Important
We recommend updating to the latest agent version as soon as it's available. If you can't upgrade to the latest version, update your agents to a version no more than 90 days old. Read more about keeping agents up to date.
See the New Relic Ruby agent EOL policy for information about agent releases and support dates.
v9.12.0
Version 9.12.0 adds support for the newrelic_security
agent, introduces instrumentation for the LogStasher gem, improves instrumentation for the redis-clustering
gem, and updates the Elasticsearch instrumentation to only attempt to get the cluster name once per client, even if it fails.
Feature: Add support for the newrelic_security agent
New Relic Interactive Application Security Testing (IAST) can help you prevent cyberattacks and breaches on your applications by probing your running code for exploitable vulnerabilities.
The
newrelic_security
gem provides this feature for Ruby. It depends onnewrelic_rpm
. This is the first version ofnewrelic_rpm
compatible withnewrelic_security
.At this time, the security agent is intended for use only within a dedicated security testing environment with data that can tolerate modification or deletion. The security agent is available as a separate Ruby gem,
newrelic_security
. It is recommended that this separate gem only be introduced to a security testing environment by leveraging Bundler grouping like so:# Gemfilegem 'newrelic_rpm' # New Relic APM observability agentgem 'newrelic-infinite_tracing' # New Relic Infinite Tracinggroup :security dogem 'newrelic_security', require: false # New Relic security agentendIn order to run the security agent, you need to update your configuration. At a minimum,
security.agent.enabled
andsecurity.enabled
must be set totrue
. They arefalse
by default. Similar to the gem installation, we recommend you set these configurations for a special security testing environment only.Here's an example using
newrelic.yml
:common: &default_settingslicense_key: <%= ENV['NEW_RELIC_LICENSE_KEY'] %>app_name: "Example app"development:<<: *default_settingsapp_name: <%= app_name %> (Development)security:<<: *default_settingssecurity.enabled: truesecurity.agent.enabled: trueproduction:<<: *default_settingsThe following configuration relate to the
newrelic_security
gem:Configuration name Default Behavior security.agent.enabled false
If true
, the security agent is loaded (a Ruby 'require' is performed)security.enabled false
If true
, the security agent is started (the agent runs in its event loop)security.mode 'IAST'
Defines the mode for the security agent to operate in. Currently only 'IAST' is supported security.validator_service_url 'wss://csec.nr-data.net'
Defines the endpoint URL for posting security related data security.detection.rci.enabled true
If true
, enables RCI (remote code injection) detectionsecurity.detection.rxss.enabled true
If true
, enables RXSS (reflected cross-site scripting) detectionsecurity.detection.deserialization.enabled true
If true
, enables deserialization detectionsecurity.application_info.port nil
An Integer representing the port the application is listening on. This setting is mandatory for Passenger servers. Other servers should be detected by default. Feature: Add instrumentation for LogStasher
The agent will now record logs generated by LogStasher. Versions 1.0.0 and above of the LogStasher gem are supported. PR#2559
Feature: Add instrumentation for redis-clustering
Version 5.x of the
redis
gem moved cluster behavior into a different gem,redis-clustering
. This gem can access instrumentation registered throughRedisClient::Middleware
. Previously, the agent only instrumented thecall_pipelined
method through this approach, but now users of theredis-clustering
gem will also have instrumentation registered forconnect
andcall
methods. In addition, the way thedatabase_name
attribute is set for Redis datastore spans is now compatible with all versions of Redis supported by the New Relic Ruby agent. Thank you, @praveen-ks for bringing this to our attention. Issue#2444 PR#2720Bugfix: Update Elasticsearch instrumentation to only attempt to get the cluster name once per client
Previously, the agent would attempt to get the cluster name every time a call was made if it was not already captured. This could lead to a large number of failures if the cluster name could not be retrieved. Now, the agent will only attempt to get the cluster name once per client, even if it fails. Thank you, @ascoppa for bringing this to our attention. Issue#2730 PR#2743
Feature: Produce metrics for 4 additional Action Controller Rails notifications
Four additional Action Controller related Rails notifications are now subscribed to by the agent to produce telemetry. These 4 are
exist_fragment?
,expire_fragment
,read_fragment
, andwrite_fragment
. As with instrumentation for Action Controller itself, these notifications are enabled by default and can be disabled by setting:disable_action_controller
totrue
in the agent'snewrelic.yml
configuration file. PR#2745