Security options for transaction traces

Transaction tracing by its very nature captures information about specific actions taken on your site. While this information can be vital for tracking down performance issues, the process of collecting it also has security implications. To customize the Transaction Tracing feature for additional security, use any of the options described in this document.

SQL queries and HTTP request parameters

The SQL queries captured may contain sensitive information you do not want (or need) captured. This is why the Record SQL? value defaults to "obfuscated." Obfuscation strips string literals and numeric sequences and replaces them with the ? character. For example:

select * from table where ssn='0115551212'

obfuscates to

select * from table where ssn=?

New Relic also captures HTTP request parameters in transaction traces to allow you to see more context for a trace. Because HTTP request parameters may contain sensitive information, you can use the ActionController filter_parameter_logging method to prevent sensitive parameters from being captured by Transaction Traces. (This is the same mechanism Rails uses to hide sensitive parameters from log files.)

HTTP parameters

By default, both transaction traces and error snapshots do not record HTTP request parameters. This is because HTTP request parameters sometimes contain sensitive information. To enable the collection of HTTP parameters in transaction traces and error snapshots, make sure that Capture Parameters is turned on: From the New Relic menu bar, select Applications > (selected app) > Settings > Application > Request Parameters.

Note: You may also use the following option in your newrelic.yml file:

    # Tells transaction tracer and error collector (when enabled) whether or not to capture HTTP params.
    # When true, the RoR filter_parameters mechanism is used so that sensitive parameters are not recorded
    capture_params: true
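The filtering mechanism referred to above is what keeps sensitive request parameters out of traces once capture_params is on. As an added example (not Rails' filter_parameters implementation and not the New Relic agent's code), the following Ruby shows the same idea in a stand-alone form: a deny list of key fragments is matched case-insensitively against every key in a (possibly nested) parameter hash, and each matching value is replaced with "[FILTERED]" before the hash is handed to any tracing call. The sample parameters and the deny list are constructed for illustration.

```ruby
# Added example of a filter_parameters-style scrubber (not the agent's own code).
# Keys are matched case-insensitively by substring; nested hashes and arrays are
# walked; matched values are replaced so the original never reaches a trace.
FILTERED = '[FILTERED]'.freeze

# params: request parameters (Hash); sensitive_keys: fragments such as "password".
# Returns a new, scrubbed structure and leaves the input untouched.
def filter_params(params, sensitive_keys)
  patterns = sensitive_keys.map { |k| k.to_s.downcase }
  filter_value(params, patterns)
end

def filter_value(value, patterns)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      key = k.to_s.downcase
      out[k] = patterns.any? { |p| key.include?(p) } ? FILTERED : filter_value(v, patterns)
    end
  when Array
    value.map { |v| filter_value(v, patterns) }
  else
    value
  end
end

# Constructed sample request parameters (not real data).
SAMPLE_PARAMS = {
  'user'  => { 'email' => 'a@example.com', 'password' => 'hunter2', 'ssn' => '0115551212' },
  'items' => [{ 'sku' => 'A1', 'card_number' => '4111111111111111' }],
  'page'  => '2'
}.freeze

# Constructed deny list; "card" also catches "card_number".
SENSITIVE_KEYS = %w[password ssn card].freeze

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  # The scrubbed hash is what you would pass on to the tracer, e.g. as custom parameters.
  pp filter_params(SAMPLE_PARAMS, SENSITIVE_KEYS)
end
```

Substring matching is deliberate: it errs on the side of filtering (a key named "password_confirmation" is caught along with "password"), which is the right default for data that ends up in a third-party trace store.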

Request parameters

If you want to insert custom data into the Custom Parameters section of a transaction trace, make sure that Capture Parameters is turned on: From the New Relic menu bar, select Applications > (selected app) > Settings > Application > Request Parameters.

You can control this by using the agent API. Here is an example in Ruby:

::NewRelic::Agent.add_custom_parameters(options = {})

In Ruby, option values are a hash of key/value pairs. In other agent APIs, parameters typically are recorded individually as a name/value pair. The keys and values are serialized to New Relic and must be classes that are available to New Relic, such as String, Fixnum, Float, etc.

For more information, see your agent's API documentation.

Obfuscation (Ruby)

In the Ruby agent API, you can use custom obfuscation to strip sensitive data from SQL statements when the default obfuscator is insufficient. You can also use it to obfuscate fewer details. Use the following Ruby agent API:

::NewRelic::Agent.set_sql_obfuscator(type, &block)

Values for type include:

  • :before (Run your obfuscation block before running the default obfuscation block.)
  • :after (Run your obfuscation block after running the default obfuscation block.)
  • :replace (Use your obfuscation block in place of the default obfuscator.)

The obfuscation blocks take a single parameter, which is a String SQL query, and they return a String SQL query.
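To make the obfuscation described in the two sections above concrete, here is an added Ruby example (not the New Relic agent's obfuscator, and not its set_sql_obfuscator implementation). default_obfuscate strips single-quoted string literals and bare numeric sequences and replaces each with ?, reproducing the documented behaviour on the ssn query. obfuscate_with is a stand-in for how a custom block composes with the default one under the :before, :after and :replace types; HIDE_TABLE is a hypothetical custom block that additionally removes table names, which the default obfuscator leaves in place. Blocks take a String SQL query and return a String SQL query, as the text specifies.

```ruby
# Added example (not the agent's code): a minimal SQL obfuscator in the style
# described on this page, plus a composer mirroring the :before/:after/:replace
# modes. Blocks take a String SQL query and return a String SQL query.

# Default-style obfuscation: string literals first, then bare numbers.
# The literal pattern tolerates escaped quotes ('' and \') inside a string so
# that a quote inside the literal cannot terminate it early.
def default_obfuscate(sql)
  sql.gsub(/'(?:[^'\\]|\\.|'')*'/, '?')
     .gsub(/\b\d+(?:\.\d+)?\b/, '?')
end

# Compose a custom obfuscation block with the default one.
# type is :before, :after or :replace, following the documented semantics
# (the composition itself is this example's own code, not the agent's).
def obfuscate_with(type, sql, &custom)
  case type
  when :before  then default_obfuscate(custom.call(sql))
  when :after   then custom.call(default_obfuscate(sql))
  when :replace then custom.call(sql)
  else raise ArgumentError, "unknown obfuscator type #{type.inspect}"
  end
end

# Hypothetical custom block: also hide the table name after FROM, which the
# default obfuscator leaves visible.
HIDE_TABLE = ->(sql) { sql.gsub(/\bfrom\s+\w+/i, 'from ?') }

if __FILE__ == $PROGRAM_NAME
  sql = "select * from table where ssn='0115551212'"
  puts default_obfuscate(sql)                       # select * from table where ssn=?
  puts obfuscate_with(:after, sql, &HIDE_TABLE)     # select * from ? where ssn=?
  puts obfuscate_with(:replace, sql, &HIDE_TABLE)   # select * from ? where ssn='0115551212'
end
```

The :replace run shows the caveat worth remembering: a replacing block is solely responsible for stripping literals, so a block that only masks table names would let the SSN through. Prefer :before or :after unless the custom block fully covers what the default obfuscator does.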

SQL collection blocks (Ruby)

In the Ruby agent API, use the following to disable all SQL collection in a block:

::NewRelic::Agent.disable_sql_recording do
  ...
end

For more help

If you need additional help, get support at support.newrelic.com.