
Well, first of all, thanks for coming to this talk. I know it's quite late on a Friday after lots of Domino's and the lights are down, so thanks for coming. So I am Shane Mallya, I'm an NCSC security architect and I specialise in security monitoring advice and guidance to our customers. And Adam: I'm another security architect for the NCSC, where I don't really specialise in anything; I'm here to help Shane on this project. And I must add, he's done all the videos you'll see later, not to give it away.

OK, so how did we get here? Let's start with a bit of background. You might have seen this before, some of it, from the National Cyber Security Centre, and this is our mission statement. So we try to raise the watermark across the UK to try and protect people from cyber attacks, and as I say I focus on that security monitoring angle. It'll become a little bit relevant, but you've got to understand this to understand why we've designed LME the way it is, because we've got some constraints we've got to work under. So I meet customers quite often, and there's often the question about why do we log and monitor, why do we detect, and this is kind of my little soapbox at the moment, which is that a lot of the time I see in industry we have this framework, so it's nicely split the activities up into the different quadrants, and the reality is that we often do protect a lot more than the detect kind of operational security. I think there needs to be a bit more of an equal split, not necessarily 50/50, but there needs to be more effort on the detect side, which is good because all the previous talks today have mainly been around things like threat hunting and how to run a SOC, which is really good to see. But I think this is the situation we're in at the moment, which is why I've spent a lot of my time, about two or three years now, looking specifically at the monitoring side of work.

So we get different asks from our customers, but basically when people come to me, and I get emails on probably about a monthly basis now from a different government department, it's often just like: we need a SOC, where do we start, are we going to outsource it, we need to make it slightly better than it currently is. And there's something on a scale between the left-hand side, which is like we just don't have any logs or do anything at all, all the way to the right, which is like the NSA SOC, you know, that kind of Minority Report shiny glass room. Obviously nobody really gets there in reality, but I try and help them come somewhere along that in a proportional way, to get to where they need to be for their organisation.

So, given that context, how can NCSC help? So I wrote this guidance called Introduction to Logging for Security, I think it's actually supposed to be Security Monitoring Purposes, which is a nice little mouthful, that basically looks at the outcomes you might want to achieve via your monitoring. So it has a bunch of potential questions you might be asked during an incident, because there's this mantra of "log everything", and that's cool, but really I
guess it would be nice to think, if you have an incident, that somebody comes to you and says which machine made this DNS query, who was logged in at that time, that kind of stuff. If you think about that in advance of the situation and then collect logs around that, you can accurately detect and answer those questions. That's what this guidance document does; it's got a table in there that prompts you with a bunch of questions. So this is one of our levers, I guess, as NCSC, and we pull it quite often, which is guidance and advice on our website. Prior to this it was things like GPG 13; I'll mention that for people who are doing the bingo thing, but unfortunately he's already won it, so unlucky. And also, as I mentioned earlier, I do that face-to-face consultancy with a lot of customers.

The other way we help is what we call Active Cyber Defence, which is services we provide free at the point of use to government departments. So probably the most well-known is the Protective DNS service, which is effectively: we'll sinkhole known bad domains if you point your service to it as a government department. But there we're actually, you know, doing the whole thing, where we offer you the service and try to stop the attacks happening. So Logging Made Easy fits in between the two: you've got guidance and advice, which is like "think about these principles and go and do it", and then this, which is like "we'll just do this for you". This is about helping you help yourselves. So, can we get a way to help people do logging which is pretty general across, you know, a particular set, a particular environment? And that's where Logging Made Easy comes in.

So we've aimed it at small organisations. They've got no logging at the moment, they've got no budget, so it has to be free and open source, no cost for tools. They've got limited effort; they don't really know where to start, the vendor configurations they should be loading. So Logging Made Easy is effectively a very detailed setup guide plus a bunch of things like Group Policy Objects and scripts, things that actually help you configure parts of the steps. So I've got Logging Made Easy in a slide, so this is right: as I said earlier, it's aimed at Windows estates, we're saying for small organisations, so it's around about 250 Windows client machines. What we do is we advise you to drop Sysmon down onto those machines, and we give you things like batch files to run as a scheduled task that will then download Sysmon, run it and install it. We then do Windows Event Forwarding and event collection and send it to the Windows Event Collector. So Windows Event Forwarding is a built-in feature of Windows where effectively you give it a filter, and you tell it, over GPO, you give it a bunch of client machines and you say send these subsets of your logs from your local event log to this remote Windows server. And it's nice because you're not installing extra software there, and it's all authenticated over Kerberos authentication, and there's encryption on the network, so we don't have to worry about that. It has things like, there's a setting to say do you want it to send the logs quickly or do you want to send them in more bandwidth-efficient chunks, so is it minimise latency or minimise bandwidth. So it's all built into Windows, it's great. And then you start to see the logs building up on the event collector, at which point we want to do something around analysis. So we use Winlogbeat on that server and we put it onto an ELK stack, which is running in Docker on a Linux box that we help you install, so there's a script that runs on that Linux box. So that's a really high-level overview. I'm now going to hand over to Adam
for a couple of minutes. So Adam was kind enough to make a test environment and a whole bunch of videos of the installation process. I wasn't sure how this was going to pan out, because it's basically Windows admin, but once you make it four times the speed you may not notice the mistakes that have been made along the way, copying the wrong files. It's really interesting. So, right, I'll talk over it.

Thank you Shane for throwing me under the bus there. Yeah, so before we start we have to remember LME is very much a case of using Windows components that already exist within your estate, and using the functionality that's already there for you; you're just gluing it together. So, show of hands, how many people have looked at the LME documentation? Keep them up if you've actually installed it. OK, well hopefully we're pitching to the right audience then. So this is a very abridged version of chapter 1. So essentially what we're doing now is importing the LME GPOs and creating the organisational units, and yeah, it's going at four times the speed, but this particular video for chapter one end-to-end took me about five minutes. So you can do this in a very short amount of time. Like I said, you're just leveraging what's already built within your Windows estate, and at this point we're just importing the GPOs for the server and the clients, and then later on we'll configure the GPOs to actually push down, to basically say, hey, go push these logs to this server. You're not doing anything really heavyweight in terms of maintenance; it's just doing stuff, tailoring it to your environment. All the heavyweight stuff is already done for you. And if we skip this over a bit, and skip over some of my mistakes, yeah, this is the point where you're saying, hey, go point to this server. For some reason it's like... we started. And the last part here is on the WEC server, so you can't see it, but this is the WEC box testing LME; this is a testing infrastructure within AWS. What we would like to do in the future is maybe present this infrastructure as a CloudFormation template or Terraform, so you could actually have a play yourselves and have a look and actually see how to do it properly. Yep, so wecutil runs, yes, and with that complete we do the verification that chapter one works, yes, Event Viewer, and there is a subscription on the left-hand side and you can see that there's an active LME subscription. That's all the top two videos for you.

Chapter 2 is slightly different. At this point we're trying to change the clients and provide the files, the actual Sysmon files, with the Sysmon config file; that's essentially what we're doing. So you probably already do this as part of your maintenance of your estate anyway. You're just providing sigcheck, which makes sure that you're running the latest and greatest version of Sysmon, Sysmon itself, an update script and a config for Sysmon. I've missed a point: it's updating your scheduled tasks, so when the client comes online and does a gpupdate, it pulls the latest version of the Sysmon update or config. So if you do have to make the respective changes as the LME project grows and develops further, this script automates it, so you don't actually have to go and visit the individual servers and manually do it yourself. Again, you're setting it to say use the programs in this location, so again you have to
tailor it to your environment, but as I said earlier it's very minimal in terms of tailoring. And then finally you apply the GPO to your organisational units for your clients, so if you really want to, you don't have to go big bang; you can actually just say I want to test on these ten perceived high-value clients. It could be your VIP suite, it could be your C-suite, your execs, or you could just go for your total 250 clients. If you perceive it to be really important you can say I just want a subset of the clients; this is what you use, and what you're filtering for. And finally, this works, there we go.

The third step. There's two derivations of the third step: there's the easy one where you just run a script and it self-signs a cert for you, or the second one where you provide the cert for it. So it's completely up to you, but essentially you go onto your Linux box, run a script after doing a git clone, you basically say deploy install, and it does everything for you. It's literally a case of hit it, say go and make yourself a coffee, because it'll be done in five minutes' time. Noting that there will be a little mini pause where it says I'm going to let Elasticsearch boot up and do its thing before configuring it, which is a nice delay. And right at the end of this process a username and password get passed out; you can see they're being highlighted, and you can only see that once, so make sure you're saving that. And then when you're done it also spits out, for this version, a zip file with your certs and the Winlogbeat bits for the WEC server, which then does end-to-end encryption for your logs, so you don't have to worry about that. And then verify the Docker is fully working by going to a web browser, going to your Linux server IP address or DNS name, putting in the admin and the password it's given you, and then you see Kibana working. So Docker is doing all that behind the scenes, and in terms of log retention it's all very much calculated based on the available space on that server. Basically what the script will do is: it'll install Docker, it'll install nginx, which is used as a reverse proxy to do the authentication, there's auto security updates, it works out the disk size and configures Curator, which does retention of the logs, generates a self-signed cert, also generates the admin password and creates a zip file for the Windows server. So that's exactly what the third video did. I haven't done a fourth video because that's all that chapter four is, basically: go to Management, import the JSON blob. That's all it is. Right, back to Shane.

Thank you. So hopefully those videos show you guys the kind of level of support, I guess, we're giving to the user. So it's, you know, install these GPOs, and they're here on the links, and install this software, and we give direct links to the binaries, and the scripts as well. We get it to the point where we're trying to make it like a commodity item, so that you just have LME installed and it just sits there ticking over, gathering logs, deleting logs, also updating and so on. So this is a nice little video, because it's a
real-life example of one of the NCSC reports on APT10. So at the bottom here there's two commands that it says, if you see this on your network, so some command being run, it could be an indicator of an attack, of some kind of lateral movement or something. So this machine has got LME installed. So going back to the main database server, we are typing in the certutil command which was listed in that previous report, and proving it works: it's decoding a file into a PBS file, and then you can go back to Kibana and you can look for certutil, and you will find, let's see when it expands, that it has basically captured that process creation event when you hit enter on certutil. So if you were here for the earlier talk with PPO sitting over there, he did a lot of work on Sysmon and talked about its powers, and this is awesome. This is the process creation event. It's got so much information in it that's useful for threat analysts: so we've got the command that was run, we've got the username it was run from, you've got the SHA-1 hash of the binary, you've got the integrity level it's running at, where medium means it's run as a user; if it's high then it's been right-clicked and run as administrator. So you've got a whole bunch of information, and I'll probably go into it a little bit later, but it just shows that end-to-end, between some report coming out saying find this in your network, you can then use Sysmon and LME to gather it and centrally query that on your network.

So a little bit of a summary. So it should take about a day to install without distractions; I think Adam mentioned we did it in two hours minus firewall changes, because the person went to lunch at one of our customers, but once they came back it was just flowing in and you could see the disks filling up. It's designed for 250 clients. This is important, because of the bottom point, if I jump to it: it's not a replacement for a professional tool. If you've got money for a tool like that, of which there are many, keep spending that money on those tools; I'm sure it's going to be vendor supported. This is kind of a better-than-nothing solution, a kind of DIY logging solution, right? You're taking all the free and open-source tools, you put them into a sort of end-to-end solution and get that kind of central pane of glass. But, as for the 250 clients, basically the issue we've got there is that we've only got one server where the database resides, which means it's going to be quite easy to overload it if you've got like 10,000 clients on it. It is technically possible to do some load balancing and have multiple servers doing that, but we have not put the development effort into that, so we keep it to one single server. It's a lot easier for patching and maintenance, bearing in mind this is supposed to be a hassle-free commodity thing that just runs in your network. We have had one client that decided to roll it out over 5,000 machines, and then in the feedback about LME they'd say it runs a bit slow, but that 16 GB RAM, quad-core CPU server was getting a battering, basically. At one point they said it did work; they were wondering why it wasn't responding to any commands at one point. But yeah, so the retention period is basically up to you; it's as big as your hard disk. So that script goes to 80% of the hard disk, so it gives a bit of a 20% buffer, and then it just rotates around.

And in terms of that kind of sell to the customer, and the sell to NCSC, so there's a bit of a, you know, why would a customer want to do this? So we initially went to customers
and said this is really good as a kind of insurance policy. So if you have an incident, this is going to reduce your time to respond and work out what happened, what the impact was, you know, with all the stuff you might get asked during an incident. It also reduces forensics costs, because you may not have to do forensics on disks, because you've got all the process creation logs in a central location. But that sell didn't really go down massively well with a bunch of customers; in fact we had one customer who said, I used to collect a load of logs but then I didn't look, so I just switched the whole thing off, which was unfortunate, because when we go to customer sites we like to have logs there if there's been an incident. So we've pivoted it all a bit recently to be more of an operational health tool. So we describe it as something for the end of the helpdesk. So some of the dashboards that are coming out now allow you to do things like search for a username and it will tell you which machines that user's logged into, and then you can search for a computer and then see all the blue screen events, all the application crashes. There's a dashboard that you can query KB numbers on, so you can see software updates and whether they've been successful or failed. So my theory is... and there's AV as well, Windows Defender AV, yeah. So the theory is that if the database falls over, if you've got the helpdesk and they get called in saying my Wi-Fi is not working, and they use this dashboard to work out why, they'll get that database working again. Whereas if it's that kind of black box that just rotates around, if there's a software or hardware problem, you might find you have an incident and the thing's not working. So I want to get people stuck into it and using it, so we're trying to give them some really immediate outcomes on the logs that they're gathering.

In terms of NCSC, why are we interested? So, you know, for incident response purposes, as I just mentioned, the amount of times we go to customer sites and they have no logs, and if they're not a government department it's not really feasible to say could you install some government software on your network to gather logs. With this we can say this is all free and open source, the guide is just, you're the admin, you're installing it yourself. So we're going to probably start trying that with some customers if they haven't got the money for commercial tools. And there's something about, as I said right at the start, raising the watermark across the UK to try and get people encouraged to do this.

The next couple of slides I'll talk a bit about some of the design considerations we had, because I think it's not immediately apparent. The architecture is quite simple, but actually to make it really, really simple for people wasn't as easy as it sounds, because we wanted it to be low maintenance. So first of all we took a bunch of cues from the community. Some of these were mentioned earlier in previous talks, like Steph Thornton Pete's stuff, but WEF by Jessica
Payne was probably one of the first articles that came across. So Jessica works at Microsoft; she wrote a blog about doing Windows Event Forwarding and using Power BI to query the logs. Great, so let's try and automate that; that was basically the premise of this initially. There's also HELK, by a guy called Cyb3rWard0g, which basically looks a lot like LME but it has a lot more tools on it; it's got pipelines and ML and AI and all the rest of it. So if you know what you're doing it's a really good tool, but for that kind of small business that just wants it to run in the corner, it's probably not for them. But yeah, we've got a lot of feedback, and we reached out to SwiftOnSecurity. So SwiftOnSecurity's published a Sysmon config file, and when we launched this, which was the day before, yeah, the day before CyberUK, I thought it would be a really good idea to reach out to some of the people we'd been in contact with just to say thank you. So I was working from home that day and I sent an email to our social media lead, and, just like that, the social media lead's everybody on Twitter, right? So it turns out they'd never reached out to SwiftOnSecurity before. So I said could you just send them a DM and say we're launching this product tomorrow, we're using your config file, thank you very much, you might just get some press interest. So, hit send. 20 minutes later I get a reply back saying we couldn't DM, we just basically had to send a public tweet, and now anybody can see it, and by the way people are responding. So obviously I swore quite loudly in my bedroom, but you can see the timestamp there, 20 past 11 in the morning. So basically all the tweets look like this. It's when you realise you actually work for an intelligence agency and you've reached out to an anonymous security researcher on Twitter, I'm like, what the hell have I done? But yeah, there's a lot of cynicism about why we're reaching out. So the first tweet is at 20 past 11, and there's a very long wait until 20 past 2, but luckily they took it, you know, they put it was really good, and that actually they preferred the way we reached out, because they get a lot of crazies reaching out to them. So that's, yeah, if anybody saw the original tweet, that was what was behind it.

So, why did we choose Sysmon? I mean there's been so much praise of Sysmon, and I really don't need to sing its praises any more, but I like this diagram. So, going up there, the one on the left is Winword spawning malware, like, you know, it's a parent-child process; feel free to nick that. Beside it you've got "is this hash equal to this hash", you know, you get some random threat report saying look out for these hashes on your network, and we can see that in Sysmon. You've got things like what's an admin up to, what's a particular user up to, I think that's what that one's supposed to represent. And then this one up here, top right, pretty powerful, process trees, so you can work out what normally starts the next thing and the next thing, and if you start getting things out of sequence, that could be weird, in like boot-up sequences. So Sysmon is really, really powerful, but we only really expose a very small proportion to the users that use the dashboard, because we don't want to confuse them, and as I said earlier we kind of focus on the helpdesk tools, which are more binary yes/no, as opposed to "have I got an attack, have I not". You could accidentally set people's hair on fire and waste time.

The other lot of discussions we had were around the hosting and infrastructure. So the idea initially for LME was like, you basically have a single script you run. In fact, if anybody is supposed to do
this, they should, I think it's quite a good idea: a single script where you put in your AWS keys and it goes out, creates your Elasticsearch service, it pops out your GPO, it can apply it, because PowerShell, you know, run it with some elevated privileges somewhere. You could do the whole thing in a single script, and we actually developed that; we had a script which was, I think, about 500 lines of PowerShell, and it went from nothing to working, going create infrastructure in AWS, create the GPOs, apply them, push this, you know, make the folder, persist more, and bang-bang-bang, you could do it if you're in the right place in your Windows network. That was great, but the thing is we're government; we can't go to customers and say, to use this free tool you also have to pay for an AWS account. So then it was like, well maybe we'll do Azure as well, but then that's double the effort, and then it's all the others. So in the end it's like, we just can't go down that route, unfortunately. So we decided to make it really portable with Docker, and then you can work out whether you want it on Amazon's Kubernetes, or Azure, or whatever. Turns out, though, that for some of the cloud providers you can't just run Kube on a single server, which is what we wanted for the kind of small charity, small business, so we said we can't follow that route of using Kubernetes, even given it's a cloud provider. So we took the decision to say to the customer, just install a vanilla Ubuntu box and do what Adam showed you, which was like three commands, and run that script, which would then configure the box up. So where we've ended up, it kind of reminds me, if anybody watches Silicon Valley, you know where they make that server box? It's not very modern to make an appliance that sits in a rack, but that's effectively what we've unfortunately made. But it works, right? So it's actually kind of cost-effective as well. So on some of the big providers it's about £150 a month to rent a quad-core, 16 GB RAM server with, say, half a terabyte SSD. That's quite a bit of cost as it keeps adding up, but you can probably get a server for like £1,500 or something and stick it under a desk somewhere. This doesn't need to be massively resilient, because the organisations we're pitching it to haven't got anything today anyway, so it's kind of a nice-to-have.

Next slide, so updating LME. So this is really hard, because we wanted it to be super easy. So we can update, we can put things in place to update the software. So the automatic security updates happen on Linux pretty easily. We have this batch file that, when it runs as the scheduled task, is checking if Sysmon has changed on the server and if the config file's changed on the server: it looks at the file version of Sysmon and there's a hash check of the config file, and if either of them changes it redeploys, which is quite nice. But what I really want, and this is maybe for the audience to have a think about, considering this across multiple machines, is the ability to type in on one machine "update LME" and have it say you are out of date, you know, your Sysmon version's out of date, your config is from three months ago, your Winlogbeat's not sending back the right stuff. And that's really hard. So at the moment I think we haven't quite got there. We've got some ideas that we can maybe tag events to identify what version of LME it was at the time, but because we're across three kinds of box, you know, client, server, Linux box, and two different technology stacks plus the ELK stack, it's really hard to do that easily, like, what do I have to
update, what's changed since the last time I deployed LME. But we'll get there. I will now hand over to Adam for some updates.

So we started rolling out LME to willing participants, or, I know, people who expressed an interest in this kind of involvement but didn't have any money to actually do anything, so they were, like I said, willing participants, back in January this year. As part of that we asked them to provide some interesting anecdotes about what they learned from LME, and here are some of the images that represent what we found so far. Left, USB cable: one of our clients had USB insertion being logged through the use of this one, so that was coming into LME, and they found one machine somewhere was constantly having a USB device plugged in, plugged out, plugged in, plugged out, to the point where it was a couple of thousand in an hour or so. Yeah, so there was a massive amount of events, so they went to trace it. Turns out the actual machine had a faulty USB port on the front where somebody was plugging in their phone to charge it, and I think that either the weight of the phone, or I don't really know exactly, but basically the solder traces on the PCB were failing, so it was just a micro-fracture and it was just enough for it to go registered, unregistered, registered, unregistered, which is quite an interesting event if you have somebody trying to, I know, if your policy says don't use USB, then we can capture it. The middle one is a break-glass account. So this was a domain admin account that was only supposed to be used in emergencies, and it was found to be used to install a wireless driver for a keyboard, I believe, which should not have been happening. So again we're starting to see some really interesting events with LME. And finally the last one: through week-by-week analysis of normal trend activities, we identified somebody using a program to delete all, at four o'clock in the morning, deleting about 1,500 files. We thought, last week, so we raised it to the team who spoke to them. It turns out actually that person was in the States, so the time isn't that unusual, and they were about to return the laptop, that's why; our team, so again, sanitising the device again isn't unusual. It's just more a case that we are finding these things. It's worth pointing out that we're not actually looking for malware at this point, so that's the reason why I would not say hey, we found malware; we're just not looking for malware at this point.

So, going on to frequently asked questions: are there any questions right now? I thought there... OK. Where can you get the videos from? Eventually we hope to have the non-sped-up versions on YouTube. I was kind of hoping that maybe one of the questions might have been a frequently asked question, in which case I could just jump to it straight away, but if not I'll just crack on. There will be Q&A afterwards as well if there's enough time. So first question: what about other network devices and other critical services? Appreciate that the Windows estate operates on a network fabric that can also provide enriched logs for you to do some malware analysis, or at least threat hunting. We could either choose to do loads of different things poorly or do one thing really well at this time, so
it's not a case of no, it's just not yet. If you have a particular need for a particular vendor, let us know; we can then prioritise that as part of the next drop of LME. Similarly we get this asked all the time, because people like shiny things, like me; people say we're not just a Windows house, we're not just a one-vendor house. Again, it's just a not-right-now thing, but if you really want to say macOS is my big thing, I really want LME for that, please let us know; or Linux as well. It's just not yet, and there's some massive development work required. NCC Group, who've put an awful lot of development work in, we're trying to get them focused on the Windows products as part of the roadmap.

And really another question, a popular question, and across GitHub as well, is why don't you use technology X? In the middle one, the top, is Open Distro. Has everybody heard of Open Distro? No? OK, so Open Distro is taking Elasticsearch free and then plugging in a whole bunch of security things that were missing, and this came from AWS. So it did some really cool things as well, like alerting. The reason why we haven't used it is because we'd already developed LME before it got open sourced. So I think maybe two or three weeks before we went open source on GitHub, Open Distro was announced. So if they'd open sourced it six months ago, LME might be a different product. But again it's all open source, so if you really want to use that rather than Kibana, go knock yourself out.

Just make sure I'm collecting the right events? No, I don't think any vendor can assert that unless they do a full packet capture, and ultimately you'll be paying for that; it's expensive to store that information. And we're all security professionals here: is it a game of whack-a-mole? Right, so just because we know what the threats are today doesn't necessarily mean we know what the threats are tomorrow, so LME, using peer-reviewed and well-respected methods like the SwiftOnSecurity Sysmon config and similar, we hope we're doing the right thing, but ultimately we can't say for sure.

One more: does the NCSC get a feed of my data? No, we're not going to be doing a SOC as a service for you. It's completely your data, completely your infrastructure. You may choose to put the data into AWS Elasticsearch as a service; well, that's your shout, and at that point it's your decision for it to leave your shores. If it stays completely within your shores, it doesn't need internet connectivity to work either.

Can I use LME for threat hunting? I thought I'd put a picture of Red Dead Redemption in there because we're all geeks here. You can't; it's just that at the moment we're focusing on trying to provide a pane of glass, so you provide a customer experience, try and drive the adoption, lobby for it, say.

So what is the future of LME? We have active development within GitHub, so this screenshot was from, I think, last week; it's already out of date, we've already accepted a merge. So it was in the case of... we're doing it actively... we have a roadmap for the next two years. Another really cool thing is Mark Russinovich published last week, this month, a Sysmon version, turns out it would increase
DNS Hey and we're already looking at dashboards to include this later so top left we've got DNS query that's top 50 the NF and the bottom left is 25 apps calling DNS so in seek you start seeing some really what high value information being extracted out of this information she really cool and finally we would like to introduce more of the mitre attack framework we've heard lots this last few days it's a really valuable thing yeah and that's essentially it so as I've already alluded to you have a github we have a repo that anybody can contribute to or provide any issues or bug fixes etc take photo if you like just make sure I've got orange lantern
yard don't get me in it and please get involved ultimately adoption will make the tool better for everybody even if you create download it and only contribute a dashboard people were really value those dashboards that's enough no I mean so on github we've got like the issues tab and the will save once all the ideas to have whatever suggestions that people are actually actively kind of saying could you try this or obvious I've tried to install it and this has gone wrong and I son Convention as I don't mentioned earlier we've got somebody at NCC group who called uncle Duncan who's basically we've got them contracted out and they're checking get help every single day so they yeah they're on that so
that's that's in the my talk so hopefully is giving you overview of LME and kind of where it came from so it's a little bit more but it not massively technical but it be a background about the developments of it any questions you might think you didn't want it yeah so el-amin looks like it's designed for small little businesses small areas that don't have any security expertise never a limited IT capability yeah which are going to primarily be window shops you're going to be sporting happily Windows desktops you've chose to stick it on a Linux server it's most likely gonna be stuck under a desk forgotten about three years you know you've got a cold piece of kit
you can all your logs on the link server but that's probably not the expertise to be looked at what have you done to to ensure that doesn't become a security problem in itself yes so the Linux box I mean luckily because we run that scripts on the Linux box when you when you install it we do things like you know auto-updates is the first thing we do but we're kind of hoping that the box is secure it like stable enough that you can sit there and just also rotate the logs not run out of disk space but it was a big concern like seriously was because we we went to one customer and we said have you used Linux before and
this is a security person small is like 120 personal organization and they were like well we've I have a Linux box you know do now to enable had to now to update software and they're like oh don't worry can Google Apps gates because they have never done that before so it's a bit of a worry but the I think the challenge is I'm not sure in our position what else like I haven't come up a suitable turnit of this window space we had one of our other customers their gain windows windows all windows so they try to install blocker for Windows and then try to put Elkin to that so it's kind of a bit of a fudgy
way but then that runs on Linux anyway so yeah I mean if you've got any ideas on how else we can do it like database software that allows you to visualize this free doesn't need a license so that's kind of like we ended up going to an elastic search because it seemed like the most obvious solution and then it was kind of like how do you let them use elastic search but without making them realize they're actually using Linux like under the hood you know it's kind of we've even got things like when you're installing it it shows you how to use putty and winscp and stuff because literally screen grabs because we know that people probably have never done
that before the other thing to mention is the windows lock for Windows I think to let all the resources be available to the Linux box okay I'm the container so you may need the 16-gig on your host but that doesn't necessarily mean you'll pocket containing like she's gonna be able to make use of that so therefore the script may fail yes asacs which is quite java it's quite memory intensive we may need to relook into that when docket goes to the windows subsystem for linux or subsystem which i believe is going to be coming out soon so I completely take the point if somebody is window shop maybe six months time when that is a bit more
further down the line you don't have to rely on hyper being all the resources are available then yeah I don't see why that can be a thing it's kind of also I mentioned them that slide that Weaver ended up with like a kind of appliance because it's almost like it's like when you get like a network gear it's actually running Linux but the user doesn't kind of know so I'm hoping that hoping you'll be stable our test participant base be fine it's been running we've got one on our network it's not being rebooted for like since February something so any other questions no okay well thank you very much thank you [Applause]