Logging Governance: Control Layer for .NET

Your observability stack assumes your logs are correct.
They're not.

Cerbi gives you control over logging behavior at the source, before logs reach your pipelines, storage, or dashboards.

CerbiStream is a NuGet-based .NET runtime SDK that governs log events before they reach any downstream sink. CerbiShield is the tenant-hosted control plane for rules, visibility, and audit.

  • One-line setup
  • No pipeline migration
  • Works with Serilog, MEL, and NLog

Microsoft Partner (ISV)
Azure Marketplace
Harvard i-Lab
62.7K+ NuGet Downloads
29 Packages
Works with MEL, Serilog, NLog

The Cerbi model

Two parts, one control model.

CerbiStream

Runtime SDK

  • NuGet package — no agents, no infra
  • Runs inside your application process
  • Validates and governs logs before emission
  • Works with Serilog, MEL, and NLog
  • Zero network calls on the hot path
Install-Package CerbiStream

CerbiShield

Governance Control Plane

  • Tenant-hosted dashboard — your infrastructure
  • Rule management, violations, and audit trail
  • Governance scoring and reporting
  • Async — never on the hot path
  • Available on Azure Marketplace

Enforcement inline. Scoring and oversight out of band.

If you're relying on ingest masking, you're already too late.

Cerbi principle — governance at the source

You pay for every log you ingest.

You are responsible for every log you store.

You rely on logs to debug production.

But you don't control what your applications are logging.

The pipeline is backwards

You can't fix bad logs after they've been ingested.

Today

  • App: Log emitted
  • Logs: Data written
  • Storage: Already stored
  • Detection: Risk found
  • Cleanup: Too late

Data is already stored.
Risk already exists.
Cost already incurred.

With Cerbi

  • App: Log emitted
  • Cerbi: Governed at source (Source control)
  • Storage: Only clean data
  • Dashboards: Consistent + trustworthy

Interactive Demo

See Cerbi in the Log Path

Pick a scenario, configure governance rules, and watch what gets sanitized, blocked, and routed asynchronously — before a single byte reaches your observability platform.

Input log event (scenario: Sensitive Data Leak):
{
  "timestamp": "2025-04-12T14:32:11.042Z",
  "level": "Information",
  "message": "Payment processed",
  "correlationId": "ord-8821-xk",
  "userId": "u_4492",
  "ssn": "382-91-0047",
  "cardNumber": "4111-1111-1111-1111",
  "cvv": "392",
  "amount": 149.99,
  "service": "payment-api"
}

Runtime flow (inside the application boundary): .NET app logger → Cerbi governance (hot path) → sanitized log → downstream (Splunk / Datadog, Azure Monitor)

This demo runs entirely in-browser. No log data is transmitted. Behavior reflects Cerbi's in-process governance engine for .NET.

Risk & compliance

Logs are operational risk, not just telemetry.

Sensitive data in logs creates exposure

PHI, PII, credentials, and tokens written to log sinks become a liability the moment they are ingested — regardless of who controls the destination.

Detection after ingestion is too late

Scrubbing sensitive data from Splunk or Datadog after the fact is operationally expensive and may not satisfy auditors. The log is already stored, indexed, and potentially replicated.

Cerbi prevents bad behavior before storage

Governance runs at emission time — before any network call, before any sink, before any pipeline. If a rule is violated, it is blocked or sanitized in-process.
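
An added example, not Cerbi's code, API, or profile format: in-process governance of the demo event from this page, redacting forbidden fields and blocking events that lack required ones before any sink sees them. `LogPolicy`, `Governed`, `SourceGovernor`, the field lists, and the `[REDACTED]` marker are hypothetical names chosen for illustration, and only top-level fields are checked.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json.Nodes;

// Hypothetical policy shape for illustration; not Cerbi's governance.json format.
public sealed record LogPolicy(ISet<string> Forbidden, ISet<string> Required);
public sealed record Governed(bool Emit, JsonObject Event, List<string> Violations);
public static class SourceGovernor
{
    // Runs in-process on the logging call path: no I/O, no network.
    public static Governed Apply(JsonObject evt, LogPolicy policy)
    {
        var violations = new List<string>();
        var copy = JsonNode.Parse(evt.ToJsonString())!.AsObject(); // never mutate the caller's event
        foreach (var name in copy.Select(p => p.Key).ToList())
        {
            if (!policy.Forbidden.Contains(name)) continue;
            copy[name] = "[REDACTED]"; // the raw value never leaves the process
            violations.Add($"forbidden field '{name}' redacted");
        }
        var present = new HashSet<string>(copy.Select(p => p.Key), StringComparer.OrdinalIgnoreCase);
        var missing = policy.Required.Where(f => !present.Contains(f)).ToList();
        violations.AddRange(missing.Select(f => $"required field '{f}' missing"));
        // Redaction alone still emits; a missing required field blocks the event.
        return new Governed(missing.Count == 0, copy, violations);
    }
}
public static class Program
{
    public static void Main()
    {
        var ci = StringComparer.OrdinalIgnoreCase; // match "SSN" and "ssn" alike
        var policy = new LogPolicy(
            new HashSet<string>(ci) { "ssn", "cardNumber", "cvv" },
            new HashSet<string>(ci) { "timestamp", "level", "correlationId", "service" });
        // Constructed sample: the demo event shown on this page.
        var evt = new JsonObject
        {
            ["timestamp"] = "2025-04-12T14:32:11.042Z", ["level"] = "Information",
            ["message"] = "Payment processed", ["correlationId"] = "ord-8821-xk",
            ["userId"] = "u_4492", ["ssn"] = "382-91-0047",
            ["cardNumber"] = "4111-1111-1111-1111", ["cvv"] = "392",
            ["amount"] = 149.99, ["service"] = "payment-api"
        };
        var result = SourceGovernor.Apply(evt, policy);
        if (result.Emit) Console.WriteLine(result.Event.ToJsonString()); // hand to the sink
        foreach (var v in result.Violations) Console.Error.WriteLine(v); // report separately from the event
    }
}
```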

Cerbi does not provide legal or compliance advice. Consult your compliance team for regulatory obligations specific to your industry.

Adoption

Adopt in minutes.

CerbiStream drops into your existing .NET logging setup. No migration. No new infrastructure on the hot path.

Full setup guide
01 Install from NuGet: Install-Package CerbiStream
02 Add one line to your logger: .UseCerbi(cfg => cfg.LoadProfile("governance.json"))
03 Store governance profiles as code: governance.json → committed, versioned, reviewed
04 Ship — nothing else changes: No agents · No pipeline rewrite · No sink replacement

Why teams adopt Cerbi

Four problems that source-side governance solves.

Prevent data leakage

Stop sensitive data at the source instead of masking later. PHI, PII, tokens, and credentials are blocked before they ever reach a downstream platform.

Improve audit readiness

Logs are compliant by default, not retroactively fixed. Every log event is governed at creation time, giving you a clean, defensible audit trail.

Reduce observability cost

Filter noise before ingestion. Blocking irrelevant events and redundant fields before they leave the application reduces Splunk and Datadog ingestion spend.

Standardize logging behavior

One policy across all services and teams. Required fields are enforced, schema violations are flagged, and logging behavior is consistent across every service.

Next

Understand why bad logging behavior is systemic, and what it costs.

The problems aren't random. Every team runs into the same patterns. See the full picture.

Why Cerbi