Julius L. asked ·

Auditing Dynatrace mission control communication

Is there a configuration option or an official utility to audit/dump communication to Dynatrace Mission Control?

Some customers (mostly financial/telco/healthcare) have a strict security policy about communication outside their network, and all data uploaded to or downloaded from 3rd parties must be audited. Since communication to Dynatrace Mission Control is encrypted, it's not directly possible to see and dump the communication payload.

Dynatrace Managed, mission control
2 comments

I have a customer where this will be relevant as well. It was mentioned that it will be possible to intercept the uplink with a proxy and analyze the data.

Is there more concrete information on that?

0 Likes 0 · ·

Actually, the endpoints for outbound communication are specified in the server configuration file. If you use a classic MITM proxy, it will probably not work because of certificate validation. You would have to add a custom certificate to the truststore for the Dynatrace server and maybe other components as well.

If the Dynatrace server allows changing those endpoint URLs (billing, opc, ...) to non-HTTPS, it would be quite simple to write a "proxy" to dump communication and forward it to Mission Control. However, not sure about the websocket communication from Dynatrace into the customer environment.

Probably both methods can be used, but I'm asking for an officially supported solution.

0 Likes 0 · ·
Radoslaw S. answered ·

There are no generally available tools to dump the clear text payload sent to Mission Control. We can discuss internally what's inside each request.

Please also read the new topic in the documentation, "How does Mission Control pro-active support work?" and

https://www.dynatrace.com/support/help/get-started...

in particular:

Dynatrace Mission Control is responsible for sending

  • Usage and billing information.
  • Dynatrace Server health statistics
    Once permission is granted, our Mission Control team can remotely analyze the hardware utilization of your Dynatrace Managed installation and alert you if more resources are required.
  • Dynatrace Server event tracking
    Events like server starts/shutdowns, added/removed nodes, and Security Gateway registrations are tracked automatically. Our Mission Control team can remotely analyze and address problems or incompatibilities with your Dynatrace Server, so you don't need to track and react to system events. If you should ever need to contact Dynatrace Support, you won't need to collect the required log files for problem details—Mission Control gathers this data for you automatically. To see the list of Dynatrace Server system events that are automatically logged, click the Events tile on your Dynatrace Managed home page.
  • System settings
    Our Mission Control team can remotely optimize your Dynatrace Managed settings to ensure optimum performance and stability.
  • Software updates
    Dynatrace Managed software updates are mandatory and are typically published every four weeks. You can customize the timing of Dynatrace Managed updates (daily or weekly). Updates are automatically communicated to your users at least 24 hours in advance. Dynatrace Managed updates are fast and allow monitoring to continue seamlessly.
3 comments

I'm aware what Mission Control is used for.
However, this answer won't be acceptable to security personnel in environments with high security requirements (agents on servers processing sensitive data, such as banking).

Not being able to audit communication will likely prohibit Dynatrace from being deployed (=purchased) in such environments.

1 Like 1 · ·

Do we have any update on this? Would like to get more details on how the data can be audited and what type of flexibility is available in what information can be sent from the managed server.

0 Likes 0 · ·

There is flexibility; observe the preferences available to a cluster admin in the CMC. There are also complete audits available to cluster admins in the CMC (observe the audit log in the sidebar in the pic below).

As mentioned above by Radoslaw, check the Mission Control Security section.

Dynatrace have provided further insight in the Trust Center, if you are interested in this subject.

1 Like 1 · ·
cmc-preferences.png (124.1 KiB)
Sebastian K. avatar image
Sebastian K. answered ·

Some of our clients are unsecuring communication to mission control and tracking it for some time. After that they are going back to normal. I don’t know any other option.

Sebastian

Wong S. answered ·
Any update on this?
1 comment

Nothing has changed, but you can still do MITM communication auditing. It requires some work with adding a certificate to the trust store so Dynatrace Cluster can trust the MITM proxy.

Anyway, any changes from Dynatrace are being audited in the Audit log available in the CMC.

0 Likes 0 · ·
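
The plain-HTTP relay idea raised in the comments above (dump the payload locally, then forward it), as an added example that is not Dynatrace code and not part of any post in this thread. It assumes the server can be pointed at a local HTTP listener, which the thread leaves open; `make_audit_proxy`, `demo`, the `/usage` path and the JSON payload are hypothetical names and constructed data, and websocket traffic is not covered.

```python
import hashlib, json, tempfile, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
SKIP = {"host", "content-length", "connection", "accept-encoding"}  # set per hop, not relayed
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct; TLS checks stay on

def make_audit_proxy(upstream, audit_path):
    """Plain-HTTP listener that relays each request to `upstream` and appends a JSON audit record."""
    lock = threading.Lock()
    class Relay(BaseHTTPRequestHandler):
        log_message = lambda *args: None  # the audit file is the record, keep stderr quiet
        def relay(self):
            body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
            headers = {k: v for k, v in self.headers.items() if k.lower() not in SKIP}
            req = urllib.request.Request(upstream + self.path, body or None, headers, method=self.command)
            try:
                with OPENER.open(req, timeout=30) as resp:
                    status, ctype, reply = resp.status, resp.headers.get("Content-Type"), resp.read()
            except urllib.error.HTTPError as err:  # upstream 4xx/5xx is relayed and audited too
                status, ctype, reply = err.code, err.headers.get("Content-Type"), err.read()
            record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                      "method": self.command, "path": self.path, "status": status,
                      "request_body": body.decode("utf-8", "replace"),
                      "request_sha256": hashlib.sha256(body).hexdigest(),
                      "response_bytes": len(reply), "response_sha256": hashlib.sha256(reply).hexdigest()}
            with lock, open(audit_path, "a", encoding="utf-8") as log:
                log.write(json.dumps(record) + "\n")  # written before the reply is released
            self.send_response(status)
            self.send_header("Content-Type", ctype or "application/octet-stream")
            self.send_header("Content-Length", str(len(reply)))
            self.end_headers()
            self.wfile.write(reply)
        do_GET = do_POST = do_PUT = relay
    return ThreadingHTTPServer(("127.0.0.1", 0), Relay)

def demo():
    """Relay one constructed POST to a local stand-in upstream; return the reply and audit records."""
    class Upstream(BaseHTTPRequestHandler):
        log_message = lambda *args: None
        def do_POST(self):
            self.rfile.read(int(self.headers["Content-Length"]))
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
    up = ThreadingHTTPServer(("127.0.0.1", 0), Upstream)
    audit = tempfile.NamedTemporaryFile(suffix=".jsonl", delete=False).name
    proxy = make_audit_proxy(f"http://127.0.0.1:{up.server_port}", audit)
    for srv in (up, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    reply = OPENER.open(f"http://127.0.0.1:{proxy.server_port}/usage", b'{"hosts": 3}').read()
    return reply, [json.loads(line) for line in open(audit, encoding="utf-8")]
```

Calling `demo()` returns the relayed reply and the parsed audit log; for real use, pass an `https://` upstream so the outbound leg stays encrypted and certificate-checked while the local leg is recorded.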
