Frequently asked Questions
Report Data Format
By default the events are formatted in JSON. The reason this format is used is because it is a widely used format and many languages support JSON natively today. The key-value nature allows to contain events of different nature within one report or file. It also allows to include additional information where available, like the response header of a scan or the hostname. This benefit comes at the cost of increased file size, but this is nowadays a very small price to pay compared to the additional benefits.
Column based formats like CSV have the drawback that every event contained in the document must match the fields specified in the header. While it is theoretically possible to specify all the different keys in the header and leave most of the values empty, in reality this is not very practical. To include all the differnt information the header would have to specify several hundred columns.
Therefore, it is necessary to limit the number of columns to the most relevant and significant fields.
The following data formats for the reported events are currently supported:
- JSON (default) https://en.wikipedia.org/wiki/JSON
The events are contained in a compact JSON format (one event per line), which is best suited for machine processing. To view these events we recommend using a JSON-aware text editor and that is able to beautify the data, i.e. splitting up the JSON objects into multiple lines.
- JSON-formatted https://en.wikipedia.org/wiki/JSON
The events are contained in a multiline JSON format. To make it easier to read the data, the events are split into multiple lines.
- CSV https://en.wikipedia.org/wiki/Comma-separated_values
The events are contained as comma-separated values, where each line is an event.
CSV is a fixed column based format, therefore it is necessary to select the most significant fields that will be included in the report.
SWITCH-CERT recommends to use the JSON format if possible.
Additionally, the following options are available
- Report location
- attachment (default): The events are attached as a file to the email.
- inline: The events are written inline in the email message, no compression available.
- Report compression
- compressed (default): The attachment is compressed using zip. Zip is used because it by default supported by most platforms.
- uncompressed: The attachment as is.
Contact SWITCH-CERT by replying on the report you received if you want to change your preferences.
Feedback on how the reports can be improved is appreciated. This is especially true for broken formats, wrong headers etc.
Regarding new features, like other formats, additional options or new distribution channels input is welcome. This does not guarantee that it will be implemented. There can be many different reasons for a feature request to be rejected, like requiring major changes or simply a niche demand.
If you have such a request please describe the feature, the use case and the benefits, making it easier to understand the need for it. Requests failing to show sufficient novelty might be dropped directly.