diff --git a/cmd/genjson/main.go b/cmd/genjson/main.go
new file mode 100644
index 0000000..b4e5fea
--- /dev/null
+++ b/cmd/genjson/main.go
@@ -0,0 +1,17 @@
+package main
+
+import (
+ "encoding/json"
+ "github.com/LeakIX/l9format"
+ "os"
+)
+
+func main() {
+ event := &l9format.L9Event{}
+ event.Service.Software.Modules = append(event.Service.Software.Modules, l9format.SoftwareModule{})
+ encoder := json.NewEncoder(os.Stdout)
+ err := encoder.Encode(event)
+ if err != nil {
+ panic(err)
+ }
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..48bcfd7
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module github.com/LeakIX/l9format
+
+go 1.11
diff --git a/l9event.go b/l9event.go
new file mode 100644
index 0000000..eaf0382
--- /dev/null
+++ b/l9event.go
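Review bot: The error check in `main` declares `err` on its own line and then tests it; folding it into an `if` initializer, `if err := encoder.Encode(event); err != nil { panic(err) }`, keeps `err` scoped to the check, which is the idiomatic shape. The import block interleaves the third-party module between two stdlib imports; `goimports` would split it into a stdlib group and a separate `github.com/LeakIX/l9format` group. Panicking on an encode failure is acceptable for a one-shot generator, though it prints a stack trace for what is an ordinary runtime error; writing the error to stderr and calling `os.Exit(1)` would be the usual choice for a command-line tool.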
@@ -0,0 +1,83 @@
+package l9format
+
+import "time"
+
+type L9Event struct {
+ EventType string `json:"event_type"`
+ EventSource string `json:"event_source"`
+ EventPipeline []string `json:"event_pipeline"`
+ Ip string `json:"ip"`
+ Port string `json:"port"`
+ Transports []string `json:"transport"`
+ Protocol string `json:"protocol"`
+ Http L9HttpEvent `json:"http"`
+ Summary string `json:"summary"`
+ Time time.Time `json:"time"`
+ SSL L9SSLEvent `json:"ssl"`
+ Service L9ServiceEvent `json:"service"`
+}
+
+type L9HttpEvent struct {
+ Root string `json:"root"`
+ Url string `json:"url"`
+ Status int `json:"status"`
+ Length int64 `json:"length"`
+ Headers map[string]string `json:"header"`
+}
+
+type L9ServiceEvent struct {
+ Credentials ServiceCredentials `json:"credentials"`
+ Software Software `json:"software"`
+}
+
+type L9LeakEvent struct {
+ Severity string `json:"severity"`
+ Dataset DatasetSummary `json:"dataset"`
+}
+
+type L9SSLEvent struct {
+ Enabled bool `json:"enabled"`
+ JARM string `json:"jarm"`
+ CypherSuite string `json:"cypher_suite"`
+ Version string `json:"version"`
+ Certificate Certificate `json:"certificate"`
+}
+
+type DatasetSummary struct {
+ Rows int64 `json:"rows"`
+ Files int64 `json:"files"`
+ Size int64 `json:"size"`
+}
+
+type Software struct {
+ Name string `json:"name"`
+ Version string `json:"version"`
+ OperatingSystem string `json:"os"`
+ Modules []SoftwareModule `json:"modules"`
+ Fingerprint string `json:"fingerprint"`
+}
+
+type SoftwareModule struct {
+ Name string `json:"name"`
+ Version string `json:"version"`
+ Fingerprint string `json:"fingerprint"`
+}
+type ServiceCredentials struct {
+ NoAuth bool `json:"noauth"`
+ Username string `json:"username"`
+ Password string `json:"password"`
+ Key string `json:"key"`
+ Raw []byte `json:"raw"`
+}
+
+type Certificate struct {
+ CommonName string `json:"cn"`
+ Domains []string `json:"domain"`
+ Fingerprint string `json:"fingerprint"`
+ KeyAlgo string `json:"key_algo"`
+ KeySize int `json:"key_size"`
+ IssuerName string `json:"issuer_name"`
+ NotBefore time.Time `json:"not_before"`
+ NotAfter time.Time `json:"not_after"`
+ Valid bool `json:"valid"`
+}
\ No newline at end of file
diff --git a/l9event.json b/l9event.json
index 1429afd..38a4905 100644
--- a/l9event.json
+++ b/l9event.json
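Review bot: `ServiceCredentials` serializes `Username`, `Password`, `Key` and `Raw` straight into the event JSON with no `omitempty` and no redaction, so any consumer that stores or forwards an `L9Event` keeps the observed secrets in clear (`Raw` is base64-encoded by `encoding/json`, which is an encoding, not protection); the struct has no doc comment saying so, and one is warranted, e.g. `// ServiceCredentials holds credentials observed on the service. Password, Key and Raw are emitted unredacted; treat events carrying them as sensitive.` `L9LeakEvent` and `DatasetSummary` are declared but not referenced from `L9Event` or any other type in this hunk, and the sample `l9event.json` in the same commit removes the `leak` object, so they appear to be dead for now; either wire them into `L9Event` or comment that they are reserved. None of the exported types or fields carry doc comments, and `Ip`, `Http` and `Url` would be `IP`, `HTTP` and `URL` under Go initialism convention — a rename that is cheap now but breaking once the package has users.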
@@ -1,46 +1,60 @@
 {
 "event_type": "leak",
- "event_source":"DotEnvConfigPlugin",
+ "event_source": "DotEnvConfigPlugin",
 "event_pipeline": ["ip4scout", "l9tcpid", "l9explore", "DotEnvConfigPlugin"],
- "host": "website.example.com",
 "ip": "127.0.0.1",
 "port": "8080",
 "transport": ["tcp","tls","http"],
 "protocol": "https",
 "http": {
- "root": "/path1",
+ "root": "/site1",
+ "url": "/site1/.env",
 "status": 200,
- "url": "/path1/.env",
- "length": 2004,
+ "length": 12423,
 "header": {
- "Server": "Apache"
+ "Server": "Apache",
+ "Content-Type": "application/text"
 }
 },
- "ssl" : {
+ "summary": "Env config file found:\n\n XYZ=\n",
+ "time": "0001-01-01T00:00:00Z",
+ "ssl": {
 "enabled": true,
- "jarm": "05d10d20d21d20d05c05d10d05d20da23a7a927f270a23608b3c7a72999cab",
- "certificate" : {
- "cn": "*.example.com",
- "domain" : ["*.example.net"]
+ "jarm": "29d29d00029d29d21c41d41d00041dba71dd2df645850cf5f0b5af18a5fdcf",
+ "cypher_suite": "TLS_AES_128_GCM_SHA256",
+ "version": "TLSv1.3",
+ "certificate": {
+ "cn": "example.com",
+ "domain": ["site.example.com", "admin.example.com"],
+ "fingerprint": "e998e371dd4678c9113e196bc5e4a5e901455750c6dbc9985c84403b91055260",
+ "key_algo": "RSA",
+ "key_size": 2048,
+ "issuer_name": "Rapid SSL",
+ "not_before": "0001-01-01T00:00:00Z",
+ "not_after": "0001-01-01T00:00:00Z",
+ "valid": false
 }
 },
- "leak": {
- "summary": "Index xy , index z ,ectt",
- "date": "2020-10-09 11:12:12.123",
- "severity": "high",
- "plugin": "ElasticsearchExplore",
- "dataset": {
- "rows": 0,
- "files": 0,
- "size" : 0,
- "collections": 0,
- "infected": true
- }
- },
- "service" : {
+ "service": {
+ "credentials": {
+ "noauth": true,
+ "username": "",
+ "password": "",
+ "key": "",
+ "raw": null
+ },
 "software": {
- "name": "Elasticsearch",
- "version": "1.4.4"
+ "name": "Apache",
+ "version": "2.2.4",
+ "os": "Ubuntu",
+ "modules": [
+ {
+ "name": "PHP",
+ "version": "4.4.2",
+ "fingerprint": "php-4-4-2"
+ }
+ ],
+ "fingerprint": "apache-2-2-4"
 }
 }
 }