CEF standard says that the version field is mandatory, so "+"es are not an error.
Header Information
CEF uses syslog as a transport mechanism. It uses the following format, comprised of a syslog prefix , a header and an extension , as shown below:
Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|[Extension]
The CEF:Version portion of the message is a mandatory header. The remainder of the message is formatted using fields delimited by a pipe ("|") character
...
... View more