Built-in data filtersedit

Built-in data filters allow you to filter or turn off ingestion of the following types of data:

Data type Common sensitive data

HTTP headers

Passwords, credit card numbers, authorization, etc.

HTTP bodies

Passwords, credit card numbers, etc.

Personal data

Client IP address and user agent.

Real user monitoring data

URLs visited, click events, user browser errors, resources used, etc.

Database statements

Sensitive user or business information

HTTP headersedit

By default, APM agents capture HTTP request and response headers (including cookies). Most Elastic APM agents provide the ability to sanitize HTTP header fields, including cookies and application/x-www-form-urlencoded data (POST form fields). Query string and captured request bodies, like application/json data, are not sanitized.

The default list of sanitized fields attempts to target common field names for data relating to passwords, credit card numbers, authorization, etc., but can be customized to fit your data. This sensitive data never leaves the instrumented service.

This setting supports Central configuration, which means the list of sanitized fields can be updated without needing to redeploy your services:

Alternatively, you can completely disable the capturing of HTTP headers. This setting also supports Central configuration:

HTTP bodiesedit

By default, the body of HTTP requests is not recorded. Request bodies often contain sensitive data like passwords or credit card numbers, so use care when enabling this feature.

This setting supports Central configuration, which means the list of sanitized fields can be updated without needing to redeploy your services:

Personal dataedit

By default, the APM Server captures some personal data associated with trace events:

  • client.ip: The client’s IP address. Typically derived from the HTTP headers of incoming requests. client.ip is also used in conjunction with the geoip processor to assign geographical information to trace events. To learn more about how client.ip is derived, see Deriving an incoming request’s client.ip address.
  • user_agent: User agent data, including the client operating system, device name, vendor, and version.

The capturing of this data can be turned off by setting Capture personal data to false.

Real user monitoring dataedit

Protecting user data is important. For that reason, individual RUM instrumentations can be disabled in the RUM agent with the disableInstrumentations configuration variable. Disabled instrumentations produce no spans or transactions.

Disable Configuration value

HTTP requests

fetch and xmlhttprequest

Page load metrics including static resources


JavaScript errors on the browser


User click events including URLs visited, mouse clicks, and navigation events


Single page application route changes


Database statementsedit

For SQL databases, APM agents do not capture the parameters of prepared statements. Note that Elastic APM currently does not make an effort to strip parameters of regular statements. Not using prepared statements makes your code vulnerable to SQL injection attacks, so be sure to use prepared statements.

For non-SQL data stores, such as Elasticsearch or MongoDB, Elastic APM captures the full statement for queries. For inserts or updates, the full document is not stored. To filter or obfuscate data in non-SQL database statements, or to remove the statement entirely, you can set up an ingest node pipeline.

Agent-specific optionsedit

Certain agents offer additional filtering and obfuscating options:

Agent configuration options

  • (Node.js) Remove errors raised by the server-side process: disable with captureExceptions.
  • (Java) Remove process arguments from transactions: disabled by default with include_process_args.