
I am writing a program that outputs logs in the common event format (CEF), while referring to this document, which breaks down how CEF should be composed. However, I am confused as to what they mean by "Version" in this particular part:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

This is the example they show:

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232

"Sep 19 08:26:10 host" is part of the header and not something I'm confused about. In the above example the version is 0.

The document states, "Version is an integer and identifies the version of the CEF format. Event consumers use this information to determine what the following fields represent". I would interpret it to mean that version is defined by the event consumer and producer, and used as some sort of identifier. However, I'm not sure if this is correct, and even if it is, I can't find a specific real life example of how it's used. This sample log and all the CEF logs I found when I searched for examples just use zero.

Does anyone know if my interpretation is correct and/or have a real life example of it being used?

user8402764

1 Answer

For a long time there was only the one version, but there is a 1.0 now, which is used mainly to indicate that the event contains IPv6 addresses in the normal address fields.

0.1 - The Device Address, Source Address, Destination Address, and Agent Address fields will always be IPv4 or will be omitted. If there are any IPv6 addresses, they will be in Device Custom IPv6 Address fields. Bytes In and Bytes Out fields are limited to the size of an integer (up to 2^31-1).

1.0 - Any of the address fields can be either IPv4 or IPv6 and the Bytes In and Bytes Out fields can be long values (up to 2^63-1).

ref: SmartConnector_UserGuide.pdf - Date: April 16, 2018

In the CEF event the version doesn't use a decimal, so it's just CEF:0 and CEF:1.

J. Doe
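The answer above describes the one practical consequence of the version field: a consumer reads `CEF:0` or `CEF:1` and then decides how to interpret the address and byte-count fields. Below is an added example (not code from the question, the answer, or the ArcSight guide) that parses a CEF record, validates the extension against the rules the answer quotes for each version, and, on the producing side, picks the version from the content it is about to emit. The short extension keys `dvc`, `src`, `dst`, `agt`, `in`, `out` and `c6a1`..`c6a4` are standard CEF key names; mapping them onto the guide's "Device/Source/Destination/Agent Address", "Bytes In/Out" and "Device Custom IPv6 Address" is this example's assumption. The sample lines are constructed; the first is the one from the question.

```python
import ipaddress
import re

# Extension keys this example inspects (standard CEF short names; the mapping to the
# guide's field names is an assumption of this example, not taken from the page).
ADDRESS_KEYS = ("dvc", "src", "dst", "agt")
BYTE_KEYS = ("in", "out")
INT32_MAX = 2**31 - 1   # in/out limit under CEF:0
INT64_MAX = 2**63 - 1   # in/out limit under CEF:1
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _unescape(text):
    """Undo CEF escaping: backslash-pipe, backslash-equals and doubled backslash
    become the literal character; backslash-n / backslash-r become line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep` unless a backslash escapes it; stop after `maxsplit` splits.
    A backslash pair is an escaped backslash, so a separator after it still counts."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_cef(line):
    """Parse one CEF record (with or without a syslog prefix) into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    fields = _split_unescaped(line[idx + 4:], "|", 7)
    if len(fields) != 8:
        raise ValueError("CEF header needs exactly 7 pipe-separated fields")
    rec = {"prefix": line[:idx].rstrip()}
    rec.update(zip(HEADER_FIELDS, (_unescape(f) for f in fields[:7])))
    if not rec["version"].isdigit():
        raise ValueError("CEF version must be an integer, got %r" % rec["version"])
    rec["version"] = int(rec["version"])
    rec["extension"] = {}
    # Keys contain no spaces or '=', and '=' inside a value is escaped as '\=',
    # so a space followed by 'key=' is always the boundary between two pairs.
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", fields[7].strip()):
        if pair:
            key, _, value = pair.partition("=")
            rec["extension"][key] = _unescape(value)
    return rec


def version_violations(rec):
    """Return the layout rules a parsed record breaks, judged by its CEF version:
    CEF:0 allows only IPv4 in the address fields (IPv6 goes in c6a1..c6a4) and
    32-bit in/out; CEF:1 allows IPv4 or IPv6 and 64-bit in/out."""
    version, ext = rec["version"], rec["extension"]
    if version not in (0, 1):
        return ["unknown CEF version %d: field semantics undefined" % version]
    byte_max = INT32_MAX if version == 0 else INT64_MAX
    problems = []
    for key in ADDRESS_KEYS:
        if key in ext:
            try:
                addr = ipaddress.ip_address(ext[key])
            except ValueError:
                problems.append("%s=%r is not an IP address" % (key, ext[key]))
                continue
            if version == 0 and addr.version == 6:
                problems.append("%s is IPv6 but CEF:0 allows only IPv4 here (use c6a1-c6a4)" % key)
    for key in BYTE_KEYS:
        if key in ext:
            try:
                n = int(ext[key])
            except ValueError:
                problems.append("%s=%r is not an integer" % (key, ext[key]))
                continue
            if not 0 <= n <= byte_max:
                problems.append("%s=%d exceeds the CEF:%d limit of %d" % (key, n, version, byte_max))
    return problems


def cef_version_for(extension):
    """Producer side: the lowest CEF version whose field layout can carry this extension."""
    for key in ADDRESS_KEYS:
        if key in extension and ipaddress.ip_address(extension[key]).version == 6:
            return 1
    for key in BYTE_KEYS:
        if key in extension and int(extension[key]) > INT32_MAX:
            return 1
    return 0


def format_cef(vendor, product, dev_version, sig_id, name, severity, extension):
    """Serialise a record with CEF escaping, choosing the version from the content."""
    hdr = lambda s: str(s).replace("\\", "\\\\").replace("|", "\\|")
    val = lambda s: (str(s).replace("\\", "\\\\").replace("=", "\\=")
                     .replace("\n", "\\n").replace("\r", "\\r"))
    header = "|".join(hdr(f) for f in (vendor, product, dev_version, sig_id, name, severity))
    ext = " ".join("%s=%s" % (k, val(v)) for k, v in extension.items())
    return "CEF:%d|%s|%s" % (cef_version_for(extension), header, ext)


SAMPLE_LINES = [  # constructed; the first line is the example from the question
    "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=2001:db8::1 dst=2.1.2.2 in=3000000000",
    "CEF:1|security|threatmanager|1.0|100|worm successfully stopped|10|src=2001:db8::1 dst=2.1.2.2 in=3000000000",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_cef(line)
        print("CEF:%d %s -> %s" % (rec["version"], rec["extension"], version_violations(rec) or "ok"))
    print(format_cef("security", "threatmanager", "1.0", "100", "worm successfully stopped", 10,
                     {"src": "2001:db8::1", "dst": "2.1.2.2", "in": "3000000000"}))
```

The second sample line is the failure mode the version field exists to prevent: a `CEF:0` record carrying an IPv6 `src` and a 3 GB `in` value is exactly what a CEF:0 consumer would truncate or reject, while the same extension under `CEF:1` is valid. On the producing side the version is therefore not a free-form identifier negotiated between your program and its consumer; it is fixed by whether your fields need the CEF:1 layout.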