In Common Event Format (CEF) how is the field version used in a real life application?

I am writing a program that outputs logs in the Common Event Format (CEF), while referring to this document, which breaks down how CEF (ArcSight) should be composed. However, I am confused as to what they mean by "Version" in this particular part:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

This is the example they show:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src= dst= spt=1232

"Sep 19 08:26:10 host" is part of the header and not something I'm confused on. In the above example the version is 0.

The document states, "Version is an integer and identifies the version of the CEF format. Event consumers use this information to determine what the following fields represent". I would interpret it to mean that version is defined by the event consumer and producer, and used as some sort of identifier. However, I'm not sure if this is correct, and even if it is, I can't find a specific real life example of how it's used. This sample log and all the CEF logs I found when I searched for examples just use zero.

Does anyone know if my interpretation is correct and/or have a real life example of it being used?

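One way a consumer can act on the sentence quoted in the question is to read Version first and refuse any layout it does not know before interpreting the remaining header fields. This is an added example, not part of the original post or of the CEF document; the function names, the supported-version set containing only 0, and the second and third sample lines are assumptions made for illustration.

```python
import re

# Header fields after "CEF:Version", in the order the page lists them.
HEADER_FIELDS = ["device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]
SUPPORTED_VERSIONS = {0}  # assumption: this consumer only knows the version-0 layout
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")

def split_header(payload, n_fields=7):
    """Split off n_fields header fields on unescaped '|'; the rest (Extension) stays raw."""
    parts, cur, i = [], [], 0
    while i < len(payload):
        ch, in_header = payload[i], len(parts) < n_fields
        if in_header and ch == "\\" and payload[i + 1:i + 2] in ("|", "\\"):
            i += 1  # \| and \\ are literal characters inside a header field
            cur.append(payload[i])
        elif in_header and ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return parts + ["".join(cur)]

def parse_extension(ext):
    """Simplified key=value parsing: a value runs until the next ' key=' or end of line."""
    keys = list(_EXT_KEY.finditer(ext))
    return {m.group(1): ext[m.end():(nxt.start() if nxt else len(ext))].strip()
            for m, nxt in zip(keys, keys[1:] + [None])}

def parse_cef(line):
    prefix, marker, payload = line.partition("CEF:")
    if not marker:
        raise ValueError("no CEF: marker")
    parts = split_header(payload)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    if not (parts[0].isascii() and parts[0].isdigit()) or int(parts[0]) not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported CEF version {parts[0]!r}")  # do not guess the layout
    return {"cef_version": int(parts[0]), "syslog_prefix": prefix.strip(),
            **dict(zip(HEADER_FIELDS, parts[1:7])),
            "extension": parse_extension(parts[7])}

# First line is the sample from the question; the other two are constructed for this example.
SAMPLES = [
    "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src= dst= spt=1232",
    r"Sep 19 08:26:11 host CEF:0|security|threatmanager|1.0|101|scan \| probe detected|5|spt=443 msg=two words",
    "Sep 19 08:26:12 host CEF:7|security|threatmanager|1.0|100|worm successfully stopped|10|spt=1232",
]
```

Calling `parse_cef` on each entry of `SAMPLES` returns a dict for the first two lines and raises `ValueError` for the third, whose Version is outside the set this consumer supports.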