Flat NDJSON Output Format

Newline-delimited JSON optimized for streaming and log analysis

Overview

The Flat NDJSON format outputs one JSON record per line, with each line representing a single cipher suite, certificate, crypto library, or other cryptographic asset. All nested structures are flattened using dot notation.

Output Modes

  • Full Mode (default): Contains ALL fields including verbose metadata, detailed certificate chains, and extended system information.
  • Standard Mode: Contains most fields but excludes verbose/debug details, certificate chains beyond chain.0, and extended hardware metadata.
  • Minimal Mode: Contains only essential identification, security status, and top-level scores. Best for high-volume collection.

Best For

  • ELK Stack ingestion
  • Streaming log analysis
  • Time-series databases
  • Log aggregation systems

Usage

./certscanner -host example.com \
  -outputformat flatndjson \
  -output stream.ndjson

Complete Flat NDJSON Schema

Schema Overview

Each line represents a single cryptographic asset event. Different event types share common base fields but include type-specific fields. The checkmark columns indicate which output mode includes each field.

Common Event Fields (All Events)

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| @timestamp | String | Yes | Event timestamp (ISO 8601) | "2025-09-02T13:45:30.123Z" | | | |
| event.action | String | Yes | Event type identifier | "cipher_suite_discovered" | | | |
| event.category | String | Yes | ECS event category | "host", "network" | | | |
| event.kind | String | Yes | ECS event kind (always "event") | "event" | | | |
| event.type | String | Yes | ECS event type | "info", "connection" | | | |
| event.dataset | String | Yes | Dataset name | "port_detail" | | | |
| tychon.type | String | Yes | Tychon-specific event type | "cipher" | | | |
| observer.hostname | String | Yes | Scanning system hostname | "scanner-host" | | | |
| observer.ip | Array | No | Scanner IP addresses | ["192.168.1.100"] | | | |
| observer.id | String | No | Host ID of scanning system | "host-abc123" | | | |
| observer.os.name | String | Yes | Scanner OS name | "Windows" | | | |
| observer.os.version | String | No | Scanner OS version | "10.0.19045" | | | |
| observer.os.family | String | No | OS family | "Darwin" | | | |
| observer.os.platform | String | No | OS platform name | "darwin" | | | |
| observer.os.kernel | String | No | Kernel version | "24.5.0" | | | |
| observer.architecture | String | No | CPU architecture | "x86_64" | | | |
| observer.cpu_cores | Integer | No | Number of physical CPU cores | 8 | | | |
| observer.cpu_logical_cores | Integer | No | Number of logical CPU cores | 16 | | | |
| observer.total_ram | Long | No | Total RAM in bytes | 34359738368 | | | |
| observer.cpu_vendor_id | String | No | CPU vendor identifier | "GenuineIntel" | | | |
| observer.cpu_model_name | String | No | CPU model name | "Intel Core i7" | | | |
| observer.kernel_arch | String | No | Kernel architecture | "x86_64" | | | |
| observer.virtualization_system | String | No | Virtualization system | "kvm" | | | |
| observer.virtualization_role | String | No | Virtualization role | "guest" | | | |
| observer.ram_used_percent | Float | No | RAM used percentage | 45.2 | | | |
| observer.system_uptime_seconds | Long | No | System uptime in seconds | 3456789 | | | |
| observer.openssl_version_used | String | No | OpenSSL version used | "OpenSSL 3.0.8" | | | |
| observer.openssl_path_used | String | No | Path to OpenSSL binary | "/usr/bin/openssl" | | | |
| observer.machine_serial_number | String | No | Machine serial number | "C02XG0F3JG5H" | | | |
| observer.bios_serial_number | String | No | BIOS serial number | "VMware-56 4d" | | | |
| observer.organization | String | No | Organization name | "Acme Corp" | | | |
| observer.domain | String | No | Domain name | "acme.local" | | | |
| observer.current_user | String | No | Current user | "admin" | | | |
| observer.user_uid | String | No | User UID | "1000" | | | |
| observer.user_gid | String | No | User GID | "1000" | | | |
| observer.user_home_dir | String | No | User home directory | "/home/admin" | | | |
| observer.fips_mode_enabled | Boolean | Yes | FIPS 140-2 mode status | true | | | |
| observer.bigfix_client_installed | Boolean | No | BigFix client installed | true | | | |
| observer.bigfix_client_id | String | No | BigFix client ID | "12345678" | | | |
| observer.software.name | String | Yes | Tool name | "TYCHON Quantum Readiness" | | | |
| observer.software.version | String | Yes | Tool version | "2.0.0" | | | |
| scan.type | String | Yes | Scan mode | "local" | | | |
| scan.target | String | Yes | Original target specification | "example.com:443" | | | |
| scan.target_input | String | No | Target input provided | "192.168.1.0/24" | | | |
| scan.timestamp | Date | No | Scan timestamp | "2025-09-15T10:15:39Z" | | | |
| scan.tags | String[] | No | Tags applied to scan | ["production"] | | | |
| tags | Array | No | Custom scan tags | ["prod", "compliance"] | | | |

Port Scan / Cipher Negotiation Fields

For events with event.dataset="port_detail"

Target & Server Fields

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| target_host.address | String | Target host address | "192.168.1.10" | | | |
| target_host.domain | String | Target host domain | "server.acme.local" | | | |
| target_host.ip | IP | Target host IP | "192.168.1.10" | | | |
| target_host.ipv4 | IP | Target host IPv4 | "192.168.1.10" | | | |
| target_host.ipv6 | IP | Target host IPv6 | "fe80::1" | | | |
| server.address | String | Server address | "192.168.1.10" | | | |
| server.port | Integer | Server port | 443 | | | |
| server.ip | IP | Server IP | "192.168.1.10" | | | |
| port.number | Integer | Port number | 443 | | | |
| port.status_overall | String | Port status | "open" | | | |
| port.protocol_detected | String | Detected protocol | "https" | | | |
| error.message | String | Error message if failed | "Connection timeout" | | | |
| network.protocol | String | Network protocol | "tls" | | | |
| network.transport | String | Network transport | "tcp" | | | |
| service.name | String | Service name | "https" | | | |
| service.version | String | Service version | "nginx/1.21.0" | | | |

Quantum Readiness Flags

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| quantum_ready | Boolean | Overall quantum readiness | true | | | |
| quantum_ready_kx | Boolean | Key exchange quantum-ready | true | | | |
| quantum_ready_cipher | Boolean | Cipher quantum-ready | true | | | |
| quantum_ready_cert | Boolean | Certificate quantum-ready | false | | | |

Cipher Negotiation Details

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| id | String | Universal document ID | "cn_abc123_443_tls13" | | | |
| _id | String | Elasticsearch document ID | "cn_abc123_443_tls13" | | | |
| tychon.cipher_negotiation.universal_id | String | Universal ID | "cn_abc123_443_tls13" | | | |
| tychon.cipher_negotiation.protocol | String | TLS protocol version | "TLSv1.3" | | | |
| tychon.cipher_negotiation.cipher_suite | String | Cipher suite name | "TLS_AES_256_GCM_SHA384" | | | |
| tychon.cipher_negotiation.key_length_bits | Integer | Key length in bits | 256 | | | |
| tychon.cipher_negotiation.negotiated_group | String | Negotiated group | "x25519" | | | |
| tychon.cipher_negotiation.ephemeral_key_length_bits | Integer | Ephemeral key length | 253 | | | |
| tychon.cipher_negotiation.peer_signing_digest | String | Peer signing digest | "SHA256" | | | |
| tychon.cipher_negotiation.alpn_protocol | String | ALPN protocol | "h2" | | | |
| tychon.cipher_negotiation.session_id | String | TLS session ID | "a1b2c3d4..." | | | |
| tychon.cipher_negotiation.session_ticket_lifetime_hint_seconds | Integer | Session ticket lifetime | 7200 | | | |
| tychon.cipher_negotiation.extended_master_secret_supported | Boolean | Extended master secret | true | | | |
| tychon.cipher_negotiation.tls13_early_data_supported | Boolean | TLS 1.3 early data | false | | | |
| tychon.cipher_negotiation.renegotiation_forbidden | Boolean | Renegotiation forbidden | true | | | |
| tychon.cipher_negotiation.compression_method | String | Compression method | "none" | | | |
| tychon.cipher_negotiation.is_preferred | Boolean | Is preferred cipher | true | | | |
| tychon.cipher_negotiation.source | String | Source of cipher info | "anchor" | | | |
| tychon.cipher_negotiation.probe_method | String | Probe method used | "utls_standard" | | | |
| tls.server.negotiated_group | String | Negotiated group (dashboard compat) | "x25519" | | | |

Cipher Intelligence Fields

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| tychon.cipher_negotiation.intel.encryption_algorithm | String | Encryption algorithm | "AES-GCM" | | | |
| tychon.cipher_negotiation.intel.key_exchange_algorithm | String | Key exchange algorithm | "ECDHE" | | | |
| tychon.cipher_negotiation.intel.authentication_algorithm | String | Authentication algorithm | "RSA" | | | |
| tychon.cipher_negotiation.intel.mac_algorithm | String | MAC algorithm | "AEAD" | | | |
| tychon.cipher_negotiation.intel.encryption_bits | Integer | Encryption bit strength | 256 | | | |
| tychon.cipher_negotiation.intel.key_exchange_bits | Integer | Key exchange bits | 256 | | | |
| tychon.cipher_negotiation.intel.authentication_bits | Integer | Authentication bits | 2048 | | | |
| tychon.cipher_negotiation.intel.overall_risk | String | Overall risk | "low" | | | |
| tychon.cipher_negotiation.intel.security_level | String | Security level | "high" | | | |
| tychon.cipher_negotiation.intel.is_quantum_ready | Boolean | Is quantum ready | false | | | |
| tychon.cipher_negotiation.intel.is_pqc | Boolean | Is post-quantum | false | | | |
| tychon.cipher_negotiation.intel.is_fips140_2_compliant | Boolean | FIPS 140-2 compliant | true | | | |
| tychon.cipher_negotiation.intel.is_nist_approved | Boolean | NIST approved | true | | | |
| tychon.cipher_negotiation.intel.nist_security_category | String | NIST category | "recommended" | | | |
| tychon.cipher_negotiation.intel.cve_list | String | Known CVEs | "" | | | |
| tychon.cipher_negotiation.intel.vulnerabilities | String | Known vulnerabilities | "" | | | |
| tychon.cipher_negotiation.intel.recommendations | String | Recommendations | "Use for production" | | | |
| tychon.cipher_negotiation.intel.description | String | Cipher description | "Modern AEAD cipher" | | | |
| tychon.cipher_negotiation.intel.openssl_name | String | OpenSSL name | "TLS_AES_256_GCM_SHA384" | | | |
| tychon.cipher_negotiation.intel.iana_name | String | IANA name | "TLS_AES_256_GCM_SHA384" | | | |
| tychon.cipher_negotiation.intel.tls_version_min | String | Minimum TLS version | "TLSv1.3" | | | |
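
A stream consumer for the port_detail fields listed above, as an added example (not the scanner's own code). It assumes each line is a flat object whose keys are the literal dotted names from the tables; the sample lines are constructed, and the function and variable names are hypothetical.

```python
import json

# Flat NDJSON keys are literal dotted strings ("event.dataset"), not nested objects.
COMPONENT_FLAGS = {
    "quantum_ready_kx": "key exchange",
    "quantum_ready_cipher": "cipher",
    "quantum_ready_cert": "certificate",
}

def triage(lines):
    """Return (findings, skipped_line_numbers) for port_detail events."""
    findings, skipped = [], []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(line_no)  # a cut-off line must not stop the stream
            continue
        if not isinstance(rec, dict) or rec.get("event.dataset") != "port_detail":
            continue
        if rec.get("quantum_ready") is True:
            continue
        # Fail closed: a missing flag is reported as unknown, never as ready.
        findings.append({
            "endpoint": f'{rec.get("server.address")}:{rec.get("server.port")}',
            "cipher_suite": rec.get("tychon.cipher_negotiation.cipher_suite"),
            "risk": rec.get("tychon.cipher_negotiation.intel.overall_risk"),
            "not_ready": [n for k, n in COMPONENT_FLAGS.items() if rec.get(k) is False],
            "unknown": [n for k, n in COMPONENT_FLAGS.items() if k not in rec],
        })
    return findings, skipped

# Constructed sample stream (not real scanner output).
SAMPLE_LINES = [
    json.dumps({"event.dataset": "port_detail", "server.address": "192.168.1.10",
                "server.port": 443, "quantum_ready": False,
                "quantum_ready_kx": True, "quantum_ready_cipher": True,
                "quantum_ready_cert": False,
                "tychon.cipher_negotiation.cipher_suite": "TLS_AES_256_GCM_SHA384",
                "tychon.cipher_negotiation.intel.overall_risk": "low"}),
    '{"event.dataset": "port_detail", "server.addr',  # truncated write
    json.dumps({"event.dataset": "certificate",
                "file.path": "/etc/ssl/certs/server.pem"}),
    json.dumps({"event.dataset": "port_detail", "server.address": "192.168.1.12",
                "server.port": 8443, "quantum_ready": True}),
    # Record with only the overall flag, as a reduced output mode might emit.
    json.dumps({"event.dataset": "port_detail", "server.address": "192.168.1.13",
                "server.port": 443, "quantum_ready": False}),
]

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LINES)
    for finding in found:
        print(json.dumps(finding))
    print("unparseable lines:", bad)
```
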

Filesystem Certificate Fields

For events with event.dataset="certificate" or event.dataset="private_key"

Certificate Subject & Issuer

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| file.path | String | Full path to certificate | "/etc/ssl/certs/server.pem" | | | |
| file.name | String | Certificate filename | "server.pem" | | | |
| file.extension | String | File extension | "pem" | | | |
| file.size | Integer | File size in bytes | 4096 | | | |
| file.mtime | Date | File modification time | "2024-01-15T12:30:00Z" | | | |
| file.owner.name | String | File owner | "root" | | | |
| file.group.name | String | File group | "root" | | | |
| file.permissions | String | File permissions | "0600" | | | |
| certificate.subject | String | Subject DN (raw) | "CN=example.com,O=Acme" | | | |
| certificate.subject_common_name | String | Subject CN | "example.com" | | | |
| certificate.subject_country | String[] | Subject country | ["US"] | | | |
| certificate.subject_organization | String[] | Subject organization | ["Acme"] | | | |
| certificate.subject_organizational_unit | String[] | Subject OU | ["IT"] | | | |
| certificate.subject_locality | String[] | Subject locality | ["SF"] | | | |
| certificate.subject_province | String[] | Subject province | ["CA"] | | | |
| certificate.issuer | String | Issuer DN (raw) | "CN=Root CA" | | | |
| certificate.issuer_common_name | String | Issuer CN | "Root CA" | | | |
| certificate.issuer_country | String[] | Issuer country | ["US"] | | | |
| certificate.issuer_organization | String[] | Issuer organization | ["Acme"] | | | |
| certificate.issuer_organizational_unit | String[] | Issuer OU | ["CA"] | | | |
| certificate.issuer_locality | String[] | Issuer locality | ["SF"] | | | |
| certificate.issuer_province | String[] | Issuer province | ["CA"] | | | |
| certificate.not_before | Date | Valid from | "2024-01-01T00:00:00Z" | | | |
| certificate.not_after | Date | Valid until | "2025-01-01T00:00:00Z" | | | |
| certificate.is_private_key | Boolean | Is private key file | false | | | |
| x509.subject.distinguished_name | String | Subject DN | "CN=example.com" | | | |
| x509.issuer.distinguished_name | String | Issuer DN | "CN=Root CA" | | | |
| x509.public_key_size | Integer | Public key size | 2048 | | | |
| crypto.key_algorithm | String | Key algorithm | "RSA" | | | |
| crypto.key_size | Integer | Key size in bits | 2048 | | | |
| crypto.signature_algorithm | String | Signature algorithm | "SHA256withRSA" | | | |
| hash.sha256_certificate | String | SHA-256 fingerprint | "a1b2c3..." | | | |

PQC Assessment

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| pqc.vulnerable | Boolean | Vulnerable to quantum attacks | true | | | |
| pqc.readiness | String | PQC readiness status | "not_ready" | | | |
| pqc.key_strength | String | Key strength assessment | "weak" | | | |
| pqc.quantum_risk | String | Quantum risk level | "high" | | | |
| pqc.recommended_action | String | Recommended action | "upgrade" | | | |
| pqc.migration_priority | String | Migration priority | "high" | | | |
| pqc.crypto_library | String | Crypto library used | "OpenSSL" | | | |
| pqc.reason | String | Vulnerability reason | "RSA-2048 vulnerable" | | | |

Certificate Chain Fields

Pattern: certificate.chain.N.* where N = 0, 1, 2... Standard mode includes only chain.0 fields.

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| certificate.chain.0.subject | String | Chain cert #0 subject DN | "CN=Cert 0" | | | |
| certificate.chain.0.issuer | String | Chain cert #0 issuer DN | "CN=Issuer 0" | | | |
| certificate.chain.0.serial_number | String | Chain cert #0 serial | "00:23:45" | | | |
| certificate.chain.0.not_before | Date | Chain cert #0 valid from | "2024-01-01T00:00:00Z" | | | |
| certificate.chain.0.not_after | Date | Chain cert #0 valid until | "2025-01-01T00:00:00Z" | | | |
| certificate.chain.0.signature_algorithm | String | Chain cert #0 sig algo | "SHA256withRSA" | | | |
| certificate.chain.0.public_key_algorithm | String | Chain cert #0 key algo | "RSA" | | | |
| certificate.chain.0.public_key_size | Integer | Chain cert #0 key size | 2048 | | | |
| certificate.chain.0.version | Integer | Chain cert #0 X.509 version | 3 | | | |
| certificate.chain.0.is_ca | Boolean | Chain cert #0 is CA | false | | | |
| certificate.chain.0.subject_common_name | String | Chain cert #0 subject CN | "CN 0" | | | |
| certificate.chain.0.issuer_common_name | String | Chain cert #0 issuer CN | "Issuer 0" | | | |
| certificate.chain.0.sha256_fingerprint | String | Chain cert #0 SHA-256 | "sha256_0..." | | | |
| certificate.chain.0.sha1_fingerprint | String | Chain cert #0 SHA-1 | "sha1_0..." | | | |
| certificate.chain.0.dns_names | String[] | Chain cert #0 DNS names | [] | | | |
| certificate.chain.1.subject | String | Chain cert #1 subject DN | "CN=Cert 1" | | | |
| certificate.chain.1.issuer | String | Chain cert #1 issuer DN | "CN=Issuer 1" | | | |
| certificate.chain.1.serial_number | String | Chain cert #1 serial | "01:23:45" | | | |
| certificate.chain.1.not_before | Date | Chain cert #1 valid from | "2024-02-01T00:00:00Z" | | | |
| certificate.chain.1.not_after | Date | Chain cert #1 valid until | "2025-02-01T00:00:00Z" | | | |
| certificate.chain.1.signature_algorithm | String | Chain cert #1 sig algo | "SHA256withRSA" | | | |
| certificate.chain.1.public_key_algorithm | String | Chain cert #1 key algo | "RSA" | | | |
| certificate.chain.1.public_key_size | Integer | Chain cert #1 key size | 2048 | | | |
| certificate.chain.1.version | Integer | Chain cert #1 X.509 version | 3 | | | |
| certificate.chain.1.is_ca | Boolean | Chain cert #1 is CA | true | | | |
| certificate.chain.1.subject_common_name | String | Chain cert #1 subject CN | "CN 1" | | | |
| certificate.chain.1.issuer_common_name | String | Chain cert #1 issuer CN | "Issuer 1" | | | |
| certificate.chain.1.sha256_fingerprint | String | Chain cert #1 SHA-256 | "sha256_1..." | | | |
| certificate.chain.1.sha1_fingerprint | String | Chain cert #1 SHA-1 | "sha1_1..." | | | |
| certificate.chain.1.dns_names | String[] | Chain cert #1 DNS names | [] | | | |
| certificate.chain.2.subject | String | Chain cert #2 subject DN | "CN=Cert 2" | | | |
| certificate.chain.2.issuer | String | Chain cert #2 issuer DN | "CN=Issuer 2" | | | |
| certificate.chain.2.serial_number | String | Chain cert #2 serial | "02:23:45" | | | |
| certificate.chain.2.not_before | Date | Chain cert #2 valid from | "2024-03-01T00:00:00Z" | | | |
| certificate.chain.2.not_after | Date | Chain cert #2 valid until | "2025-03-01T00:00:00Z" | | | |
| certificate.chain.2.signature_algorithm | String | Chain cert #2 sig algo | "SHA256withRSA" | | | |
| certificate.chain.2.public_key_algorithm | String | Chain cert #2 key algo | "RSA" | | | |
| certificate.chain.2.public_key_size | Integer | Chain cert #2 key size | 2048 | | | |
| certificate.chain.2.version | Integer | Chain cert #2 X.509 version | 3 | | | |
| certificate.chain.2.is_ca | Boolean | Chain cert #2 is CA | true | | | |
| certificate.chain.2.subject_common_name | String | Chain cert #2 subject CN | "CN 2" | | | |
| certificate.chain.2.issuer_common_name | String | Chain cert #2 issuer CN | "Issuer 2" | | | |
| certificate.chain.2.sha256_fingerprint | String | Chain cert #2 SHA-256 | "sha256_2..." | | | |
| certificate.chain.2.sha1_fingerprint | String | Chain cert #2 SHA-1 | "sha1_2..." | | | |
| certificate.chain.2.dns_names | String[] | Chain cert #2 DNS names | [] | | | |
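
Regrouping the `certificate.chain.N.*` keys back into an ordered chain, as an added example (not the scanner's own code). The record is constructed, the function names are hypothetical, and the issuer/subject comparison is a plain string match on the DNs as emitted, which is a consistency heuristic and not cryptographic path validation.

```python
import re
from datetime import datetime, timezone

CHAIN_KEY = re.compile(r"^certificate\.chain\.(\d+)\.(.+)$")

def rebuild_chain(record):
    """Group certificate.chain.N.* keys into a list ordered by N."""
    by_index = {}
    for key, value in record.items():
        match = CHAIN_KEY.match(key)
        if match:
            by_index.setdefault(int(match.group(1)), {})[match.group(2)] = value
    # Sort on the integer index so chain.10 comes after chain.9, not after chain.1.
    return [by_index[i] for i in sorted(by_index)]

def parse_ts(value):
    # Accept the trailing "Z" on Python versions where fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_chain(record, now):
    """Return (chain, issues) for one flat certificate record."""
    chain = rebuild_chain(record)
    issues = []
    for i, cert in enumerate(chain):
        not_after = cert.get("not_after")
        if not_after and parse_ts(not_after) <= now:
            issues.append(f"chain.{i} expired {not_after}")
        if i > 0 and cert.get("is_ca") is False:
            issues.append(f"chain.{i} is not a CA but sits above the leaf")
        if i + 1 < len(chain) and cert.get("issuer") != chain[i + 1].get("subject"):
            issues.append(f"chain.{i} issuer does not match chain.{i + 1} subject")
    if len(chain) == 1 and chain[0].get("issuer") != chain[0].get("subject"):
        # Standard mode emits only chain.0, so the rest cannot be checked here.
        issues.append("only chain.0 present; upper chain not in this record")
    return chain, issues

# Constructed sample record (not real scanner output).
SAMPLE_RECORD = {
    "event.dataset": "certificate",
    "file.path": "/etc/ssl/certs/server.pem",
    "certificate.chain.0.subject": "CN=example.com",
    "certificate.chain.0.issuer": "CN=Intermediate CA",
    "certificate.chain.0.not_after": "2025-01-01T00:00:00Z",
    "certificate.chain.0.is_ca": False,
    "certificate.chain.1.subject": "CN=Other CA",
    "certificate.chain.1.issuer": "CN=Root CA",
    "certificate.chain.1.not_after": "2030-01-01T00:00:00Z",
    "certificate.chain.1.is_ca": True,
}

if __name__ == "__main__":
    fixed_now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    _, problems = check_chain(SAMPLE_RECORD, fixed_now)
    for problem in problems:
        print(problem)
```
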

Keystore Certificate Fields

For events with event.dataset="keystore_certificate"

Keystore Metadata & Encryption

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| keystore.path | String | Path to keystore | "/home/user/keystore.p12" | | | |
| keystore.type | String | Keystore type | "PKCS12" | | | |
| keystore.accessible | Boolean | Is accessible | true | | | |
| keystore.requires_auth | Boolean | Requires authentication | true | | | |
| keystore.cert_count | Integer | Number of certificates | 10 | | | |
| keystore.owner | String | Keystore owner | "root" | | | |
| keystore.permissions | String | File permissions | "600" | | | |
| keystore.error_message | String | Error message | "" | | | |
| keystore.encryption.algorithm | String | Encryption algorithm | "PBEWithHmacSHA256" | | | |
| keystore.encryption.kdf | String | Key derivation function | "PBKDF2" | | | |
| keystore.encryption.iterations | Integer | KDF iterations | 10000 | | | |
| keystore.encryption.mac | String | MAC algorithm | "HmacSHA256" | | | |
| keystore.encryption.vulnerable | Boolean | Is encryption vulnerable | false | | | |
| keystore.encryption.reason | String | Vulnerability reason | "" | | | |
| keystore.encryption.iv_length | Integer | IV length in bytes | 16 | | | |
| keystore.encryption.salt_length | Integer | Salt length in bytes | 16 | | | |
| file.size | Long | File size in bytes | 4096 | | | |
| file.mtime | Date | Last modified | "2024-12-15T10:30:00Z" | | | |

Certificate Details in Keystore

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| certificate.alias | String | Certificate alias | "server-cert" | | | |
| certificate.is_ca | Boolean | Is CA certificate | false | | | |
| certificate.is_self_signed | Boolean | Is self-signed | false | | | |
| certificate.has_private_key | Boolean | Has private key | true | | | |
| tls.certificate.subject | String | Certificate subject | "CN=example.com" | | | |
| tls.certificate.issuer | String | Certificate issuer | "CN=Root CA" | | | |
| tls.certificate.not_before | Date | Valid from | "2024-01-01T00:00:00Z" | | | |
| tls.certificate.not_after | Date | Valid until | "2025-01-01T00:00:00Z" | | | |
| tls.certificate.serial_number | String | Serial number | "01:23:45" | | | |
| tls.certificate.extended_key_usage | String[] | Extended key usage | ["serverAuth"] | | | |
| tls.server.subject | String | Subject (compat) | "CN=example.com" | | | |
| tls.server.issuer | String | Issuer (compat) | "CN=Root CA" | | | |
| tls.server.not_before | Date | Valid from (compat) | "2024-01-01T00:00:00Z" | | | |
| tls.server.not_after | Date | Valid until (compat) | "2025-01-01T00:00:00Z" | | | |
| tls.server.serial_number | String | Serial (compat) | "01:23:45" | | | |
| tls.server.hash.sha1 | String | SHA-1 thumbprint | "abc123..." | | | |
| vulnerability.is_vulnerable | Boolean | Is vulnerable | true | | | |
| vulnerability.risk_level | String | Risk level | "high" | | | |
| vulnerability.risk_reason | String | Risk reason | "RSA-2048" | | | |
| vulnerability.cve_list | String[] | CVE list | [] | | | |
| active | Boolean | Is active | true | | | |
| last_seen | Date | Last seen | "2025-01-16T10:15:39Z" | | | |

Keystore Statistics

For events with event.dataset="keystore" (summary events)

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| keystore.stats.vulnerable_certificates | Integer | Count of vulnerable certs | 2 | | | |
| keystore.stats.pqc_vulnerable_certificates | Integer | Count of PQC vulnerable | 5 | | | |
| keystore.stats.expired_certificates | Integer | Count of expired | 1 | | | |
| keystore.stats.certificate_types.ca | Integer | Count of CA certs | 3 | | | |
| keystore.stats.certificate_types.end_entity | Integer | Count of end-entity | 7 | | | |
| keystore.stats.key_algorithms.RSA | Integer | Count of RSA keys | 8 | | | |
| keystore.stats.key_algorithms.ECDSA | Integer | Count of ECDSA keys | 2 | | | |

Crypto Library Fields

For events with event.dataset="memory_scan" or event.dataset="java_crypto"

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| vulnerability.is_vulnerable | Boolean | Is library vulnerable | true | | | |
| vulnerability.risk_level | String | Risk level | "high" | | | |
| vulnerability.risk_reason | String | Risk reason | "Known CVE" | | | |
| vulnerability.cve_list | String[] | List of CVEs | ["CVE-2023-1234"] | | | |
| vulnerability.fixed_in_version | String | Fixed in version | "1.1.1t" | | | |
| vulnerability.assessed_at | Date | Assessment timestamp | "2025-01-16T10:15:39Z" | | | |
| java.vendor | String | Java vendor (Java only) | "Oracle Corporation" | | | |
| java.version | String | Java version (Java only) | "11.0.16" | | | |

Note: Additional library.* fields are dynamically flattened from the CryptoLibrary structure.

VPN Client & IPSec Tunnel Fields

VPN Client Fields

For events with event.dataset="vpn"

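| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| file.path | String | VPN install path | "C:\Program Files\VPN" | | | |
| service.name | String | VPN service name | "OpenVPN" | | | |
| service.state | String | VPN service state | "running" | | | |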

Note: Additional vpn_client.* fields are dynamically flattened from the VPNClientInfo structure.

IPSec Tunnel Fields

For events with event.dataset="ipsec"

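| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| source.ip | IP | Local endpoint IP | "10.0.0.1" | | | |
| destination.ip | IP | Remote endpoint IP | "10.0.1.1" | | | |
| source.network | String | Local subnet | "10.0.0.0/24" | | | |
| destination.network | String | Remote subnet | "10.0.1.0/24" | | | |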

Note: Additional ipsec_tunnel.* fields are dynamically flattened from the IPSecTunnelInfo structure.

Quantum Readiness Assessment Fields

For events with event.dataset="quantum_assessment" (local mode only)

Note: This section contains 70+ fields. Only top-level fields are shown for brevity. Refer to the source code for complete field documentation.

Top-Level Assessment Fields

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| quantum_readiness.assessment_id | String | Assessment ID | "qr_20250915_abc123" | | | |
| quantum_readiness.timestamp | String | Assessment timestamp | "2025-09-15T10:15:39Z" | | | |
| quantum_readiness.assessment_type | String | Assessment type | "comprehensive" | | | |
| quantum_readiness.overall_score | Integer | Overall score (0-100) | 64 | | | |
| quantum_readiness.readiness_status | String | Readiness status | "Update Required" | | | |
| quantum_readiness.status_color | String | Status color | "orange" | | | |
| quantum_readiness.ready_timeline | String | Timeline to readiness | "2-6 months" | | | |

Additional Quantum Readiness Sections:

  • quantum_readiness.hardware.* - 22 fields covering CPU, memory, security hardware
  • quantum_readiness.operating_system.* - 16 fields covering OS, crypto APIs, PQC support
  • quantum_readiness.crypto_libraries.* - 8+ fields covering OpenSSL, system libraries
  • quantum_readiness.network.* - 12 fields covering bandwidth, protocols, TLS
  • quantum_readiness.upgrade_pathway.* - 6 fields for first upgrade step
  • quantum_readiness.compliance.* - 4 fields for compliance status
  • quantum_readiness.system_classification.* - 4 fields