Cerbi | Logging Governance for .NET

Log governance for .NET — stop it at the source

Cerbi enforces logging policy inside your .NET application — before any log event reaches a pipeline, storage platform, or observability vendor.

CerbiStream is a NuGet-based .NET runtime SDK that governs log events before they reach any downstream sink. CerbiShield is the tenant-hosted control plane for rules, visibility, and audit.

One-line setup
No pipeline migration
Works with Serilog, MEL, and NLog

See How It Works Start Free Trial

Microsoft Partner (ISV)

Azure Marketplace

Harvard i-Lab

63.1K+NuGet Downloads

29Packages

Works withMELSerilogNLog

14-day free trial

The Cerbi model

CerbiStream

Runtime SDK

NuGet package — no agents, no infra
Runs inside your application process
Validates and governs logs before emission
Works with Serilog, MEL, and NLog
Zero network calls on the hot path

Install-Package CerbiStream

CerbiShield

Governance Control Plane

Tenant-hosted dashboard — your infrastructure
Rule management, violations, and audit trail
Governance scoring and reporting
Async — never on the hot path
Available on Azure Marketplace

Azure Marketplace

Enforcement inline.Scoring and oversight out of band.

Ifyou'rerelyingoningestmasking,you'realreadytoolate.

Cerbi — governance at the source

[INFO] 2024-03-14 09:12:04.331 CerbiStream.Router — field:userId value:redacted

[WARN] 2024-03-14 09:12:04.887 CerbiStream.Policy — schema violation: missing required field "correlationId"

[INFO] 2024-03-14 09:12:05.102 CerbiStream.Sink — event routed to: Splunk (filtered), DataDog (full)

[DEBUG] 2024-03-14 09:12:05.449 CerbiShield.Guard — sensitive field detected: "password" — blocked

[INFO] 2024-03-14 09:12:05.991 CerbiStream.Router — throughput: 4,212 events/sec

The pipeline is backwards

You can't fix bad logs after they've been ingested.

Today

AppLog emitted

LogsData written

StorageAlready stored

DetectionRisk found

CleanupToo late

Data is already stored.

Risk already exists.

Cost already incurred.

With Cerbi

AppLog emitted

CerbiGoverned at sourceSource control

StorageOnly clean data

DashboardsConsistent + trustworthy

Interactive Demo

See Cerbi in the Log Path

Pick a scenario, configure governance rules, and watch what gets sanitized, blocked, and routed asynchronously — before a single byte reaches your observability platform.

Mode

Rule Set

Redact sensitive fieldsRequire correlationIdBlock forbidden fieldsEmit violation events

Input Log Event

Sensitive Data Leak

{
  "timestamp": "2025-04-12T14:32:11.042Z",
  "level": "Information",
  "message": "Payment processed",
  "correlationId": "ord-8821-xk",
  "userId": "u_4492",
  "ssn": "382-91-0047",
  "cardNumber": "4111-1111-1111-1111",
  "cvv": "392",
  "amount": 149.99,
  "service": "payment-api",
}

Runtime Flow

Application Boundary

Logger

.NET App

Cerbi

Governance

hot path

Sanitized Log

Downstream

Splunk / Datadog

Azure Monitor

Downstream Sanitized Log

// Run example to see output

Governance Result

// Governance score, violations, and async routing appear here

This demo runs entirely in-browser. No log data is transmitted. Behavior reflects Cerbi's in-process governance engine for .NET.

Risk & compliance

Sensitive data in logs creates exposure

PHI, PII, credentials, and tokens written to log sinks become a liability the moment they are ingested — regardless of who controls the destination.

Detection after ingestion is too late

Scrubbing sensitive data from Splunk or Datadog after the fact is operationally expensive and may not satisfy auditors. The log is already stored, indexed, and potentially replicated.

Cerbi prevents bad behavior before storage

Governance runs at emission time — before any network call, before any sink, before any pipeline. If a rule is violated, it is blocked or sanitized in-process.

Cerbi does not provide legal or compliance advice. Consult your compliance team for regulatory obligations specific to your industry.

Adoption

Adopt in minutes.

CerbiStream drops into your existing .NET logging setup. No migration. No new infrastructure on the hot path.

Full setup guide

Free trial

14 days · 5M governed events

No credit card required. Full platform access.

View trial details

Install from NuGetInstall-Package CerbiStream

Add one line to your logger.UseCerbi(cfg => cfg.LoadProfile("governance.json"))

Store governance profiles as codegovernance.json → committed, versioned, reviewed

Ship — nothing else changesNo agents · No pipeline rewrite · No sink replacement

Why teams adopt Cerbi

Prevent data leakage

Stop sensitive data at the source instead of masking later. PHI, PII, tokens, and credentials are blocked before they ever reach a downstream platform.

Improve audit readiness

Logs are compliant by default, not retroactively fixed. Every log event is governed at creation time, giving you a clean, defensible audit trail.

Reduce observability cost

Filter noise before ingestion. Blocking irrelevant events and redundant fields before they leave the application reduces Splunk and Datadog ingestion spend.

Standardize logging behavior

One policy across all services and teams. Required fields are enforced, schema violations are flagged, and logging behavior is consistent across every service.

Who this is for

Built for the teams who own what gets logged.

Cerbi is a fit when logging behavior needs to be a controlled, auditable property of the platform — not a per-team decision made at the call site.

Platform engineering

You own the internal developer platform or shared logging infrastructure. You need consistent policy enforcement across many services without mandating call-site rewrites or deploying new pipeline components.

Security and compliance

You are responsible for preventing PHI, PII, credentials, and sensitive fields from reaching observability platforms. You need evidence that governance is applied at emission, not retroactively cleaned downstream.

Architecture leadership

You are designing or auditing logging strategy across a distributed .NET estate. You want governance that is version-controlled, policy-driven, and compatible with Serilog, MEL, and NLog without lock-in.

Scope

What Cerbi is not.

Clarity on scope is part of a credible product. Cerbi does one thing well: governs logging behavior at the source.

Not a SIEM

Cerbi does not collect, correlate, or alert on security events. It governs what is written to logs at the source. Your SIEM receives cleaner, more consistent data as a result.

Not a log storage platform

Cerbi has no log storage. Your existing destinations — Splunk, Datadog, Azure Monitor, Elastic, Seq — remain unchanged. Cerbi sits before them, not instead of them.

Not a replacement for your observability stack

Cerbi does not replace Datadog, New Relic, Grafana, or any observability vendor. It makes the data those platforms receive more accurate, consistent, and policy-compliant.

Not a log router or transport layer

Cerbi does not proxy or relay log traffic. There are no additional network hops on the hot path. CerbiStream is in-process; CerbiShield is async and out of band.

What it is

A .NET runtime SDK that governs log events before emission
A governance control plane for policy management and audit
A source-side filter that reduces ingestion noise and cost
A compliance tool that enforces schema at the point of creation

Understand why bad logging behavior is systemic, and what it costs.

The problems aren't random. Every team runs into the same patterns. See the full picture.

Why Cerbi

Your observability stack assumes your logs are correct.They're not.