Flat NDJSON Output Format

Newline-delimited JSON optimized for streaming and log analysis

Overview

The Flat NDJSON format outputs one JSON record per line, with each line representing a single cipher suite, certificate, crypto library, or other cryptographic asset. All nested structures are flattened using dot notation.

Output Modes

  • Full Mode (default): Contains ALL fields including verbose metadata, detailed certificate chains, and extended system information.
  • Standard Mode: Contains most fields but excludes verbose/debug details, certificate chains beyond chain.0, and extended hardware metadata.
  • Minimal Mode: Contains only essential identification, security status, and top-level scores. Best for high-volume collection.

Best For

  • ELK Stack ingestion
  • Streaming log analysis
  • Time-series databases
  • Log aggregation systems

Usage

./certscanner -host example.com \
  -outputformat flatndjson \
  -output stream.ndjson

Complete Flat NDJSON Schema

Schema Overview

Each line represents a single cryptographic asset event. Different event types share common base fields but include type-specific fields. The checkmark columns indicate which output mode includes each field.

Common Event Fields (All Events)

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| @timestamp | String | Yes | Event timestamp (ISO 8601) | "2025-09-02T13:45:30.123Z" | | | |
| event.action | String | Yes | Event type identifier | "cipher_suite_discovered" | | | |
| event.category | String | Yes | ECS event category | "host", "network" | | | |
| event.kind | String | Yes | ECS event kind (always "event") | "event" | | | |
| event.type | String | Yes | ECS event type | "info", "connection" | | | |
| event.dataset | String | Yes | Dataset name | "port_detail" | | | |
| tychon.type | String | Yes | Tychon-specific event type | "cipher" | | | |
| tychon.index | String | Yes | Elasticsearch index routing slug. Full index name = tychon-pqc-{tychon.index}. Stamped on every event so consumers can route documents without their own mapping table. | "ciphers" | | | |
| observer.hostname | String | Yes | Scanning system hostname | "scanner-host" | | | |
| observer.ip | Array | No | Scanner IP addresses | ["192.168.1.100"] | | | |
| observer.id | String | No | Host ID of scanning system | "host-abc123" | | | |
| observer.os.name | String | Yes | Scanner OS name | "Windows" | | | |
| observer.os.version | String | No | Scanner OS version | "10.0.19045" | | | |
| observer.os.family | String | No | OS family | "Darwin" | | | |
| observer.os.platform | String | No | OS platform name | "darwin" | | | |
| observer.os.kernel | String | No | Kernel version | "24.5.0" | | | |
| observer.os.build | String | No | OS build number (Windows only — e.g., "19045") | "19045" | | | |
| observer.architecture | String | No | CPU architecture | "x86_64" | | | |
| observer.cpu_cores | Integer | No | Number of physical CPU cores | 8 | | | |
| observer.cpu_logical_cores | Integer | No | Number of logical CPU cores | 16 | | | |
| observer.total_ram | Long | No | Total RAM in bytes | 34359738368 | | | |
| observer.cpu_vendor_id | String | No | CPU vendor identifier | "GenuineIntel" | | | |
| observer.cpu_model_name | String | No | CPU model name | "Intel Core i7" | | | |
| observer.kernel_arch | String | No | Kernel architecture | "x86_64" | | | |
| observer.virtualization_system | String | No | Virtualization system | "kvm" | | | |
| observer.virtualization_role | String | No | Virtualization role | "guest" | | | |
| observer.ram_used_percent | Float | No | RAM used percentage | 45.2 | | | |
| observer.system_uptime_seconds | Long | No | System uptime in seconds | 3456789 | | | |
| observer.openssl_version_used | String | No | OpenSSL version used | "OpenSSL 3.0.8" | | | |
| observer.openssl_path_used | String | No | Path to OpenSSL binary | "/usr/bin/openssl" | | | |
| observer.machine_serial_number | String | No | Machine serial number | "C02XG0F3JG5H" | | | |
| observer.bios_serial_number | String | No | BIOS serial number | "VMware-56 4d" | | | |
| observer.organization | String | No | Organization name | "Acme Corp" | | | |
| observer.domain | String | No | Domain name | "acme.local" | | | |
| observer.current_user | String | No | Current user | "admin" | | | |
| observer.user_uid | String | No | User UID | "1000" | | | |
| observer.user_gid | String | No | User GID | "1000" | | | |
| observer.user_home_dir | String | No | User home directory | "/home/admin" | | | |
| observer.fips_mode_enabled | Boolean | Yes | FIPS 140-2 mode status | true | | | |
| observer.bigfix_client_installed | Boolean | No | BigFix client installed | true | | | |
| observer.bigfix_client_id | String | No | BigFix client ID | "12345678" | | | |
| observer.is_vdi_environment | Boolean | No | True when scanner runs in a non-persistent VDI session (VMware Horizon, Citrix, AVD) | true | | | |
| observer.vdi_identity_source | String | No | Method used to resolve stable host identity in VDI mode: cli_override, profile_file, username_hash, or gopsutil | "profile_file" | | | |
| observer.output_schema_version | String | Yes | Version of the flat NDJSON output schema. | "3.0" | | | |
| observer.software.name | String | Yes | Tool name | "TYCHON Quantum Readiness" | | | |
| observer.software.version | String | Yes | Tool version | "2.0.0" | | | |
| scan.type | String | Yes | Scan mode | "local" | | | |
| scan.target | String | Yes | Original target specification | "example.com:443" | | | |
| scan.target_input | String | No | Target input provided | "192.168.1.0/24" | | | |
| scan.timestamp | Date | No | Scan timestamp | "2025-09-15T10:15:39Z" | | | |
| scan.tags | String[] | No | Tags applied to scan | ["production"] | | | |
| tags | Array | No | Custom scan tags | ["prod", "compliance"] | | | |

Port Scan / Cipher Negotiation Fields

For events with event.dataset="port_detail". One row per (host, port) — upserted on each scan using a stable id derived from SHA-256(port_detail | hostname | host | port). When a server is upgraded from TLS 1.2 to TLS 1.3, the document is updated in-place rather than creating a new one. The preferred (highest-priority) cipher appears in tls.server.cipher; the full supported set is comma-joined in tls.server.supported_ciphers.

Target & Server Fields

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| target_host.address | String | Target host address | "192.168.1.10" | | | |
| target_host.domain | String | Target host domain | "server.acme.local" | | | |
| target_host.ip | IP | Target host IP | "192.168.1.10" | | | |
| target_host.ipv4 | IP | Target host IPv4 | "192.168.1.10" | | | |
| target_host.ipv6 | IP | Target host IPv6 | "fe80::1" | | | |
| server.address | String | Server address | "192.168.1.10" | | | |
| server.port | Integer | Server port | 443 | | | |
| server.ip | IP | Server IP | "192.168.1.10" | | | |
| port.number | Integer | Port number | 443 | | | |
| port.status_overall | String | Port status | "open" | | | |
| port.protocol_detected | String | Detected protocol | "https" | | | |
| error.message | String | Error message if failed | "Connection timeout" | | | |
| network.protocol | String | Network protocol | "tls" | | | |
| network.transport | String | Network transport | "tcp" | | | |
| service.name | String | Service name | "https" | | | |
| service.version | String | Service version | "nginx/1.21.0" | | | |

Quantum Readiness Flags

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| quantum_ready | Boolean | | Overall quantum readiness | true | | | |
| quantum_ready_kx | Boolean | | Key exchange quantum-ready | true | | | |
| quantum_ready_cipher | Boolean | | Cipher quantum-ready | true | | | |
| quantum_ready_cert | Boolean | | Certificate quantum-ready | false | | | |
| tychon.crypto.protocol | String | No | Canonical protocol name — always TLS for cipher events | "TLS" | | | |
| tychon.crypto.protocol_version | String | No | TLS version number (e.g. 1.3, 1.2) | "1.3" | | | |
| tychon.crypto.key_exchange | String | No | Negotiated key exchange group (e.g. x25519, X25519MLKEM768) | "X25519MLKEM768" | | | |
| tychon.crypto.cipher | String | No | Bulk cipher extracted from cipher suite (e.g. AES-256-GCM) | "AES-256-GCM" | | | |
| tychon.crypto.mac | String | No | MAC / AEAD tag algorithm (e.g. SHA-384) | "SHA-384" | | | |
| tychon.crypto.auth | String | No | Server authentication / signature digest (e.g. RSA-SHA256) | "RSA-SHA256" | | | |
| tychon.crypto.pqc_vulnerable | Boolean | No | True when key exchange or cipher is vulnerable to a quantum computer | false | | | |
| tychon.crypto.pqc_readiness | String | No | Canonical readiness: ready, transitional, vulnerable, or critical | "ready" | | | |
| tychon.crypto.quantum_risk | String | No | Canonical risk: none, low, medium, high, or critical | "none" | | | |

TLS Summary Fields

Preferred cipher is the server's top choice; full enumeration is comma-joined for easy querying without array handling.

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| id | String | Stable upsert ID — SHA-256(port_detail \| hostname \| host \| port) truncated to 16 hex chars. Remote scans exclude observer ID for cross-scanner deduplication. | "a3f1bc920d4e8f12" | | | |
| tls.server.cipher | String | Preferred cipher suite name | "TLS_AES_256_GCM_SHA384" | | | |
| tls.server.protocol_version | String | Preferred TLS protocol version | "TLSv1.3" | | | |
| tls.server.negotiated_group | String | Preferred key exchange group | "X25519MLKEM768" | | | |
| tls.server.supported_ciphers | String | Comma-joined list of all supported cipher suites | "TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256" | | | |
| tls.server.cipher_count | Integer | Number of supported cipher suites discovered | 2 | | | |
| tls.server.supported_protocols | String | Comma-joined list of all supported TLS protocol versions | "TLSv1.3, TLSv1.2" | | | |
| tls.server.supported_key_exchanges | String | Comma-joined list of all key exchange groups offered | "X25519MLKEM768, x25519, secp256r1" | | | |
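
How a consumer can apply the routing and upsert rules described for port_detail events, as an added example (not TYCHON's own code): it builds the index name from tychon.index, keeps one document per id even when lines arrive out of order, and splits the comma-joined fields. The function names, the legacy-protocol set and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Assumption for this example: protocol labels treated as legacy.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed records: the same (host, port) before and after a TLS 1.3 upgrade.
BEFORE = {
    "@timestamp": "2025-09-01T08:00:00.000Z",
    "event.dataset": "port_detail",
    "tychon.index": "ciphers",
    "id": "a3f1bc920d4e8f12",
    "server.address": "192.168.1.10",
    "server.port": 443,
    "tls.server.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "tls.server.supported_protocols": "TLSv1.2, TLSv1.0",
    "tls.server.supported_key_exchanges": "x25519, secp256r1",
    "quantum_ready_kx": False,
}
AFTER = {
    **BEFORE,
    "@timestamp": "2025-09-02T13:45:30.123Z",
    "tls.server.cipher": "TLS_AES_256_GCM_SHA384",
    "tls.server.supported_protocols": "TLSv1.3, TLSv1.2",
    "tls.server.supported_key_exchanges": "X25519MLKEM768, x25519, secp256r1",
    "quantum_ready_kx": True,
}
# Constructed stream: newer record first, a blank line, a truncated line,
# then the older record (out-of-order delivery).
SAMPLE_NDJSON = "\n".join(
    [json.dumps(AFTER), "", '{"event.dataset": "port_det', json.dumps(BEFORE)]
) + "\n"


def parse_ndjson(text):
    """Return (events, rejected_line_numbers); a bad line never aborts the stream."""
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)
            continue
        # This example needs both keys: one to route, one to upsert.
        if isinstance(record, dict) and "tychon.index" in record and "id" in record:
            events.append(record)
        else:
            rejected.append(lineno)
    return events, rejected


def index_name(event):
    """Full index name = tychon-pqc-{tychon.index}, as the schema states."""
    return "tychon-pqc-" + event["tychon.index"]


def split_joined(value):
    """Turn a comma-joined field back into a list of trimmed items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def _ts(event):
    # fromisoformat() on older Python versions does not accept a trailing "Z".
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def upsert(store, event):
    """Keep one document per (index, id); an older event never overwrites a newer one."""
    key = (index_name(event), event["id"])
    current = store.get(key)
    if current is None or _ts(event) >= _ts(current):
        store[key] = event
    return store


def findings(event):
    """Defender-side checks on one port_detail document."""
    notes = []
    protocols = split_joined(event.get("tls.server.supported_protocols"))
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if legacy:
        notes.append("legacy protocols enabled: " + ", ".join(legacy))
    if event.get("quantum_ready_kx") is False:
        groups = split_joined(event.get("tls.server.supported_key_exchanges"))
        notes.append("key exchange not quantum-ready: " + ", ".join(groups))
    return notes


def ingest(text):
    events, rejected = parse_ndjson(text)
    store = {}
    for event in events:
        upsert(store, event)
    return store, rejected


if __name__ == "__main__":
    docs, bad_lines = ingest(SAMPLE_NDJSON)
    for (index, doc_id), doc in docs.items():
        print(index, doc_id, doc["tls.server.cipher"], findings(doc))
    print("rejected lines:", bad_lines)
```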

Cipher Intelligence Fields

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| tychon.cipher_negotiation.intel.encryption_algorithm | String | Encryption algorithm | "AES-GCM" | | | |
| tychon.cipher_negotiation.intel.key_exchange_algorithm | String | Key exchange algorithm | "ECDHE" | | | |
| tychon.cipher_negotiation.intel.authentication_algorithm | String | Authentication algorithm | "RSA" | | | |
| tychon.cipher_negotiation.intel.mac_algorithm | String | MAC algorithm | "AEAD" | | | |
| tychon.cipher_negotiation.intel.encryption_bits | Integer | Encryption bit strength | 256 | | | |
| tychon.cipher_negotiation.intel.key_exchange_bits | Integer | Key exchange bits | 256 | | | |
| tychon.cipher_negotiation.intel.authentication_bits | Integer | Authentication bits | 2048 | | | |
| tychon.cipher_negotiation.intel.overall_risk | String | Overall risk | "low" | | | |
| tychon.cipher_negotiation.intel.security_level | String | Security level | "high" | | | |
| tychon.cipher_negotiation.intel.is_quantum_ready | Boolean | Is quantum ready | false | | | |
| tychon.cipher_negotiation.intel.is_pqc | Boolean | Is post-quantum | false | | | |
| tychon.cipher_negotiation.intel.is_fips140_2_compliant | Boolean | FIPS 140-2 compliant | true | | | |
| tychon.cipher_negotiation.intel.is_nist_approved | Boolean | NIST approved | true | | | |
| tychon.cipher_negotiation.intel.nist_security_category | String | NIST category | "recommended" | | | |
| tychon.cipher_negotiation.intel.cve_list | String | Known CVEs | "" | | | |
| tychon.cipher_negotiation.intel.vulnerabilities | String | Known vulnerabilities | "" | | | |
| tychon.cipher_negotiation.intel.recommendations | String | Recommendations | "Use for production" | | | |
| tychon.cipher_negotiation.intel.description | String | Cipher description | "Modern AEAD cipher" | | | |
| tychon.cipher_negotiation.intel.openssl_name | String | OpenSSL name | "TLS_AES_256_GCM_SHA384" | | | |
| tychon.cipher_negotiation.intel.iana_name | String | IANA name | "TLS_AES_256_GCM_SHA384" | | | |
| tychon.cipher_negotiation.intel.tls_version_min | String | Minimum TLS version | "TLSv1.3" | | | |

Filesystem Certificate Fields

For events with event.dataset="certificate" or event.dataset="private_key"

Certificate Subject & Issuer

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| file.path | String | | Full path to certificate | "/etc/ssl/certs/server.pem" | | | |
| file.name | String | | Certificate filename | "server.pem" | | | |
| file.extension | String | | File extension | "pem" | | | |
| file.size | Integer | | File size in bytes | 4096 | | | |
| file.mtime | Date | | File modification time | "2024-01-15T12:30:00Z" | | | |
| file.owner.name | String | | File owner | "root" | | | |
| file.group.name | String | | File group | "root" | | | |
| file.permissions | String | | File permissions | "0600" | | | |
| certificate.subject | String | | Subject DN (raw) | "CN=example.com,O=Acme" | | | |
| certificate.subject_common_name | String | | Subject CN | "example.com" | | | |
| certificate.subject_country | String[] | | Subject country | ["US"] | | | |
| certificate.subject_organization | String[] | | Subject organization | ["Acme"] | | | |
| certificate.subject_organizational_unit | String[] | | Subject OU | ["IT"] | | | |
| certificate.subject_locality | String[] | | Subject locality | ["SF"] | | | |
| certificate.subject_province | String[] | | Subject province | ["CA"] | | | |
| certificate.issuer | String | | Issuer DN (raw) | "CN=Root CA" | | | |
| certificate.issuer_common_name | String | | Issuer CN | "Root CA" | | | |
| certificate.issuer_country | String[] | | Issuer country | ["US"] | | | |
| certificate.issuer_organization | String[] | | Issuer organization | ["Acme"] | | | |
| certificate.issuer_organizational_unit | String[] | | Issuer OU | ["CA"] | | | |
| certificate.issuer_locality | String[] | | Issuer locality | ["SF"] | | | |
| certificate.issuer_province | String[] | | Issuer province | ["CA"] | | | |
| certificate.not_before | Date | | Valid from | "2024-01-01T00:00:00Z" | | | |
| certificate.not_after | Date | | Valid until | "2025-01-01T00:00:00Z" | | | |
| certificate.is_private_key | Boolean | | Is private key file | false | | | |
| x509.subject.distinguished_name | String | | Subject DN | "CN=example.com" | | | |
| x509.issuer.distinguished_name | String | | Issuer DN | "CN=Root CA" | | | |
| x509.public_key_size | Integer | | Public key size | 2048 | | | |
| crypto.key_algorithm | String | | Key algorithm | "RSA" | | | |
| crypto.key_size | Integer | | Key size in bits | 2048 | | | |
| crypto.signature_algorithm | String | | Signature algorithm | "SHA256withRSA" | | | |
| hash.sha256_certificate | String | | SHA-256 fingerprint | "a1b2c3..." | | | |
| tychon.crypto.protocol | String | No | Always X.509 for filesystem certificate events | "X.509" | | | |
| tychon.crypto.cipher | String | No | Public key algorithm (e.g. RSA-2048, ECDSA-P256) | "RSA-2048" | | | |
| tychon.crypto.pqc_vulnerable | Boolean | No | True when the certificate's public key algorithm is vulnerable to a quantum computer | true | | | |
| tychon.crypto.pqc_readiness | String | No | Canonical readiness: ready, transitional, vulnerable, or critical | "vulnerable" | | | |
| tychon.crypto.quantum_risk | String | No | Canonical risk: none, low, medium, high, or critical | "high" | | | |

PQC Assessment

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| pqc.vulnerable | Boolean | Vulnerable to quantum attacks | true | | | |
| pqc.readiness | String | PQC readiness status | "not_ready" | | | |
| pqc.key_strength | String | Key strength assessment | "weak" | | | |
| pqc.quantum_risk | String | Quantum risk level | "high" | | | |
| pqc.recommended_action | String | Recommended action | "upgrade" | | | |
| pqc.migration_priority | String | Migration priority | "high" | | | |
| pqc.crypto_library | String | Crypto library used | "OpenSSL" | | | |
| pqc.reason | String | Vulnerability reason | "RSA-2048 vulnerable" | | | |

Certificate Chain Fields

Pattern: certificate.chain.N.* where N = 0, 1, 2... Standard mode includes only chain.0 fields.

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| certificate.chain.0.subject | String | Chain cert #0 subject DN | "CN=Cert 0" | | | |
| certificate.chain.0.issuer | String | Chain cert #0 issuer DN | "CN=Issuer 0" | | | |
| certificate.chain.0.serial_number | String | Chain cert #0 serial | "00:23:45" | | | |
| certificate.chain.0.not_before | Date | Chain cert #0 valid from | "2024-01-01T00:00:00Z" | | | |
| certificate.chain.0.not_after | Date | Chain cert #0 valid until | "2025-01-01T00:00:00Z" | | | |
| certificate.chain.0.signature_algorithm | String | Chain cert #0 sig algo | "SHA256withRSA" | | | |
| certificate.chain.0.public_key_algorithm | String | Chain cert #0 key algo | "RSA" | | | |
| certificate.chain.0.public_key_size | Integer | Chain cert #0 key size | 2048 | | | |
| certificate.chain.0.version | Integer | Chain cert #0 X.509 version | 3 | | | |
| certificate.chain.0.is_ca | Boolean | Chain cert #0 is CA | false | | | |
| certificate.chain.0.subject_common_name | String | Chain cert #0 subject CN | "CN 0" | | | |
| certificate.chain.0.issuer_common_name | String | Chain cert #0 issuer CN | "Issuer 0" | | | |
| certificate.chain.0.sha256_fingerprint | String | Chain cert #0 SHA-256 | "sha256_0..." | | | |
| certificate.chain.0.sha1_fingerprint | String | Chain cert #0 SHA-1 | "sha1_0..." | | | |
| certificate.chain.0.dns_names | String[] | Chain cert #0 DNS names | [] | | | |
| certificate.chain.1.subject | String | Chain cert #1 subject DN | "CN=Cert 1" | | | |
| certificate.chain.1.issuer | String | Chain cert #1 issuer DN | "CN=Issuer 1" | | | |
| certificate.chain.1.serial_number | String | Chain cert #1 serial | "01:23:45" | | | |
| certificate.chain.1.not_before | Date | Chain cert #1 valid from | "2024-02-01T00:00:00Z" | | | |
| certificate.chain.1.not_after | Date | Chain cert #1 valid until | "2025-02-01T00:00:00Z" | | | |
| certificate.chain.1.signature_algorithm | String | Chain cert #1 sig algo | "SHA256withRSA" | | | |
| certificate.chain.1.public_key_algorithm | String | Chain cert #1 key algo | "RSA" | | | |
| certificate.chain.1.public_key_size | Integer | Chain cert #1 key size | 2048 | | | |
| certificate.chain.1.version | Integer | Chain cert #1 X.509 version | 3 | | | |
| certificate.chain.1.is_ca | Boolean | Chain cert #1 is CA | true | | | |
| certificate.chain.1.subject_common_name | String | Chain cert #1 subject CN | "CN 1" | | | |
| certificate.chain.1.issuer_common_name | String | Chain cert #1 issuer CN | "Issuer 1" | | | |
| certificate.chain.1.sha256_fingerprint | String | Chain cert #1 SHA-256 | "sha256_1..." | | | |
| certificate.chain.1.sha1_fingerprint | String | Chain cert #1 SHA-1 | "sha1_1..." | | | |
| certificate.chain.1.dns_names | String[] | Chain cert #1 DNS names | [] | | | |
| certificate.chain.2.subject | String | Chain cert #2 subject DN | "CN=Cert 2" | | | |
| certificate.chain.2.issuer | String | Chain cert #2 issuer DN | "CN=Issuer 2" | | | |
| certificate.chain.2.serial_number | String | Chain cert #2 serial | "02:23:45" | | | |
| certificate.chain.2.not_before | Date | Chain cert #2 valid from | "2024-03-01T00:00:00Z" | | | |
| certificate.chain.2.not_after | Date | Chain cert #2 valid until | "2025-03-01T00:00:00Z" | | | |
| certificate.chain.2.signature_algorithm | String | Chain cert #2 sig algo | "SHA256withRSA" | | | |
| certificate.chain.2.public_key_algorithm | String | Chain cert #2 key algo | "RSA" | | | |
| certificate.chain.2.public_key_size | Integer | Chain cert #2 key size | 2048 | | | |
| certificate.chain.2.version | Integer | Chain cert #2 X.509 version | 3 | | | |
| certificate.chain.2.is_ca | Boolean | Chain cert #2 is CA | true | | | |
| certificate.chain.2.subject_common_name | String | Chain cert #2 subject CN | "CN 2" | | | |
| certificate.chain.2.issuer_common_name | String | Chain cert #2 issuer CN | "Issuer 2" | | | |
| certificate.chain.2.sha256_fingerprint | String | Chain cert #2 SHA-256 | "sha256_2..." | | | |
| certificate.chain.2.sha1_fingerprint | String | Chain cert #2 SHA-1 | "sha1_2..." | | | |
| certificate.chain.2.dns_names | String[] | Chain cert #2 DNS names | [] | | | |
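
Regrouping the certificate.chain.N.* keys of one flat event into an ordered chain and checking it, as an added example (not TYCHON's own code). The function names and sample events are constructed for illustration, and comparing issuer and subject DNs as plain strings is a simplifying assumption.

```python
import re
from datetime import datetime

# Matches certificate.chain.<N>.<field>; N is compared as an integer so that
# chain.10 sorts after chain.2.
CHAIN_KEY = re.compile(r"^certificate\.chain\.(\d+)\.(.+)$")

# Constructed flat event in Full-mode shape; DNs and dates are illustrative.
SAMPLE_EVENT = {
    "event.dataset": "certificate",
    "file.path": "/etc/ssl/certs/server.pem",
    "certificate.chain.0.subject": "CN=example.com",
    "certificate.chain.0.issuer": "CN=Intermediate CA",
    "certificate.chain.0.not_after": "2025-06-01T00:00:00Z",
    "certificate.chain.0.public_key_size": 2048,
    "certificate.chain.0.is_ca": False,
    "certificate.chain.1.subject": "CN=Intermediate CA",
    "certificate.chain.1.issuer": "CN=Root CA",
    "certificate.chain.1.not_after": "2025-02-01T00:00:00Z",
    "certificate.chain.1.is_ca": True,
    "certificate.chain.2.subject": "CN=Root CA",
    "certificate.chain.2.issuer": "CN=Root CA",
    "certificate.chain.2.not_after": "2030-01-01T00:00:00Z",
    "certificate.chain.2.is_ca": True,
}

# Constructed broken event: the chain.1 keys are missing entirely.
BROKEN_EVENT = {k: v for k, v in SAMPLE_EVENT.items() if ".chain.1." not in k}


def chain_from_flat(event):
    """Return [(N, {field: value}), ...] ordered by N."""
    by_index = {}
    for key, value in event.items():
        match = CHAIN_KEY.match(key)
        if match:
            by_index.setdefault(int(match.group(1)), {})[match.group(2)] = value
    return [(n, by_index[n]) for n in sorted(by_index)]


def chain_issues(chain):
    """Structural checks that need no cryptography, only the flattened fields.

    A Standard-mode event carries chain.0 only and passes these checks; the
    absence of chain.1 there is a property of the output mode, not a finding.
    """
    issues = []
    indices = [n for n, _ in chain]
    if indices != list(range(len(indices))):
        issues.append("non-contiguous chain indices: %s" % indices)
    for (n, cert), (m, parent) in zip(chain, chain[1:]):
        if cert.get("issuer") != parent.get("subject"):
            issues.append("chain.%d issuer does not match chain.%d subject" % (n, m))
        if parent.get("is_ca") is False:
            issues.append("chain.%d sits above chain.%d but is_ca is false" % (m, n))
    return issues


def earliest_expiry(chain):
    """Return (N, not_after) for the certificate that expires first, or None."""
    dated = [
        (datetime.fromisoformat(cert["not_after"].replace("Z", "+00:00")), n, cert["not_after"])
        for n, cert in chain
        if cert.get("not_after")
    ]
    if not dated:
        return None
    _, index, raw = min(dated)
    return index, raw


if __name__ == "__main__":
    for name, event in (("sample", SAMPLE_EVENT), ("broken", BROKEN_EVENT)):
        chain = chain_from_flat(event)
        print(name, [n for n, _ in chain], chain_issues(chain), earliest_expiry(chain))
```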

Keystore Certificate Fields

For events with event.dataset="keystore_certificate"

Keystore Metadata & Encryption

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| keystore.path | String | Path to keystore | "/home/user/keystore.p12" | | | |
| keystore.type | String | Keystore type | "PKCS12" | | | |
| keystore.accessible | Boolean | Is accessible | true | | | |
| keystore.requires_auth | Boolean | Requires authentication | true | | | |
| keystore.cert_count | Integer | Number of certificates | 10 | | | |
| keystore.owner | String | Keystore owner | "root" | | | |
| keystore.permissions | String | File permissions | "600" | | | |
| keystore.error_message | String | Error message | "" | | | |
| keystore.encryption.algorithm | String | Encryption algorithm | "PBEWithHmacSHA256" | | | |
| keystore.encryption.kdf | String | Key derivation function | "PBKDF2" | | | |
| keystore.encryption.iterations | Integer | KDF iterations | 10000 | | | |
| keystore.encryption.mac | String | MAC algorithm | "HmacSHA256" | | | |
| keystore.encryption.vulnerable | Boolean | Is encryption vulnerable | false | | | |
| keystore.encryption.reason | String | Vulnerability reason | "" | | | |
| keystore.encryption.iv_length | Integer | IV length in bytes | 16 | | | |
| keystore.encryption.salt_length | Integer | Salt length in bytes | 16 | | | |
| file.size | Long | File size in bytes | 4096 | | | |
| file.mtime | Date | Last modified | "2024-12-15T10:30:00Z" | | | |

Certificate Details in Keystore

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| certificate.alias | String | | Certificate alias | "server-cert" | | | |
| certificate.is_ca | Boolean | | Is CA certificate | false | | | |
| certificate.is_self_signed | Boolean | | Is self-signed | false | | | |
| certificate.has_private_key | Boolean | | Has private key | true | | | |
| tls.certificate.subject | String | | Certificate subject | "CN=example.com" | | | |
| tls.certificate.issuer | String | | Certificate issuer | "CN=Root CA" | | | |
| tls.certificate.not_before | Date | | Valid from | "2024-01-01T00:00:00Z" | | | |
| tls.certificate.not_after | Date | | Valid until | "2025-01-01T00:00:00Z" | | | |
| tls.certificate.serial_number | String | | Serial number | "01:23:45" | | | |
| tls.certificate.extended_key_usage | String[] | | Extended key usage | ["serverAuth"] | | | |
| tls.server.subject | String | | Subject (compat) | "CN=example.com" | | | |
| tls.server.issuer | String | | Issuer (compat) | "CN=Root CA" | | | |
| tls.server.not_before | Date | | Valid from (compat) | "2024-01-01T00:00:00Z" | | | |
| tls.server.not_after | Date | | Valid until (compat) | "2025-01-01T00:00:00Z" | | | |
| tls.server.serial_number | String | | Serial (compat) | "01:23:45" | | | |
| tls.server.hash.sha1 | String | | SHA-1 thumbprint | "abc123..." | | | |
| vulnerability.is_vulnerable | Boolean | | Is vulnerable | true | | | |
| vulnerability.risk_level | String | | Risk level | "high" | | | |
| vulnerability.risk_reason | String | | Risk reason | "RSA-2048" | | | |
| vulnerability.cve_list | String[] | | CVE list | [] | | | |
| active | Boolean | | Is active | true | | | |
| last_seen | Date | | Last seen | "2025-01-16T10:15:39Z" | | | |
| tychon.crypto.protocol | String | No | Always X.509 for keystore certificate events | "X.509" | | | |
| tychon.crypto.cipher | String | No | Key algorithm (e.g. RSA-2048, EC) | "RSA-2048" | | | |
| tychon.crypto.pqc_vulnerable | Boolean | No | True when the certificate's key algorithm is vulnerable to a quantum computer | true | | | |
| tychon.crypto.pqc_readiness | String | No | vulnerable or transitional based on pqc_vulnerable flag | "vulnerable" | | | |
| tychon.crypto.quantum_risk | String | No | high or low based on pqc_vulnerable flag | "high" | | | |

Keystore Statistics

For events with event.dataset="keystore" (summary events)

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| keystore.stats.vulnerable_certificates | Integer | Count of vulnerable certs | 2 | | | |
| keystore.stats.pqc_vulnerable_certificates | Integer | Count of PQC vulnerable | 5 | | | |
| keystore.stats.expired_certificates | Integer | Count of expired | 1 | | | |
| keystore.stats.certificate_types.ca | Integer | Count of CA certs | 3 | | | |
| keystore.stats.certificate_types.end_entity | Integer | Count of end-entity | 7 | | | |
| keystore.stats.key_algorithms.RSA | Integer | Count of RSA keys | 8 | | | |
| keystore.stats.key_algorithms.ECDSA | Integer | Count of ECDSA keys | 2 | | | |

Crypto Library Fields

For events with event.dataset="memory_scan" or event.dataset="java_crypto"

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| id | String | | Universal document ID | "mem_abc123_libssl" | | | |
| event.kind | String | | ECS event kind | "event" | | | |
| vulnerability.is_vulnerable | Boolean | | Is library vulnerable | true | | | |
| vulnerability.risk_level | String | | Risk level | "high" | | | |
| vulnerability.risk_reason | String | | Risk reason | "Known CVE" | | | |
| vulnerability.cve_list | String[] | | List of CVEs | ["CVE-2023-1234"] | | | |
| vulnerability.fixed_in_version | String | | Fixed in version | "1.1.1t" | | | |
| vulnerability.assessed_at | Date | | Assessment timestamp | "2025-01-16T10:15:39Z" | | | |
| tychon.library.uses_openssl | Boolean | | Process links against OpenSSL | true | | | |
| tychon.library.openssl_version | String | | OpenSSL version in use by this process | "OpenSSL 3.0.8" | | | |
| tychon.library.openssl_pqc_status | String | | PQC readiness of the OpenSSL version | "not_supported" | | | |
| tychon.library.uses_libressl | Boolean | | Process links against LibreSSL | false | | | |
| tychon.library.libressl_version | String | | LibreSSL version in use (if applicable) | "LibreSSL 3.7.2" | | | |
| tychon.library.libressl_pqc_status | String | | PQC readiness of the LibreSSL version | "not_supported" | | | |
| tychon.library.uses_apple_security | Boolean | | Process uses Apple Security framework (macOS only) | true | | | |
| tychon.library.apple_security_pqc_status | String | | PQC readiness of the Apple Security framework version | "partial" | | | |
| java.vendor | String | | Java vendor (Java only) | "Oracle Corporation" | | | |
| java.version | String | | Java version (Java only) | "11.0.16" | | | |
| tychon.crypto.protocol | String | No | Always library for crypto library events | "library" | | | |
| tychon.crypto.cipher | String | No | Library name (e.g. OpenSSL, LibreSSL) | "OpenSSL" | | | |
| tychon.crypto.pqc_vulnerable | Boolean | No | True when the library is not quantum-ready | true | | | |
| tychon.crypto.pqc_readiness | String | No | Canonical readiness: ready, transitional, vulnerable, or critical | "vulnerable" | | | |
| tychon.crypto.quantum_risk | String | No | Canonical risk: none, low, medium, high, or critical | "high" | | | |

Note: Additional library.* fields are dynamically flattened from the CryptoLibrary structure.

VPN Client & IPSec Tunnel Fields

VPN Client Fields

For events with event.dataset="vpn"

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| id | String | | Universal document ID | "vpn_abc123_openvpn" | | | |
| event.kind | String | | ECS event kind | "event" | | | |
| file.path | String | | VPN install path | "C:\Program Files\VPN" | | | |
| service.name | String | | VPN service name | "OpenVPN" | | | |
| service.state | String | | VPN service state | "running" | | | |
| vpn_client.name | String | | VPN client product name | "OpenVPN" | | | |
| vpn_client.version | String | | Installed client version | "2.6.1" | | | |
| vpn_client.status | String | | Current client status | "connected" | | | |
| vpn_client.vendor | String | | Vendor / publisher name | "OpenVPN Inc." | | | |
| vpn_client.install_path | String | | Installation directory | "C:\Program Files\OpenVPN" | | | |
| vpn_connection.server_address | String | | VPN server address | "vpn.example.com" | | | |
| vpn_connection.server_port | Integer | | VPN server port | 1194 | | | |
| vpn_connection.protocol | String | | VPN tunnel protocol | "UDP" | | | |
| vpn_connection.encryption_algorithm | String | | Negotiated encryption algorithm | "AES-256-GCM" | | | |
| vpn_connection.key_exchange_algorithm | String | | Key exchange algorithm | "ECDH" | | | |
| vpn_connection.dh_group | String | | Diffie-Hellman group used | "Group-20" | | | |
| security.score | Integer | | Overall security score (0-100) | 72 | | | |
| security.pqc_support | Boolean | | Supports post-quantum crypto | false | | | |
| security.weak_crypto | Boolean | | Uses weak/deprecated crypto | false | | | |
| vpn_config.authentication_method | String | | Auth method (password, certificate, MFA) | "certificate" | | | |
| vpn_config.dns_leak_protection | Boolean | | DNS leak protection enabled | true | | | |
| vpn_config.kill_switch | Boolean | | Kill switch enabled | true | | | |
| vpn_config.split_tunneling | Boolean | | Split tunneling enabled | false | | | |
| pqc.is_pqc_ready | Boolean | | Whether client is PQC-ready | false | | | |
| pqc.supported_algorithms | String[] | | List of PQC algorithms supported | [] | | | |
| pqc.quantum_resistance | String | | Quantum resistance level: none, partial, full | "none" | | | |
| pqc.pqc_migration_status | String | | Migration status: not_started, in_progress, complete | "not_started" | | | |
| tychon.crypto.protocol | String | No | VPN protocol (e.g. WireGuard, OpenVPN) from the connection's Protocol field | "OpenVPN" | | | |
| tychon.crypto.key_exchange | String | No | Key exchange algorithm from connection | "ECDH" | | | |
| tychon.crypto.cipher | String | No | Encryption algorithm from connection (e.g. AES-256-GCM) | "AES-256-GCM" | | | |
| tychon.crypto.mac | String | No | Authentication algorithm from connection (e.g. HMAC-SHA2-256) | "HMAC-SHA2-256" | | | |
| tychon.crypto.auth | String | No | Authentication method (e.g. PSK, Certificate) | "Certificate" | | | |
| tychon.crypto.pqc_vulnerable | Boolean | No | True when key exchange or cipher is vulnerable to a quantum computer | true | | | |
| tychon.crypto.pqc_readiness | String | No | Canonical readiness: ready, transitional, vulnerable, or critical | "vulnerable" | | | |
| tychon.crypto.quantum_risk | String | No | Canonical risk: none, low, medium, high, or critical | "high" | | | |

IPSec Tunnel Fields

For events with event.dataset="ipsec"

| Field | Type | Required | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|---|
| source.ip | IP | | Local endpoint IP | "10.0.0.1" | | | |
| destination.ip | IP | | Remote endpoint IP | "10.0.1.1" | | | |
| source.network | String | | Local subnet | "10.0.0.0/24" | | | |
| destination.network | String | | Remote subnet | "10.0.1.0/24" | | | |
| tychon.crypto.protocol | String | No | Always IPSec for IPSec tunnel events | "IPSec" | | | |
| tychon.crypto.key_exchange | String | No | Key exchange group (e.g. modp14) | "modp14" | | | |
| tychon.crypto.cipher | String | No | Encryption algorithm (e.g. AES-256-GCM) | "AES-256-GCM" | | | |
| tychon.crypto.mac | String | No | Integrity algorithm (e.g. HMAC-SHA2-256) | "HMAC-SHA2-256" | | | |
| tychon.crypto.auth | String | No | Authentication method (e.g. PSK, Certificate) | "PSK" | | | |
| tychon.crypto.pqc_vulnerable | Boolean | No | True when key exchange or cipher is vulnerable to a quantum computer | true | | | |
| tychon.crypto.pqc_readiness | String | No | Canonical readiness: ready, transitional, vulnerable, or critical | "vulnerable" | | | |
| tychon.crypto.quantum_risk | String | No | Canonical risk: none, low, medium, high, or critical | "high" | | | |

Note: Additional ipsec_tunnel.* fields are dynamically flattened from the IPSecTunnelInfo structure.

Quantum Readiness Assessment Fields

Local mode only. The quantum assessment produces three separate flat datasets — all routed to tychon.index="system-readiness" — so that NDJSON consumers (Elasticsearch, Splunk, NoSQL stores) can query each dimension without handling nested arrays.

Three datasets emitted:
  • quantum_assessment — one row per host: OS info, overall scores, hardware, network, crypto libraries, cost analysis totals, and OS-level cost breakdown
  • quantum_assessment.app_group — one row per application family: remediation cost by app family (labor hours, cost, tier)
  • quantum_assessment.critical_issue — one row per critical finding: severity, component, issue text, impact, resolution, blocking flag

Dataset: quantum_assessment — Top-Level Fields

Stable ID: SHA-256(quantum_readiness | hostname | observerID) truncated to 16 hex chars.

| Field | Type | Description | Example |
|---|---|---|---|
| quantum_readiness.overall_score | Integer | Overall score (0–100) | 64 |
| quantum_readiness.readiness_status | String | Readiness status label | "Update Required" |
| quantum_readiness.ready_timeline | String | Estimated timeline to readiness | "2-6 months" |
| quantum_readiness.cost_analysis.total_labor_hours | Float | Total estimated remediation labor hours | 48.0 |
| quantum_readiness.cost_analysis.total_cost_usd | Float | Total estimated remediation cost (USD) | 9600.0 |
| quantum_readiness.cost_analysis.os_category | String | OS upgrade category (flattened from single-entry OS list) | "Windows Server" |
| quantum_readiness.cost_analysis.os_upgrade_target | String | Target OS version for PQC readiness | "Windows Server 2025" |
| quantum_readiness.cost_analysis.os_total_cost_usd | Float | OS upgrade total cost estimate (USD) | 2400.0 |

Additional sub-namespaces: quantum_readiness.hardware.* (22 fields), quantum_readiness.operating_system.* (16 fields), quantum_readiness.crypto_libraries.* (8+ fields), quantum_readiness.network.* (12 fields), quantum_readiness.upgrade_pathway.* (6 fields), quantum_readiness.compliance.* (4 fields).

Dataset: quantum_assessment.app_group — Per-App-Family Cost

One row per application family. Stable ID: SHA-256(quantum_assessment_app_group | hostname | appFamily | observerID) truncated to 16 hex chars.

| Field | Type | Description | Example |
|---|---|---|---|
| quantum_readiness.cost_analysis.app_family | String | Application family name | "Web Servers" |
| quantum_readiness.cost_analysis.tier | String | Remediation tier (e.g. standard, complex) | "standard" |
| quantum_readiness.cost_analysis.instance_count | Integer | Number of instances in this family | 3 |
| quantum_readiness.cost_analysis.labor_hours | Float | Estimated labor hours for this family | 16.0 |
| quantum_readiness.cost_analysis.labor_cost_usd | Float | Estimated labor cost (USD) for this family | 3200.0 |
| quantum_readiness.cost_analysis.total_cost_usd | Float | Total estimated cost (USD) for this family | 3200.0 |

Dataset: quantum_assessment.critical_issue — Per-Issue Findings

One row per critical finding. Stable ID: SHA-256(quantum_assessment_critical_issue | hostname | component | severity | issue | observerID) truncated to 16 hex chars.

| Field | Type | Description | Example |
|---|---|---|---|
| quantum_readiness.issue.severity | String | Issue severity level | "critical" |
| quantum_readiness.issue.component | String | Affected component name | "TLS Configuration" |
| quantum_readiness.issue.issue | String | Issue description | "TLSv1.0 still enabled" |
| quantum_readiness.issue.impact | String | Business / security impact | "Vulnerable to POODLE and BEAST attacks" |
| quantum_readiness.issue.resolution | String | Recommended resolution action | "Disable TLSv1.0 in server configuration" |
| quantum_readiness.issue.blocking | Boolean | True when this issue blocks PQC readiness | true |

Application Event Fields (NEW)

For events with event.dataset="tychon.application" (local mode with -cipherscanquick only). One row per (application × port) — each listening port on a process gets its own document. Applications with no detected ports emit a single app-level row with no port fields. The stable id is SHA-256(tychon_application | hostname | name | path | port) truncated to 16 hex chars, so an IIS cipher upgrade updates the existing document rather than creating a new one.

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| event.dataset | String | Always "tychon.application" | "tychon.application" | | | |
| event.category | String | Always "process" | "process" | | | |
| event.type | String | Always "info" | "info" | | | |
| process.name | String | Process name | "nginx" | | | |
| process.pid | Integer | Process ID | 1234 | | | |
| process.executable | String | Full path to the executable | "/usr/sbin/nginx" | | | |
| process.command_line | String | Launch command line | "nginx -g daemon off;" | | | |
| process.working_directory | String | Working directory of the process | "/etc/nginx" | | | |
| process.source | String | How the application was discovered: "process", "port", "connected", etc. | "process" | | | |
| crypto_library_count | Integer | Count of crypto libraries found for this application | 3 | | | |
| keystore_count | Integer | Count of keystores found for this application | 1 | | | |
| in_memory_cert_count | Integer | Count of in-memory certificates found for this application | 2 | | | |
| tychon.application.port | Integer | Listening port for this row. Absent if the application has no detected ports. | 443 | | | |
| tychon.application.protocol_detected | String | Protocol detected on this port (e.g. "https", "tls") | "https" | | | |
| tychon.application.preferred_protocol | String | Best TLS protocol version negotiated on this port | "TLSv1.3" | | | |
| tychon.application.preferred_cipher | String | Preferred cipher suite on this port | "TLS_AES_256_GCM_SHA384" | | | |
| tychon.application.preferred_key_exchange | String | Preferred key exchange group on this port | "X25519MLKEM768" | | | |
| tychon.application.quantum_ready | Boolean | True when this port's cipher configuration is quantum-ready | true | | | |
| tychon.application.supported_protocols | String | Comma-joined list of all TLS versions supported on this port | "TLSv1.3, TLSv1.2" | | | |
| tychon.application.supported_cipher_suites | String | Comma-joined list of all cipher suites on this port | "TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256" | | | |
| tychon.application.connected_to | String | Comma-joined list of outbound TLS destinations (ip:port pairs). Only present when -scanconnected is active. | "10.0.1.5:443, 10.0.1.6:8443" | | | |
| tychon.library.uses_openssl | Boolean | Application links against OpenSSL | true | | | |
| tychon.library.openssl_version | String | OpenSSL version used by this application | "OpenSSL 3.0.8" | | | |
| tychon.library.openssl_pqc_status | String | PQC readiness of the OpenSSL version | "not_supported" | | | |
| tychon.library.uses_libressl | Boolean | Application links against LibreSSL | false | | | |
| tychon.library.libressl_version | String | LibreSSL version used by this application | "LibreSSL 3.7.2" | | | |
| tychon.library.libressl_pqc_status | String | PQC readiness of the LibreSSL version | "not_supported" | | | |
| tychon.library.uses_apple_security | Boolean | Application uses Apple Security framework (macOS only) | true | | | |
| tychon.library.apple_security_pqc_status | String | PQC readiness of the Apple Security framework version | "partial" | | | |

Note: All fields are flat scalars. Multi-value fields (supported protocols, cipher suites, key exchanges, connected destinations) are emitted as comma-joined strings for compatibility with all NDJSON consumers. The application-level quantum grade fields (tychon.application.quantum_grade.*) are on each port row.

Application Certificate Fields (NEW)

For events with event.dataset="tychon.app_certificate". Each event represents a certificate discovered in connection with a specific running application (process).

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| id | String | Universal document ID | "appcert_abc123" | | | |
| event.kind | String | ECS event kind | "event" | | | |
| process.name | String | Owning process name | "nginx" | | | |
| process.pid | Integer | Owning process ID | 1234 | | | |
| x509.subject.distinguished_name | String | Certificate subject DN | "CN=example.com,O=Acme" | | | |
| x509.issuer.distinguished_name | String | Certificate issuer DN | "CN=Root CA" | | | |
| x509.not_before | Date | Certificate valid from | "2024-01-01T00:00:00Z" | | | |
| x509.not_after | Date | Certificate valid until | "2025-01-01T00:00:00Z" | | | |
| x509.serial_number | String | Certificate serial number | "01:23:45:67" | | | |
| x509.public_key_algorithm | String | Public key algorithm | "RSA" | | | |
| x509.public_key_size | Integer | Public key size in bits | 2048 | | | |
| x509.signature_algorithm | String | Signature algorithm | "SHA256withRSA" | | | |
| tychon.application.name | String | Application name (mirrors process.name) | "nginx" | | | |
| tychon.application.executable | String | Full path to the executable | "/usr/sbin/nginx" | | | |
| vulnerability.is_vulnerable | Boolean | Certificate is quantum-vulnerable | true | | | |
| vulnerability.risk_level | String | Risk level: low, medium, high, critical | "high" | | | |

PQC Inventory Fields (NEW)

For events with event.dataset="tychon.pqc_inventory". Summary inventory events emitted at the end of a scan, grouping cryptographic assets by host.

| Field | Type | Description | Example | Full | Standard | Minimal |
|---|---|---|---|---|---|---|
| id | String | Universal document ID | "pqcinv_abc123" | | | |
| event.kind | String | ECS event kind | "event" | | | |
| host.hostname | String | Target hostname | "server01.acme.local" | | | |
| host.ip | String | Target IP address | "192.168.1.10" | | | |
| inventory.total_assets | Integer | Total cryptographic assets discovered | 42 | | | |
| inventory.vulnerable_assets | Integer | Count of quantum-vulnerable assets | 28 | | | |
| inventory.pqc_ready_assets | Integer | Count of PQC-ready assets | 5 | | | |
| inventory.certificates | Integer | Count of certificates discovered | 15 | | | |
| inventory.keystores | Integer | Count of keystores discovered | 3 | | | |
| inventory.crypto_libraries | Integer | Count of unique crypto libraries in use | 8 | | | |
| inventory.vpn_clients | Integer | Count of VPN clients detected | 1 | | | |