We were asked recently to enable the check mark in the NCM Settings -> Advanced Settings -> Enable Session Tracing. When I was preparing the files for despatch to SolarWinds I found that the NCM config files generated for the session tracing contained the login and enable passwords in plain text. These passwords are provided via SSH sessions to our equipment not telnet so therefore are sent to the switches encrypted.
The answers that I've had so far from SolarWinds that it only happens if the option is enabled is lame to say the least. Also the primary issue is that if an engineer is asked to enable the troubleshooting nowhere is it mentioned that the passwords will be in plain text and need to be deleted. It was only by chance that I found it, not because the SW engineer warned me.
This is clearly a major security issue as these files are viewed by staff here, and your staff. Can you please advise when you will ensure that session tracing disguises all passwords in a config file?