The New Relic Java agent and security

This is an overview of security considerations for the New Relic Java agent.

Overview

The New Relic Java agent monitors web transactions, collecting information about them and communicating that information to the New Relic website. The agent is packaged as a JSR 163 compliant "javaagent" and is activated by the JVM via modifications to the JVM launch. Once activated, the agent inserts itself into the class loading stream and instruments "interesting" class methods using byte code instrumentation (bci).

This technique allows the agent to insert software probes to measure the web application at key places. These places include request handlers like servlets, struts actions, and spring controllers, as well as remote system calls to databases and web services.

The agent also polls data from the JVM and from JMX. Every minute the agent posts its data to the New Relic website, where the owner of that data can sign in and use the data to see how their website is performing.

Environment

When the New Relic Java agent connects to the New Relic web service, it collects and sends information about your host environment. This information is primarily used by our support team. The agent collects:

  • The OS type and version
  • The version of Java
  • All system properties
  • The contents of the newrelic.yml file

Data types

The Java agent collects several different types of data.

Aggregate metrics

These are counters that track the number of times a "normalized" url request is made and it's average response time. For example, our software probe on a Spring controller URL might get called 1000 times a minute, in which case our aggregate metric would record 1000 as the call count and the sum of the response times for all 1000 calls. The amount of memory used for tracking an aggregate metric is fixed regardless of the number of calls. Aggregate metrics drive the time-series graphs on the New Relic website. We also create metrics for database tables.

Transaction traces

This is a complete snapshot of a single web request. They are collected only for slow requests. Only the slowest transaction trace per minute is sent to the New Relic website. Transaction traces include detailed information about the request, including (optionally) HTTP parameters and obfuscated SQL.

Error snapshots

These record uncaught exceptions that the application is propagating back to the web browser. They optionally contain the HTTP parameters of the request and also the exception that was unhandled. Part of the exception is a stack trace from the managed application.

Request parameter capture

Both transaction traces and error snapshots can optionally record HTTP parameters. Sometimes HTTP parameters contain sensitive information, such as a credit card number. The agent has a configuration option for collecting HTTP parameters but excluding certain named parameters.

Web applications can inject arbitrary data into transaction traces and error snapshots by calling an API in our agent. This can be helpful when troubleshooting slow requests or errors. For example, New Relic uses this feature for our own site to record the time window a user has set.

Thread profiler

The Thread Profiler samples Java threads and reports stack traces. This feature can be turned off in the newrelic.yml configuration file. There is no user data associated with thread profiles, just source code class and method information.

Impact to your application

The agent was designed to minimally impact your web application. All of the classes are in the newrelic package namespace so as not to collide with your own classes.

The agent uses the ASM bci engine to insert software probes, which New Relic has measured to impact the start time of the application by less than 10%. Application response times should see less than a 5% slowdown since our instrumentation is only at request handling and remote system call methods. Memory impact is also about 5%.

Security

Data is posted via http or https once a minute from the agent to the New Relic website. The message format is JSON. The website returns a JSON response to the agent letting it know if the data was correctly received or if there was an error. It is possible to use a standard HTTP proxy server between your DMZ and our site. We also have a mode in the agent where all communications are dumped to a log file (for auditing purposes).

Data for accounts are isolated so that users can only see the data for accounts they own (or have been given permission to see). New Relic has certain rights regarding our customers' data. For more information, see the Terms and Conditions on the New Relic website.

For more help

Additional documentation resources include:

If you need additional help, get support at support.newrelic.com.