ArcSight CEF format uses the Syslog message protocol as a transport mechanism.

The format of the message is:

Date-Time host CEF:Version|Device Vendor|Device Product|Device Version|
SignatureID|Name|Severity|Extension

Each message includes a common prefix consisting of the message date and time, the hostname of the server from which it was sent, and "CEF:" plus the version of CEF format. The remainder of the message is formatted into event-specific fields delimited by a bar ("|") character.

The following example illustrates a CEF-formatted message using Syslog output from App Control:

Sep 19 08:26:10 server3.mycorp.local CEF:0|VMware Carbon Black|App Control
|8.1.0.899|801|Execution block (unapproved file)|5| dst=10.0.0.1 
duser=NTAUTHORITY\SYSTEM msg=File 'itunessetup64.exe' has been blocked because it was unapproved.