
How-to guide

Run in an air-gapped environment

Signals is built for restricted networks. This guide walks through deploying and operating the collector with no internet access: install it offline, collect locally, move data out over your approved transfer path, and inspect it in a separate environment.

What Signals does not reach out to

Signals is built for restricted networks: no telemetry, no analytics, no phone-home, no auto-update, no Elevarq cloud — and it runs as a non-root container with a read-only root filesystem. Its only outbound connections are to the PostgreSQL targets you configure. Nothing in the default deployment dials out to the internet on its own.

One caveat: cloud authentication methods you opt into reach the cloud APIs they need. aws_rds_iam contacts the EC2 instance-metadata service (IMDS) and AWS STS to mint a token; secret_store calls AWS Secrets Manager or SSM Parameter Store (or the Azure / GCP equivalents). A fully air-gapped deployment uses the password method, whose credential is read locally and triggers no such calls. See Authentication methods for the full matrix of what each method touches.

Install offline

Copy the binary, or load the container image into the network. Nothing is fetched from a registry at runtime, so there is no need for outbound access during start-up.

# Binary: copy it to the host over your approved transfer path
cp signals /usr/local/bin/signals
chmod +x /usr/local/bin/signals

# Container: load a previously exported image archive
docker load -i signals-image.tar
docker run --rm --read-only --user 65532:65532 \
  -v /etc/signals:/etc/signals:ro \
  signals:latest --config /etc/signals/signals.yaml

Collect locally

The snapshot store and exports stay on the host; data never leaves the trust boundary on its own. Point Signals at the PostgreSQL targets inside your network and let the daemon collect on its schedule — every snapshot lands on local disk and stays there until you move it.

Move data out deliberately

When you want analysis off-host, export a ZIP and carry it over your approved transfer path. It is a plain ZIP of JSON and NDJSON — no proprietary container, no embedded credentials — so it is safe to review before it crosses a boundary. See Export snapshots for the export command and options.
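A pre-transfer review of the export, as an added example that is not part of the Signals documentation or tooling: it checks that the archive holds only JSON and NDJSON, that every document parses, that no member path would escape the extraction directory, and it flags credential-like strings. The function names and the credential patterns are assumptions to adapt to your own review policy.

```python
import io, json, re, sys, zipfile

ALLOWED = (".json", ".ndjson")  # assumption: the export holds only these types
# Heuristic patterns (assumption, tune for your site): a URI with an inline
# password, or a non-empty value under a credential-looking key.
SECRET = re.compile(
    r'(?i)\w+://[^/\s:@"]+:[^@\s"]+@|"(password|passwd|secret|token)"\s*:\s*"[^"]+"')

def review_export(zip_source):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"{name}: path escapes extraction directory")
            if not name.lower().endswith(ALLOWED):
                findings.append(f"{name}: unexpected file type")
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            # .json is one document; .ndjson is one document per line
            docs = [text] if name.lower().endswith(".json") else text.splitlines()
            for n, doc in enumerate(docs, 1):
                if not doc.strip():
                    continue
                try:
                    json.loads(doc)
                except ValueError:
                    findings.append(f"{name}:{n}: not valid JSON")
                if SECRET.search(doc):
                    findings.append(f"{name}:{n}: credential-like string")
    return findings

def build_sample(files):
    """Constructed test archive, built in memory from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    problems = review_export(sys.argv[1])
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it against the exported ZIP before the transfer; a non-zero exit status means at least one finding needs a human decision.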

Inspect offline

Unzip and read the contents directly, or hand the ZIP to Analyzer in a separate environment. Nothing about inspection requires the original host or any network access.

unzip signals-export.zip -d export/
# NDJSON: one JSON object per line, read it however you like
head -n 1 export/query_results.ndjson
wc -l export/query_results.ndjson

  • Install offline. Copy the binary or load the image; nothing is fetched at runtime.
  • Collect locally. Snapshots and exports stay on the host.
  • Move data out deliberately. A plain ZIP of JSON / NDJSON, with no embedded credentials.
  • Inspect offline. Unzip query_results.ndjson directly, or hand the ZIP to Analyzer elsewhere.