EventLog Output Format

Windows Event Log integration for enterprise SIEM systems

Overview

The EventLog format writes scan results directly to the Windows Event Log, enabling seamless integration with Windows-based SIEM systems and enterprise monitoring solutions.

Platform Support

  • Windows: Native Event Log API (Application log)
  • macOS: Unified logging system (visible via log show commands)
  • Linux: System log (rsyslog/journald)
  • Event Source: "TYCHON Quantum Readiness"
  • New: VPN client and IPSec tunnel events

Usage

Windows (requires Administrator privileges):

.\certscanner-windows-amd64.exe -mode local -outputformat eventlog

macOS (events are written to the unified logging system):

# Intel Macs
./certscanner-darwin-amd64 -mode local -outputformat eventlog

# Apple Silicon Macs
./certscanner-darwin-arm64 -mode local -outputformat eventlog

Linux (events are written to the system log via journald/rsyslog):

./certscanner-linux-x64 -mode local -outputformat eventlog

Event Log Structure

Event Properties

| Property   | Value                    | Description                       |
|------------|--------------------------|-----------------------------------|
| Source     | TYCHON Quantum Readiness | Application event source          |
| Log        | Application              | Windows Application Event Log     |
| Event Type | Information              | Informational event level         |
| Event ID   | 1001-1004                | Different IDs for each asset type |
| Message    | JSON Data                | Complete JSON with all scan data  |

Event ID Mapping

| Event ID | Event Type                   | Description                                           |
|----------|------------------------------|-------------------------------------------------------|
| 1001     | Cipher Discovery             | TLS cipher suite discovered                           |
| 1002     | Certificate Discovery        | Filesystem certificate found                          |
| 1003     | Library Discovery            | Crypto library in memory                              |
| 1004     | Archive Discovery            | Outlook archive file found                            |
| 1005     | Quantum Readiness Assessment | System quantum readiness evaluation (local mode only) |

Event Message JSON Schema

Each event log entry contains a complete JSON message with the scan data. To ensure reliable delivery to system logs, the following verbose fields are removed before logging: raw certificate data (raw_pem, signature_hex, rsa_modulus_hex, raw_der_base64), detailed certificate extensions (basic_constraints, subject_alternative_names), non-essential timestamps, and verbose process details.

⚠️ Message Optimization

To ensure reliable delivery to system logs, verbose certificate fields are automatically removed before logging. All essential certificate metadata is preserved for analysis.

Complete Schema Reference

All event types share common fields with type-specific additions. Optional fields marked with * may not be present in all events.

| Field Path | Type | Events | Description |
|------------|------|--------|-------------|
| @timestamp | string | All | ISO 8601 timestamp |
| tychon.type | string | All | Event type: cipher, filesystem, library, java_crypto_library, archivefile |
| tychon.scan_mode | string | All | Scan mode used |
| tychon.scan_timestamp | timestamp | All | When the scan was performed |
| tychon.scanner_version | string | All | Scanner version number |
| tychon.host.machine_serial_number* | string | All | Machine serial number |
| tychon.active* | boolean | All | Whether the asset is currently active |
| tychon.last_seen* | timestamp | All | Last seen timestamp (when not active) |
| certificate.is_file | string | All | "true" or "false": whether the certificate is file-based |
| tags* | array | All | User-defined tags |
| Cipher Events (ID 1001) - Network TLS connections | | | |
| tychon.pqc_vulnerable* | boolean | 1001 | Whether the cipher is post-quantum vulnerable |
| tychon.cipher.detail.security* | string | 1001 | Security level (low, medium, high) |
| tychon.cipher.detail.is_quantum_ready* | boolean | 1001 | Post-quantum readiness |
| tychon.cipher.detail.algo.auth* | string | 1001 | Authentication algorithm |
| tychon.cipher.is_preferred* | boolean | 1001 | Whether the cipher is the server's preferred choice |
| server.address | string | 1001 | Target server address |
| server.ip | string | 1001 | Target server IP address |
| server.port | integer | 1001 | Target server port |
| service.protocol.type | string | 1001 | Protocol type (TLS) |
| service.protocol.name | string | 1001 | Protocol version name |
| tls.cipher | string | 1001 | TLS cipher suite name |
| tls.version_protocol | string | 1001 | TLS protocol name |
| tls.version | string | 1001 | TLS version number |
| X.509 Certificate Fields - Present in events 1001, 1002 | | | |
| x509.version_number | integer | 1001, 1002 | X.509 certificate version |
| x509.serial_number | string | 1001, 1002 | Certificate serial number |
| x509.signature_algorithm | string | 1001, 1002 | Signature algorithm used |
| x509.issuer.common_name | string | 1001, 1002 | Issuer common name |
| x509.issuer.country | string | 1001, 1002 | Issuer country code |
| x509.issuer.locality | string | 1001, 1002 | Issuer locality |
| x509.issuer.organization | string | 1001, 1002 | Issuer organization |
| x509.issuer.organizational_unit | string | 1001, 1002 | Issuer organizational unit |
| x509.issuer.state_or_province | string | 1001, 1002 | Issuer state or province |
| x509.subject.* | string | 1001, 1002 | Same fields as issuer, for the subject |
| x509.not_before | timestamp | 1001, 1002 | Certificate valid-from date |
| x509.not_after | timestamp | 1001, 1002 | Certificate expiration date |
| x509.is_valid | boolean | 1001, 1002 | Whether the certificate is currently valid |
| x509.public_key_algorithm | string | 1001, 1002 | Public key algorithm |
| x509.public_key_size | integer | 1001, 1002 | Public key size in bits |
| x509.is_self_signed | boolean | 1001, 1002 | Whether the certificate is self-signed |
| x509.hash | string | 1001, 1002 | SHA256 fingerprint |
| Process Information - Present in events 1001, 1003 | | | |
| process.pid | integer | 1001, 1003 | Process ID |
| process.name | string | 1001, 1003 | Process name |
| process.executable | string | 1001, 1003 | Executable file path |
| File Information - Present in events 1001, 1002, 1003, 1004 | | | |
| file.path | string | All | Full file path |
| file.name | string | All | File name only |
| file.size* | integer | 1001, 1002, 1004 | File size in bytes |
| file.mtime* | timestamp | 1001, 1002, 1004 | Last modification time |
| file.hash.sha1* | string | 1001, 1002, 1004 | SHA1 hash |
| file.hash.sha256* | string | 1001, 1002, 1004 | SHA256 hash |
| PE/Library Information - Present in events 1001, 1003 | | | |
| pe.file_version* | string | 1001, 1003 | File version from PE header |
| pe.product_version* | string | 1001, 1003 | Product version |
| Archive Information - Present in event 1004 | | | |
| archive.encrypted | boolean | 1004 | Whether the archive is encrypted |
| archive.type | string | 1004 | Archive type (PST, OST; e.g., outlook_pst) |
| archive.encryption.enabled | boolean | 1004 | Whether the archive is encrypted |
| archive.encryption.type | string | 1004 | Encryption type |
| archive.encryption.strength | string | 1004 | Encryption strength |
| archive.format.version | string | 1004 | Archive format version |
| Quantum Readiness Assessment - Present in event 1005 | | | |
| quantum.assessment_id | string | 1005 | Unique assessment identifier |
| quantum.system_type | string | 1005 | System classification (workstation, server) |
| quantum.criticality_level | string | 1005 | System criticality level |
| quantum.overall_score | integer | 1005 | Total quantum readiness score (0-100) |
| quantum.readiness_status | string | 1005 | Overall readiness status |
| quantum.hardware_score | integer | 1005 | Hardware assessment score (0-40) |
| quantum.os_score | integer | 1005 | Operating system score (0-30) |
| quantum.crypto_score | integer | 1005 | Crypto library score (0-25) |
| quantum.network_score | integer | 1005 | Network readiness score (0-5) |
| quantum.recommendations | string | 1005 | Comma-separated actionable recommendations |
| quantum.timeline | string | 1005 | Estimated timeline to quantum readiness |

Cipher Event Schema (Event ID 1001) - Cross-Platform

{
  "@timestamp": "2025-09-09T13:00:17.000Z",
  "tychon": {
    "type": "cipher",
    "scan_mode": "local", 
    "scan_timestamp": "2025-09-09T13:00:17.000Z",
    "scanner_version": "1.0.43",
    "host": {
      "machine_serial_number": "ABC123DEF456"
    },
    "pqc_vulnerable": true,
    "cipher": {
      "detail": {
        "security": "high",
        "is_quantum_ready": false,
        "algo": {
          "auth": "RSA"
        }
      },
      "is_preferred": true
    },
    "certificate": {
      "validity": {
        "duration_days": 365
      },
      "public_key": {
        "rsa_exponent": 65537
      }
    },
    "active": true,
    "last_seen": "2025-09-09T12:30:17.000Z"
  },
  "certificate": {
    "is_file": "false"
  },
  "server": {
    "address": "192.168.1.10",
    "ip": "192.168.1.10", 
    "port": 443
  },
  "service": {
    "protocol": {
      "type": "TLS",
      "name": "TLSV1_3"
    }
  },
  "tls": {
    "cipher": "TLS_AES_256_GCM_SHA384",
    "version_protocol": "TLS",
    "version": "1.3"
  },
  "x509": {
    "version_number": 3,
    "serial_number": "12345678901234567890",
    "signature_algorithm": "SHA256-RSA",
    "issuer": {
      "common_name": "Company Internal CA",
      "country": "US",
      "organization": "Company Inc"
    },
    "subject": {
      "common_name": "internal.company.com",
      "country": "US", 
      "organization": "Company Inc"
    },
    "not_before": "2024-09-09T00:00:00.000Z",
    "not_after": "2025-09-09T23:59:59.000Z",
    "is_valid": true,
    "public_key_algorithm": "RSA",
    "public_key_size": 2048,
    "is_self_signed": false,
    "hash": "ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12"
  },
  "process": {
    "pid": 1234,
    "name": "firefox",
    "executable": "/usr/bin/firefox"
  },
  "file": {
    "path": "/usr/bin/firefox",
    "name": "firefox", 
    "size": 2097152,
    "mtime": "2024-08-20T14:15:00.000Z",
    "hash": {
      "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    }
  },
  "pe": {
    "file_version": "127.0.6533.120",
    "product_version": "127.0.6533.120"
  },
  "tags": ["production", "web-servers"]
}

Filesystem Certificate Schema (Event ID 1002)

{
  "@timestamp": "2025-09-09T13:00:17.000Z",
  "tychon": {
    "type": "filesystem",
    "scan_mode": "local",
    "scan_timestamp": "2025-09-09T13:00:17.000Z",
    "scanner_version": "1.0.43",
    "host": {
      "machine_serial_number": "ABC123DEF456"
    },
    "active": true
  },
  "certificate": {
    "is_file": "true"
  },
  "file": {
    "path": "/etc/ssl/certs/ca-certificate.crt",
    "name": "ca-certificate.crt",
    "size": 4096,
    "mtime": "2024-09-01T10:00:00.000Z",
    "hash": {
      "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    }
  },
  "x509": {
    "version_number": 3,
    "serial_number": "98765432109876543210",
    "signature_algorithm": "SHA256-RSA",
    "subject": {
      "common_name": "Company Root CA",
      "country": "US",
      "organization": "Company Inc"
    },
    "issuer": {
      "common_name": "Company Root CA", 
      "country": "US",
      "organization": "Company Inc"
    },
    "not_before": "2020-01-01T00:00:00.000Z",
    "not_after": "2030-01-01T23:59:59.000Z",
    "is_valid": true,
    "public_key_algorithm": "RSA",
    "public_key_size": 4096,
    "is_self_signed": true,
    "hash": "12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78"
  }
}

Crypto Library Schema (Event ID 1003)

{
  "@timestamp": "2025-09-09T13:00:17.000Z",
  "tychon": {
    "type": "library",
    "scan_mode": "local",
    "scan_timestamp": "2025-09-09T13:00:17.000Z",
    "scanner_version": "1.0.43",
    "host": {
      "machine_serial_number": "ABC123DEF456"
    },
    "active": true
  },
  "certificate": {
    "is_file": "true"
  },
  "process": {
    "pid": 5678,
    "name": "java",
    "executable": "/usr/bin/java"
  },
  "file": {
    "path": "/usr/lib/jvm/java-11-openjdk/lib/security/bcprov.jar",
    "name": "bcprov.jar"
  },
  "pe": {
    "file_version": "1.70.0.0",
    "product_version": "1.70"
  }
}

Archive File Schema (Event ID 1004)

{
  "@timestamp": "2025-09-09T13:00:17.000Z",
  "tychon": {
    "type": "archivefile",
    "scan_mode": "local", 
    "scan_timestamp": "2025-09-09T13:00:17.000Z",
    "scanner_version": "1.0.43",
    "host": {
      "machine_serial_number": "ABC123DEF456"
    },
    "active": true
  },
  "certificate": {
    "is_file": "true"
  },
  "file": {
    "path": "/home/john/Documents/email/archive.mbox",
    "name": "archive.mbox",
    "size": 2147483648,
    "mtime": "2025-09-08T15:30:00.000Z",
    "hash": {
      "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    }
  },
  "archive": {
    "type": "mbox",
    "encryption": {
      "enabled": true,
      "type": "password_protected",
      "strength": "medium"
    },
    "format": {
      "version": "2019"
    }
  }
}

SIEM Integration

Windows Event Forwarding

  • WEF Compatible: Standard Windows Event Log format
  • SIEM Ready: Pure JSON in message field
  • No Timestamps: Clean JSON without prefixes
  • ECS Compliant: Elastic Common Schema field names

Enterprise Monitoring

  • Splunk: Direct Windows Event Log ingestion
  • Microsoft Sentinel: Azure Event Log connector
  • IBM QRadar: Windows Event Log DSM
  • LogRhythm: Native Event Log parsing

Cross-Platform Automated Deployment

Windows (Task Scheduler or PowerShell):

# Windows Scheduled Task
schtasks /create /tn "TYCHON-PQC-Scanner-Hourly" /tr "C:\Tools\certscanner.exe -mode local -outputformat eventlog" /sc hourly

# PowerShell automation
$scannerPath = "C:\Tools\certscanner.exe"
Start-Process -FilePath $scannerPath -ArgumentList "-mode local -outputformat eventlog" -Wait

macOS (launchd):

# macOS LaunchDaemon (system-wide)
sudo cp com.tychon.pqc-scanner.plist /Library/LaunchDaemons/
sudo launchctl load /Library/LaunchDaemons/com.tychon.pqc-scanner.plist

# User-level LaunchAgent
cp com.tychon.pqc-scanner.plist ~/Library/LaunchAgents/
launchctl load ~/Library/LaunchAgents/com.tychon.pqc-scanner.plist

Linux (cron or systemd):

# Linux Cron Job
# Add to crontab for hourly execution
0 * * * * /usr/local/bin/certscanner -mode local -outputformat eventlog

# Systemd Timer (preferred for modern Linux)
sudo cp tychon-pqc-scanner.service /etc/systemd/system/
sudo cp tychon-pqc-scanner.timer /etc/systemd/system/
sudo systemctl enable --now tychon-pqc-scanner.timer

Viewing Events

Platform-Specific Event Viewing

Windows:

  1. Open Windows Event Viewer
  2. Navigate to: Windows Logs → Application
  3. Filter by Source: "TYCHON-PQC-Scanner"
  4. View the JSON data in the event details

macOS:

  1. Open Console.app or use the command line
  2. Filter by Process: "tychon-pqc-scanner"
  3. Use unified log commands for structured queries
  4. The JSON data appears in the log messages

Linux:

  1. Use journalctl or syslog viewers
  2. Filter by identifier: "tychon-pqc-scanner"
  3. Parse the structured JSON from the log entries
  4. Integrate with rsyslog/syslog-ng for forwarding

Platform-Specific Queries

Windows (PowerShell):

# Get all TYCHON-PQC-Scanner events
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='TYCHON-PQC-Scanner'}

# Get cipher discovery events (ID 1001)
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='TYCHON-PQC-Scanner'; ID=1001}

# Export to JSON for analysis
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='TYCHON-PQC-Scanner'} |
  Select-Object TimeCreated, Id, Message |
  ConvertTo-Json -Depth 10 | Out-File -FilePath "tychon-pqc-scanner-events.json"

macOS (unified log):

# View recent TYCHON EventLog entries (recommended for SIEM)
log show --predicate 'eventMessage CONTAINS "TYCHON_SCAN"' --last 1h

# View all TYCHON events with syslog formatting
log show --style syslog --last 1h | grep "TYCHON_SCAN"

# Monitor TYCHON events in real time
log stream --predicate 'eventMessage CONTAINS "TYCHON_SCAN"'

# View TYCHON events by logger process (all entries)
log show --predicate 'process == "logger" AND eventMessage CONTAINS "tychon-pqc-scanner"' --last 24h

# Export TYCHON events to a file for analysis
log show --predicate 'eventMessage CONTAINS "TYCHON_SCAN"' --last 7d --style ndjson > tychon-events.ndjson

Linux (journalctl):

# View TYCHON events using journalctl
sudo journalctl -t tychon-pqc-scanner --since "1 hour ago"

# Search for specific scan events
sudo journalctl -t tychon-pqc-scanner -g "TYCHON_SCAN" --since today

# Monitor TYCHON events in real time
sudo journalctl -t tychon-pqc-scanner -f

# Export recent events to a file
sudo journalctl -t tychon-pqc-scanner --since "24 hours ago" --no-pager > tychon-events.log

Troubleshooting

Common Issues

  • Issue: "Access Denied" when writing to the Event Log
    Solution: Run as Administrator; EventLog writes require elevated privileges
  • Issue: Events show "Incorrect function" in the General tab
    Solution: This is expected; the detailed JSON data is in the Details tab
  • Issue: No events appear in Event Viewer
    Solution: Check that the scan found assets to report (use -logfile for debugging)
  • Issue: macOS "message too long" error, or EventLog messages truncated due to size limits
    Solution: Messages over 8KB are automatically truncated; look for truncation notices in the log output

Best Practices

  • Configure scheduled scans using platform-appropriate methods (Windows Task Scheduler, macOS LaunchDaemons, Linux cron/systemd)
  • Set up log forwarding for centralized collection (WEF, syslog, journald forwarding)
  • Use specific tags to categorize different scan types and environments
  • Monitor log storage and configure appropriate retention policies per platform

Enterprise Integration Examples

Cross-Platform Scheduled Monitoring

Windows (batch):

REM Create scheduled task for daily crypto monitoring
schtasks /create /tn "TYCHON-PQC-Scanner-Daily" ^
  /tr "C:\Security\certscanner.exe -mode local -scanfilesystem -scanmemory -outputformat eventlog -tags daily-scan" ^
  /sc daily /st 02:00 /ru SYSTEM

REM Create task for network monitoring
schtasks /create /tn "TYCHON-PQC-Scanner-Network" ^
  /tr "C:\Security\certscanner.exe -scanconnected -outputformat eventlog -tags network-monitoring" ^
  /sc hourly /ru SYSTEM

macOS LaunchDaemon (/Library/LaunchDaemons/com.tychon.pqc-scanner.daily.plist; the XML declaration must be the first line of the file):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.tychon.pqc-scanner.daily</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/certscanner</string>
        <string>-mode</string>
        <string>local</string>
        <string>-scanfilesystem</string>
        <string>-scanmemory</string>
        <string>-outputformat</string>
        <string>eventlog</string>
        <string>-tags</string>
        <string>daily-scan</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>2</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
</dict>
</plist>

Linux (systemd service and timer):

# /etc/systemd/system/tychon-pqc-scanner-daily.service
[Unit]
Description=TYCHON PQC Scanner Daily Crypto Monitoring
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/certscanner -mode local -scanfilesystem -scanmemory -outputformat eventlog -tags daily-scan
User=root

# /etc/systemd/system/tychon-pqc-scanner-daily.timer
[Unit]
Description=Run TYCHON PQC Scanner daily
Requires=tychon-pqc-scanner-daily.service

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

# Enable with: sudo systemctl enable --now tychon-pqc-scanner-daily.timer

SIEM Query Examples

Splunk: Find PQC-vulnerable ciphers (cross-platform). Field names follow the schema above after spath extracts the JSON message:

index=* (source="WinEventLog:Application" SourceName="TYCHON-PQC-Scanner") OR (sourcetype="syslog" "tychon-pqc-scanner") EventCode=1001
| spath input=Message
| search "tychon.cipher.detail.is_quantum_ready"=false
| table _time, server.address, tls.cipher, tychon.cipher.detail.security

Microsoft Sentinel: Certificate expiration monitoring (cross-platform). Certificate dates live under x509 in the schema:

Event
| where (Source == "TYCHON-PQC-Scanner" and EventID == 1002) or (SyslogTag == "tychon-pqc-scanner" and EventID == 1002)
| extend CertData = parse_json(RenderedDescription)
| where todatetime(CertData.x509.not_after) < now() + 30d
| project TimeGenerated, Computer, CertData.x509.subject.common_name, CertData.x509.not_after
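As an added example that is not part of this documentation or the scanner's own code, the following Python script performs the same triage as the Splunk and Sentinel queries above (quantum-unready 1001 ciphers and 1001/1002 certificates expiring within 30 days) over exported records, using the dotted field paths from the Complete Schema Reference, and treats a message truncated at the macOS size limit (see Troubleshooting) as unparsable rather than failing. It assumes the record shape produced by the Get-WinEvent ... ConvertTo-Json export (objects with Id and Message); the sample records are constructed and abbreviated.

```python
"""Offline triage of exported TYCHON eventlog records (added example, not scanner code)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed records in the Get-WinEvent export shape (Id + Message), trimmed to the
# schema fields read below. The 1003 record imitates a message cut off at the macOS limit.
SAMPLE_EVENTS = [
    {"Id": 1001, "Message": json.dumps({
        "tychon": {"type": "cipher", "pqc_vulnerable": True,
                   "cipher": {"detail": {"security": "high", "is_quantum_ready": False}}},
        "server": {"address": "192.168.1.10"}, "tls": {"cipher": "TLS_AES_256_GCM_SHA384"},
        "x509": {"subject": {"common_name": "internal.company.com"},
                 "not_after": "2025-09-09T23:59:59.000Z"}})},
    {"Id": 1002, "Message": json.dumps({
        "tychon": {"type": "filesystem"},
        "x509": {"subject": {"common_name": "Company Root CA"},
                 "not_after": "2030-01-01T23:59:59.000Z"}})},
    {"Id": 1003, "Message": '{"@timestamp": "2025-09-09T13:00:17.000Z", "tychon": {"type": "libr'},
]

def get_path(obj, path):
    """Resolve a dotted schema path such as 'tychon.cipher.detail.is_quantum_ready'."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def parse_message(message):
    """Decode the JSON message; None signals a truncated or otherwise invalid payload."""
    try:
        return json.loads(message)
    except json.JSONDecodeError:
        return None

def triage(events, now, expiry_window=timedelta(days=30)):
    """Flag quantum-unready ciphers (1001), certificates expiring within the window
    (1001 and 1002), and records whose message could not be parsed."""
    findings = {"pqc_vulnerable": [], "expiring": [], "unparsable": []}
    for event in events:
        data = parse_message(event["Message"])
        if data is None:
            findings["unparsable"].append(event["Id"])
            continue
        if event["Id"] == 1001 and get_path(data, "tychon.cipher.detail.is_quantum_ready") is False:
            findings["pqc_vulnerable"].append(
                (get_path(data, "server.address"), get_path(data, "tls.cipher")))
        not_after = get_path(data, "x509.not_after") if event["Id"] in (1001, 1002) else None
        if not_after:
            # Schema timestamps end in 'Z'; normalise for fromisoformat on Python < 3.11.
            expiry = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
            if expiry < now + expiry_window:
                findings["expiring"].append(get_path(data, "x509.subject.common_name"))
    return findings

def run_sample():
    """Triage the constructed records as of 2025-09-01 UTC (fixed for reproducible results)."""
    return triage(SAMPLE_EVENTS, datetime(2025, 9, 1, tzinfo=timezone.utc))
```

Feed it the real export by loading the JSON file written by the PowerShell pipeline and passing the list to triage with datetime.now(timezone.utc).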