Add Sensitive Data Filter for Cookies

You can use sensitive cookie filters to configure the agent to obfuscate sensitive information from the URLs in transaction snapshot details.

  1. Edit the Apache Agent configuration file: <path_to_webserver_dir>/conf/appdynamics_agent.conf
  2. Add the sensitive cookie filter elements as directives:
    • AppDynamicsMaskCookie ON
    • AppDynamicsCookieMatchPattern pattern
      • AppDynamicsMaskCookie: Specify whether filtering is enabled. Set it to ON to enable cookie filtering. The default value is OFF.
      • AppDynamicsCookieMatchPattern: Specify the pattern that, when matched, filters the value of that cookie.

  3. Enabling AppDynamicsMaskCookie masks the values of all the cookies associated with the given request. To mask only selected cookies, set the following:
    • Add AppDynamicsCookieMatchPattern and provide the full name of the cookie whose value needs to be masked, in the form AppDynamicsCookieMatchPattern <pattern>.

For example:

AppDynamicsCookieMatchPattern PHPSESSID

A substring of a cookie name does not mask any value in the transaction snapshot. Ensure that you enter the full name of the cookie for this directive.

    • To mask the values of multiple cookies simultaneously, provide the names of all those cookies separated by '|' as a single string:

AppDynamicsCookieMatchPattern <pattern1|pattern2|pattern3>

For example:

AppDynamicsCookieMatchPattern PHPSESSID|X-CSRF-TOKEN|cookiekey

If ‘|’ is present in the cookie name itself, the agent cannot mask those cookies, because ‘|’ is used as a name separator in the AppDynamicsCookieMatchPattern directive.

Add Sensitive Data Filter for the SM_USER

You can use the SM_USER filter to configure the agent to obfuscate sensitive information from the URLs in transaction snapshot details.

  1. Edit the Apache Agent configuration file: <path_to_webserver_dir>/conf/appdynamics_agent.conf.

  2. Add the sensitive SM_USER filter element as a directive:

    • AppDynamicsMaskSmUser ON
    • AppDynamicsMaskSmUser: Specify whether filtering is enabled. Set it to ON to enable sm_user filtering. The default value is OFF.

Enabling this masks the values of all the SM_USER associated with the given request.

Filter Certain URL Segments or Query Parameters

By default, the Splunk AppDynamics Apache Agent sends transaction data to the Controller that your organization may classify as privileged information. Although such data is useful for diagnosis and troubleshooting, security considerations may require you to filter certain sensitive information from view in the Controller. You can use Sensitive URL filters to exclude sensitive information from a URL in snapshot details. 

Add a Sensitive URL Filter

  1. Edit the appdynamics_agent.conf configuration file in the path: <path_to_webserver_dir>/conf/appdynamics_agent.conf.
  2. In the appdynamics_agent.conf file, configure the following settings:
    • AppDynamicsDelimiter: Specify the character that you want to use as URL segment endpoints. The agent splits the URL at each delimiter instance to create the segments. For HTTP, use the forward slash character "/". For the forward slash, the agent does not split on the slashes immediately following the protocol. For example, "https://myapp.example.com/" constitutes a single segment. The default delimiter is "/", but this setting is REQUIRED for successful filtering.

For example:

AppDynamicsDelimiter /

Note that ‘#’ cannot be used as a delimiter because the configuration file cannot process it.

    • AppDynamicsSegment: Specify a comma-separated list to indicate the segments that you want the agent to filter. Segment numbering starts from 1. If you specify 0 or negative values, the agent fails to redact the segments. This attribute is REQUIRED.

For example:

AppDynamicsSegment 2,3

    • AppDynamicsMatchfilter: The type of filter to be used to match the URL, one of the following: NOT_EMPTY|EQUALS|STARTSWITH|ENDSWITH|CONTAINS|REGEX. The default is NOT_EMPTY, but this attribute is REQUIRED.

To use this correctly, do not consider query parameters for match-filtering. For example, for the call "https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz", a match-filter of STARTSWITH matches the specified string starting with the hostname, "myapp.example.com" in this case. Similarly, ENDSWITH corresponds to the last segment without the query parameters, "data" in this case, because query parameters are never reported in the snapshots.

For example:

AppDynamicsMatchfilter CONTAINS

    • AppDynamicsMatchpattern: Specify the string that you want to be filtered with the match-filter. This attribute is REQUIRED.

For example:

AppDynamicsMatchpattern one

For example, the following configuration splits the URL on the "/" character and masks the third and fifth segments of the URL. In this case, the segmentation and obfuscation apply only to URLs containing "myapp":

AppDynamicsDelimiter /
AppDynamicsSegment 3,5
AppDynamicsMatchfilter CONTAINS
AppDynamicsMatchpattern myapp

The exit call to "https://myapp.example.com/customer/customerid/account/accountid/data?first_name=abc&last_name=xyz" breaks down into six segments: "https://myapp.example.com", "customer", "customerid", "account", "accountid" and "data?first_name=abc&last_name=xyz". "https://myapp.example.com" corresponds to segment number 1, and so on. The Controller shows the masked values of the URL, "/customer/*****/account/*****/data", in the snapshot details.

Because query parameters are never sent to the Controller, they are not filtered. In transaction snapshots, URLs are sent without the query parameters by default; with this filter, they are sent after the corresponding URL segments are masked.

Filter Multiple URLs

Due to the limitations of the Apache configuration, if you want to filter multiple URLs separately, write the arguments as '|'-separated values, as shown below:

AppDynamicsDelimiter /|/
AppDynamicsSegment 1,2,3|1,4
AppDynamicsMatchfilter CONTAINS|ENDSWITH
AppDynamicsMatchpattern One|.php

Each ‘|’-separated value corresponds to an additional URL filter. For ‘n’ separate URL filters, you need ‘n’ corresponding ‘|’-separated configurations. These filters act independently on the URLs and filter based on the configurations specified for each filter.

You must define all the configuration settings, even though they have default values. If you omit a particular setting when configuring multiple filters, the filtering fails.
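
The following Python sketch is an added example, not Splunk AppDynamics code: it lints the four URL filter directives and predicts which segments each filter masks, so a configuration can be checked against sample URLs before it is deployed. The function names, the semantics given to each match-filter type, and matching against the host and path (protocol and query parameters removed) are assumptions modeled on the behavior described above.

```python
import re

MASK = "*****"  # mask token shown in the page's Controller output
KEYS = ("AppDynamicsDelimiter", "AppDynamicsSegment",
        "AppDynamicsMatchfilter", "AppDynamicsMatchpattern")
MATCHERS = {  # assumed semantics of the documented match-filter types
    "NOT_EMPTY": lambda t, p: bool(t),
    "EQUALS": lambda t, p: t == p,
    "STARTSWITH": lambda t, p: t.startswith(p),
    "ENDSWITH": lambda t, p: t.endswith(p),
    "CONTAINS": lambda t, p: p in t,
    "REGEX": lambda t, p: re.search(p, t) is not None,
}

def parse_filters(conf_text):
    """Lint the four directives; return one (delim, segments, kind, pattern) per filter."""
    raw = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in KEYS:
            raw[parts[0]] = parts[1].strip().split("|")
    if len(raw) != len(KEYS):
        raise ValueError("all four directives must be defined")
    if len({len(v) for v in raw.values()}) != 1:
        raise ValueError("each directive needs the same number of '|'-separated values")
    filters = []
    for delim, segs, kind, pattern in zip(*(raw[k] for k in KEYS)):
        numbers = [int(n) for n in segs.split(",")]
        if min(numbers) < 1 or kind not in MATCHERS:  # numbering starts from 1
            raise ValueError(f"bad segment list or match filter: {segs} {kind}")
        filters.append((delim, numbers, kind, pattern))
    return filters

def mask_segments(url, flt):
    """Predict the segments one filter leaves in the snapshot URL."""
    delim, numbers, kind, pattern = flt
    scheme, sep, rest = url.split("?", 1)[0].rpartition("://")  # query is never reported
    segs = rest.rstrip(delim).split(delim)
    segs[0] = scheme + sep + segs[0]        # protocol slashes are not split
    if MATCHERS[kind](rest, pattern):       # assumed: match runs on host + path
        segs = [MASK if i in numbers else s for i, s in enumerate(segs, start=1)]
    return segs

if __name__ == "__main__":
    conf = "AppDynamicsDelimiter /\nAppDynamicsSegment 3,5\nAppDynamicsMatchfilter CONTAINS\nAppDynamicsMatchpattern myapp"
    url = "https://myapp.example.com/customer/customerid/account/accountid/data?first_name=abc&last_name=xyz"
    for flt in parse_filters(conf):
        print(mask_segments(url, flt))
```

Run it with the directives copied from appdynamics_agent.conf and a few representative URLs; a ValueError points at a setting the page says makes filtering fail.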