filter_parameters mechanism was called the filter_parameter_logging method.

Request attributes

If you want to insert custom data into the Custom attributes section of a transaction trace, make sure that Capture attributes? is turned on: From the New Relic APM menu bar, select Applications > (selected app) > Settings > Application > Request attributes. For more information, see Collecting custom attributes.

You can also control this by using the agent API. Here is an example in Ruby:

::NewRelic::Agent.add_custom_parameters(options = {})

In Ruby, option values are a hash of key/value pairs. In other agent APIs, attributes are typically recorded individually as a name/value pair. The keys and values are serialized to New Relic and must be classes that are available to New Relic, such as String, Fixnum, Float, etc.

For more information, see your agent's API documentation.

Obfuscation (Ruby)

In the Ruby agent API, you can use custom obfuscation to strip sensitive data from query statements when the default obfuscator is insufficient. You can also use it to obfuscate fewer details. Use the following Ruby agent API:

::NewRelic::Agent.set_sql_obfuscator(type, &block)

Values for type include:

  • :before (Run your obfuscation block before running the default obfuscation block.)
  • :after (Run your obfuscation block after running the default obfuscation block.)
  • :replace (Use your obfuscation block in place of the default obfuscator.)

The obfuscation blocks take a single attribute, which is a String query, and they return a String query.
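The following added example (not New Relic's own code) shows how the three type values change what ends up in a recorded query. DEFAULT_OBFUSCATOR is a simplified stand-in for the default behavior described on this page, and STRIP_COMMENTS, obfuscate, and the sample query are hypothetical names and data constructed for illustration.

```ruby
# Simplified stand-in for the default obfuscation described on this page:
# string literals and numeric sequences become "?". Not the agent's own code.
DEFAULT_OBFUSCATOR = lambda do |sql|
  without_literals = sql.gsub(/'(?:[^']|'')*'/, '?') # '' is an escaped quote
  without_literals.gsub(/\b\d+(?:\.\d+)?\b/, '?')
end

# Custom obfuscation block: takes a String query, returns a String query.
# It removes SQL comments, which literal stripping leaves untouched and which
# can carry user or request details added by an ORM or a developer.
STRIP_COMMENTS = lambda do |sql|
  sql.gsub(%r{/\*.*?\*/}m, '').gsub(/--[^\n]*/, '').squeeze(' ').strip
end

# Applies the blocks in the order each type value describes.
def obfuscate(sql, type = nil, custom = nil)
  case type
  when :before  then DEFAULT_OBFUSCATOR.call(custom.call(sql))
  when :after   then custom.call(DEFAULT_OBFUSCATOR.call(sql))
  when :replace then custom.call(sql) # default protection is no longer applied
  else DEFAULT_OBFUSCATOR.call(sql)
  end
end

# Constructed sample query.
SAMPLE = "select * from orders /* requested_by=alice@example.com */ " \
         "where ssn='0115551212' and qty > 3"

if __FILE__ == $PROGRAM_NAME
  puts "default : #{obfuscate(SAMPLE)}"
  puts ":after  : #{obfuscate(SAMPLE, :after, STRIP_COMMENTS)}"
  puts ":replace: #{obfuscate(SAMPLE, :replace, STRIP_COMMENTS)}"
end

# With the agent loaded, the same block is registered through the API above.
if defined?(::NewRelic::Agent)
  ::NewRelic::Agent.set_sql_obfuscator(:after) { |sql| STRIP_COMMENTS.call(sql) }
end
```

Note that with :replace the custom block alone is responsible for every literal in the query, so the SSN in the sample survives unless the block also strips it.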

Query collection blocks (Ruby)

In the Ruby agent API, use the following to disable all query collection in a block:

::NewRelic::Agent.disable_sql_recording do
  # Queries issued inside this block are not recorded.
end
