Broker Server Setup

Set up a centralized broker for monitoring multiple canaries in air-gapped networks

When deploying multiple canary appliances in an air-gapped network, managing them individually becomes challenging. A Broker Server provides centralized event collection, alerting, and monitoring - all without requiring internet connectivity.

What is a Broker Server?

A broker server is a lightweight aggregation point that sits within your air-gapped network and receives events from all your canary appliances. It provides:

  • Centralized Dashboard - View all canary events from a single web interface
  • Real-time Alerting - Get instant notifications via syslog, email, or SNMP
  • SIEM Integration - Forward events to your existing security infrastructure
  • Event Correlation - Identify patterns across multiple appliances
  • Easy Export - Package all events for transfer to Signal Canary cloud

The broker server operates entirely within your air-gapped network. It never requires internet access and all data stays within your security perimeter.

Architecture Overview

The broker architecture is designed for simplicity and reliability in isolated environments:

┌─────────────────────────────────────────────────────────────┐
│                    Air-Gapped Network                        │
│                                                              │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐                   │
│  │ Canary 1 │  │ Canary 2 │  │ Canary 3 │   ...             │
│  └────┬─────┘  └────┬─────┘  └────┬─────┘                   │
│       │             │             │                          │
│       └─────────────┼─────────────┘                          │
│                     ▼                                        │
│              ┌─────────────┐                                 │
│              │   Broker    │────► Syslog / SIEM              │
│              │   Server    │────► Email Alerts               │
│              └─────────────┘────► SNMP Traps                 │
│                     │                                        │
│                     ▼                                        │
│              ┌─────────────┐                                 │
│              │  Dashboard  │ (Web UI)                        │
│              └─────────────┘                                 │
│                                                              │
└─────────────────────────────────────────────────────────────┘
                     │
            USB/Secure Transfer
                     ▼
            ┌─────────────┐
            │Signal Canary│ (Cloud - Optional)
            │  Dashboard  │
            └─────────────┘

Key Features

Real-time Event Stream

Events appear in the dashboard immediately as they occur. No delay, no polling.

Multi-Channel Alerts

Send alerts via syslog, SMTP email, SNMP traps, or custom webhooks.

Alert Rules

Define rules for different threat levels and event types. Control alert frequency with cooldowns.

SIEM Connectors

Native support for Splunk HEC, syslog (RFC 5424/3164), CEF, and LEEF formats.

Deployment Guide

Setting up a broker server takes just a few steps:

1 Download the Broker Package

From your Signal Canary dashboard, navigate to Air-Gap Canaries and download the broker package. It includes everything needed to run the server.

2 Transfer to Air-Gapped Network

Use your organization's approved secure transfer method (USB, data diode, etc.) to move the package into your isolated network.

3 Install and Configure

Deploy on any Linux server with Python 3.8+. Edit the configuration file to set your network preferences and authentication.

# Extract and setup
tar -xzf canary_broker.tar.gz
cd canary_broker

# Create configuration
cp config.example.yaml config.yaml
nano config.yaml

# Start the server
./start_broker.sh

4 Configure Canary Appliances

When building new canary appliances, enable broker integration and provide the broker's IP address and API key.

The broker listens on port 8443 (HTTPS) or 8080 (HTTP) by default. Use HTTPS in production. A self-signed certificate is acceptable inside an air-gapped network, but it only protects the traffic if the appliances actually verify it: distribute the broker's certificate (or its fingerprint) along with the appliance configuration rather than turning verification off, otherwise any host that answers on the broker's address can collect the appliances' API keys and events.
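The page says each appliance is given the broker's address and an API key, and the best practices below call for a unique random key per appliance. The following is an added example of how a broker-side key registry can do that; it is not the Signal Canary broker's own code, and the class name, the appliance configuration snippet and the storage layout are assumptions. The point it makes: keys are generated from a CSPRNG, only a digest is stored so a copy of the broker database yields no working credentials, comparison is constant-time, and one appliance's key is never valid for another.

```python
"""Per-appliance API key provisioning for a canary broker (added example,
not the product's code; names and the config shape are assumptions)."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

_NULL_DIGEST = b"\x00" * 32


class ApplianceKeyRegistry:
    """Keys are shown once at issue time; only SHA-256 digests are retained."""

    def __init__(self) -> None:
        self._digests: Dict[str, bytes] = {}

    def issue(self, appliance_id: str) -> str:
        if appliance_id in self._digests:
            raise ValueError(f"{appliance_id} already has a key; revoke it first")
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._digests[appliance_id] = hashlib.sha256(key.encode()).digest()
        return key

    def revoke(self, appliance_id: str) -> None:
        self._digests.pop(appliance_id, None)

    def authenticate(self, appliance_id: str, presented: str) -> bool:
        presented_digest = hashlib.sha256(presented.encode()).digest()
        stored = self._digests.get(appliance_id)
        if stored is None:
            # Still run the comparison so an unknown id costs the same as a bad key.
            hmac.compare_digest(presented_digest, _NULL_DIGEST)
            return False
        return hmac.compare_digest(presented_digest, stored)


def appliance_config(appliance_id: str, key: str, broker_host: str, broker_port: int = 8443) -> str:
    """Assumed shape of the appliance-side broker setting (the page names only host and key)."""
    return (
        "broker:\n"
        f"  url: https://{broker_host}:{broker_port}\n"
        f"  appliance_id: {appliance_id}\n"
        f"  api_key: {key}\n"
    )


def provision_two() -> Tuple[ApplianceKeyRegistry, str, str]:
    """Issue keys for two appliances; returns the registry and both plaintext keys."""
    registry = ApplianceKeyRegistry()
    k1 = registry.issue("canary-1")
    k2 = registry.issue("canary-2")
    return registry, k1, k2


if __name__ == "__main__":
    reg, key1, _ = provision_two()
    print(appliance_config("canary-1", key1, "10.0.0.10"))
    print("canary-1 accepted:", reg.authenticate("canary-1", key1))
    print("canary-2 with canary-1 key:", reg.authenticate("canary-2", key1))
```

Print the configuration once, carry it to the appliance build step, and discard the plaintext; revoking and re-issuing is the only way to recover from a lost key, which is what you want.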

Alerting Configuration

The broker supports multiple alerting channels that can be enabled simultaneously:

Syslog

Forward events to any syslog server (rsyslog, syslog-ng, Graylog, etc.):

Protocols   UDP, TCP, TLS
Formats     RFC 5424 (structured), RFC 3164 (BSD), CEF (ArcSight), LEEF (QRadar)
Facilities  Configurable (local0-local7, auth, security)

Email (SMTP)

Send email alerts to your internal mail server. Supports authentication and TLS for secure delivery within your network.

SNMP Traps

Generate SNMP v2c or v3 traps for integration with network management systems.

SIEM Integration

The broker can forward events to your existing SIEM infrastructure:

Splunk

Use the HTTP Event Collector (HEC) to send events directly to Splunk:

siem:
  splunk_hec:
    enabled: true
    url: "https://splunk.internal:8088/services/collector"
    token: "your-hec-token"
    index: "security"
    source: "signal_canary"

QRadar

Use LEEF format over syslog for native QRadar integration:

siem:
  syslog:
    enabled: true
    host: "qradar.internal"
    port: 514
    format: "leef"

ArcSight

Use CEF format for ArcSight SmartConnector compatibility:

siem:
  syslog:
    enabled: true
    host: "arcsight.internal"
    port: 514
    format: "cef"

Events include all relevant fields for security analysis: timestamp, source IP, event type, threat level, and detailed metadata.
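What the SIEM sections above leave implicit is how one canary event is actually laid out on the wire in each format, and where the escaping pitfalls are. The block below is an added example, not the broker's own code: it takes a constructed event with the fields the page lists (timestamp, source IP, event type, threat level, metadata) and renders it as CEF and LEEF inside an RFC 5424 syslog line, and as a Splunk HEC JSON body using the index and source from the config above. The vendor/product strings, the mapping of threat levels onto each format's severity scale, and the choice of CEF/LEEF keys are assumptions; the metadata value deliberately contains `|`, `=` and `\` so the escaping is exercised.

```python
"""Render a canary event as CEF, LEEF (in RFC 5424 framing) and a Splunk HEC
payload.  Added example; vendor/product names, severity tables and key choices
are assumptions, not the broker's real output."""
import json
from datetime import datetime, timezone

VENDOR, PRODUCT, VERSION = "Signal Canary", "Canary Broker", "1.0"    # assumed
CEF_SEVERITY = {"low": 3, "medium": 5, "high": 8, "critical": 10}     # CEF scale 0-10
LEEF_SEVERITY = {"low": 2, "medium": 5, "high": 8, "critical": 10}    # LEEF scale 1-10
SYSLOG_SEVERITY = {"low": 6, "medium": 4, "high": 3, "critical": 2}   # info/warning/err/crit
FACILITY = {"local0": 16, "local1": 17, "auth": 4}                    # RFC 5424 facility codes

# Constructed sample event; the note contains CEF/LEEF metacharacters on purpose.
SAMPLE_EVENT = {
    "timestamp": "2024-05-01T12:00:00Z",
    "appliance": "canary-1",
    "source_ip": "10.0.5.23",
    "event_type": "ssh_login",
    "threat_level": "high",
    "metadata": {"username": "admin", "note": "pipe|equals=back\\slash"},
}


def epoch_seconds(ts: str) -> int:
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


# CEF/LEEF header fields escape backslash and pipe; CEF extension values escape
# backslash, equals and newlines.  Backslash must be replaced first.
def header_field(s) -> str:
    return str(s).replace("\\", "\\\\").replace("|", "\\|")


def cef_value(s) -> str:
    return str(s).replace("\\", "\\\\").replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def to_cef(ev: dict) -> str:
    header = "|".join(header_field(x) for x in (
        VENDOR, PRODUCT, VERSION, ev["event_type"], f"Canary {ev['event_type']}",
        CEF_SEVERITY[ev["threat_level"]]))
    ext = {"rt": epoch_seconds(ev["timestamp"]) * 1000, "src": ev["source_ip"],
           "dvchost": ev["appliance"], "cat": ev["event_type"]}
    # Free-form metadata goes into the labelled custom-string slots cs1..cs6.
    for i, (k, v) in enumerate(ev["metadata"].items(), start=1):
        ext[f"cs{i}Label"], ext[f"cs{i}"] = k, v
    return f"CEF:0|{header}|" + " ".join(f"{k}={cef_value(v)}" for k, v in ext.items())


# LEEF 1.0: pipe-delimited header, tab-delimited attributes; values must not contain tabs.
def leef_value(s) -> str:
    return str(s).replace("\t", " ").replace("\r", "").replace("\n", " ")


def to_leef(ev: dict) -> str:
    header = "|".join(header_field(x) for x in (VENDOR, PRODUCT, VERSION, ev["event_type"]))
    attrs = {"devTime": ev["timestamp"], "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
             "src": ev["source_ip"], "identHostName": ev["appliance"],
             "cat": ev["event_type"], "sev": LEEF_SEVERITY[ev["threat_level"]]}
    attrs.update(ev["metadata"])
    return f"LEEF:1.0|{header}|" + "\t".join(f"{k}={leef_value(v)}" for k, v in attrs.items())


def syslog_line(msg: str, threat_level: str, timestamp: str, facility: str = "local0",
                host: str = "broker", app: str = "signal_canary") -> str:
    """RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = FACILITY[facility] * 8 + SYSLOG_SEVERITY[threat_level]
    return f"<{pri}>1 {timestamp} {host} {app} - - - {msg}"


def to_hec(ev: dict, index: str = "security", source: str = "signal_canary") -> dict:
    """JSON body for POST /services/collector; index and source as in the config above."""
    return {"time": epoch_seconds(ev["timestamp"]), "host": ev["appliance"],
            "source": source, "sourcetype": "signal_canary:event", "index": index,
            "event": ev}


if __name__ == "__main__":
    print(syslog_line(to_cef(SAMPLE_EVENT), "high", SAMPLE_EVENT["timestamp"]))
    print(syslog_line(to_leef(SAMPLE_EVENT), "high", SAMPLE_EVENT["timestamp"]))
    print(json.dumps(to_hec(SAMPLE_EVENT)))
```

Two details worth checking against whatever your real collector emits: CEF header fields escape `|` but extension values do not, while `=` is escaped only in extension values; and the syslog PRI is facility times eight plus severity, so a CEF line for a high-level event on local0 starts with `<131>`. A parser on the QRadar or ArcSight side that sees the wrong escaping will silently truncate the event at the first metacharacter rather than reject it.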

Best Practices

Security

  • Use HTTPS - Even in internal networks, encrypt broker traffic with TLS
  • Strong API Keys - Generate unique, random API keys for each appliance
  • Network Segmentation - Place the broker on a management network if possible
  • Regular Exports - Periodically export data for offline backup and cloud analysis

High Availability

  • SQLite Performance - The default SQLite database comfortably handles thousands of events per day
  • Disk Space - Plan for ~1KB per event; 10,000 events ≈ 10MB
  • Backup Strategy - The database is a single file, so backups are simple; take the copy with sqlite3's .backup command (or with the broker stopped) rather than copying the file while events are being written, so the backup is consistent

Alert Tuning

  • Start Broad - Enable alerts for all high/critical events initially
  • Add Cooldowns - Prevent alert fatigue with appropriate cooldown periods
  • Test First - Trigger test events to verify alerting works before relying on it
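The Alert Rules feature and the Alert Tuning advice above (start with high/critical, add cooldowns, test before relying on it) describe a small rule engine. The following is an added example of that logic, not the broker's implementation; the rule schema, event field names and the cooldown key are assumptions. The design point it shows is that a cooldown must be scoped per rule, appliance and source address: a cooldown keyed only on the rule would let one noisy scanner silence alerts about a different attacker hitting a different canary.

```python
"""Threat-level alert rules with scoped cooldowns, run over constructed events.
Added example; rule and event schema are assumptions, not the broker's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

THREAT_LEVELS = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class AlertRule:
    name: str
    min_threat_level: str                 # "high" matches high and critical
    event_types: Optional[Set[str]] = None  # None = any event type
    cooldown_seconds: int = 0             # 0 = alert on every matching event
    channels: Tuple[str, ...] = ("syslog",)

    def matches(self, event: dict) -> bool:
        level = THREAT_LEVELS.get(event["threat_level"], -1)
        if level < THREAT_LEVELS[self.min_threat_level]:
            return False
        return self.event_types is None or event["event_type"] in self.event_types


@dataclass
class AlertEngine:
    rules: List[AlertRule]
    suppressed: int = 0
    # Last alert time per (rule, appliance, source IP).
    _last_fired: Dict[tuple, float] = field(default_factory=dict)

    def process(self, event: dict) -> List[dict]:
        alerts = []
        for rule in self.rules:
            if not rule.matches(event):
                continue
            key = (rule.name, event["appliance"], event["source_ip"])
            last = self._last_fired.get(key)
            if last is not None and event["ts"] - last < rule.cooldown_seconds:
                self.suppressed += 1      # counted, so suppression is visible in metrics
                continue
            self._last_fired[key] = event["ts"]
            alerts.append({"rule": rule.name, "channels": rule.channels, "event": event})
        return alerts


# Constructed sample stream; ts is seconds since an arbitrary start.
SAMPLE_EVENTS = [
    {"ts": 0,   "appliance": "canary-1", "source_ip": "10.0.5.23", "event_type": "ssh_login",  "threat_level": "high"},
    {"ts": 10,  "appliance": "canary-1", "source_ip": "10.0.5.23", "event_type": "ssh_login",  "threat_level": "high"},      # inside cooldown
    {"ts": 20,  "appliance": "canary-2", "source_ip": "10.0.5.23", "event_type": "ssh_login",  "threat_level": "high"},      # other appliance: fires
    {"ts": 30,  "appliance": "canary-1", "source_ip": "10.0.5.23", "event_type": "port_scan",  "threat_level": "medium"},    # below threshold
    {"ts": 400, "appliance": "canary-1", "source_ip": "10.0.5.23", "event_type": "ssh_login",  "threat_level": "high"},      # cooldown expired
    {"ts": 401, "appliance": "canary-3", "source_ip": "10.0.9.8",  "event_type": "smb_access", "threat_level": "critical"},  # both rules
]


def run_sample() -> Tuple[List[dict], int]:
    """Apply the 'start broad' rule set to the sample stream; returns (alerts, suppressed)."""
    engine = AlertEngine(rules=[
        AlertRule("high-and-above", "high", cooldown_seconds=300, channels=("syslog", "email")),
        AlertRule("critical-page", "critical", cooldown_seconds=0, channels=("snmp",)),
    ])
    fired: List[dict] = []
    for ev in SAMPLE_EVENTS:
        fired.extend(engine.process(ev))
    return fired, engine.suppressed


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for a in alerts:
        print(a["rule"], a["channels"], a["event"]["appliance"], a["event"]["source_ip"])
    print("suppressed:", suppressed)
```

Running it against the six sample events produces five alerts and one suppression: the repeat from the same scanner against the same canary ten seconds later is dropped, the same scanner reaching a second canary is not, and the critical event fires both the broad rule and the paging rule. Keep the suppressed count on the dashboard; a cooldown that is silently eating alerts is indistinguishable from a quiet network.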

The broker server is intended for air-gapped networks only. It lacks the hardening required for an internet-facing deployment and should never be reachable from untrusted networks.

Getting Help

If you need assistance setting up your broker server:

  1. Check the included README in the broker package
  2. Review the configuration examples
  3. Contact our Enterprise support team for deployment assistance
