How It Works

Governance at the point of emission.
Not after the fact.

Cerbi intercepts every log event inside your application before it reaches any sink. No pipeline changes. No call-site rewrites. One line of setup.

How It Works

Logging behavior is governed inside your application, before it leaves the application.

Cerbi intercepts every log event between your framework and the underlying provider. No call-site rewrites. No pipeline replacements. No infrastructure changes.

Application

Your .NET service

Log emitted normally via MEL, Serilog, or NLog.

Governance Layer

Cerbi Governance Layer

In-process, no pipeline changes

Logging policy applied at emission time. Sensitive fields blocked. Schema validated. Violations tagged.

Governed Payload

Only clean, compliant data continues

Redacted fields never enter the pipeline.

Your existing destinations

SplunkDatadogAzure MonitorElasticOpenTelemetrySeq

What happens at each stage

Log emitted normally

Your application code calls _logger.LogInformation() or equivalent. No changes needed to existing call sites.

Logging policy applied in-process

CerbiStream intercepts the event inside the logging provider. Rules from your cerbi.json profile are evaluated at emission time.

Sensitive fields blocked before leaving

Fields matching DisallowedFields are blocked. Fields matching MaskFields are partially redacted. Violations are tagged on the event.

Only governed payload continues downstream

The sanitized log event is forwarded to your existing sinks: Splunk, Datadog, or wherever you send logs today.

Program.cs

builder.Logging.AddCerbiStream();

One line of setup. No changes to existing log call sites. No pipeline migration.

Before vs. after governance

Behavior enforcement before it leaves the application.

Logging policy is applied at emission time, not after data reaches your observability platform.

event.log: before governance
Unprotected
Sensitive data exposed
timestamp: "2024-11-14T09:22:11Z"
message: "User login attempt"
correlationId: "a3f7-c21b"
email: "john.doe@corp.com"PII
password: "abc123!"Credential
ssn: "123-45-6789"PHI
event.log: after governance
Governed
Policy enforced
timestamp: "2024-11-14T09:22:11Z"
message: "User login attempt"
correlationId: "a3f7-c21b"
email: "j***.d***@corp.com"Masked
password: "[REDACTED]"Blocked
ssn: "[BLOCKED]"Blocked

GovernanceViolations

ForbiddenField:password
ForbiddenField:ssn
MaskRequired:email

Logging policy is defined in a JSON profile and enforced at runtime. No pipeline changes, no call-site rewrites.

First hour value

What you will see in the first hour

  • Sensitive fields currently being logged
  • Missing required log fields
  • Logs that violate policy rules
  • Real-time governance violations tagged on events
governed-output.json
Policy enforced
{
  "message": "User login",
  "email": "[REDACTED]",
  "governanceViolations": [
    "SensitiveField: email"
  ]
}

Cerbi tags every governed event with the violations it detected and acted on, giving you an immediate, searchable record of what was blocked or masked.

Setup in 4 steps

From zero to governed in minutes.

CerbiStream provides build-time validation and runtime governance for your .NET logging pipeline.

01

Define Your Governance Profile

Create rules for required fields, forbidden patterns, and field severities. Store profiles as code in your repo.

Example governance policy
1{
2  "Version": "1.0.0",
3  "LoggingProfiles": {
4    "production": {
5      "RequiredFields": [
6        "timestamp",
7        "message",
8        "correlationId"
9      ],
10      "DisallowedFields": [
11        "ssn",
12        "creditCard",
13        "password"
14      ],
15      "FieldSeverities": {
16        "password": "Forbidden"
17      }
18    }
19  }
20}
Rule types:

Policies can be enforced during development, CI, staging, or production.

02

Validate at Build Time

The CerbiStream Roslyn analyzer runs during your standard dotnet build, emitting diagnostics for governance violations. Fail fast, fix early.

$ dotnet build

✗ Example governance findings:
  - Missing required field: correlationId
  - Disallowed field detected: password

(Output is representative; actual diagnostics depend
on your governance profile configuration.)
03

Govern at Runtime

One line to add CerbiStream. Use preset modes or 20+ environment variables for zero-code configuration changes in any environment.

// One-line setup
builder.Logging.AddCerbiStream();

// Or use preset modes:
.EnableDeveloperMode()  // Console on, Queue off
.ForProduction()        // Queue on, Telemetry on
.ForTesting()           // Console on, Governance on
.ForPerformance()       // All overhead disabled
04

Monitor & Report

CerbiStream tags events with governance metadata. Forward tags to your observability platform for monitoring, or review through CerbiShield dashboards.

// Example governance tags on log events
profile: production
violations: 0
redactions: 2
traceable: true
severity: Info

Tags can be exported for audit support and
internal policy validation.

Governance controls can help support internal policies and common compliance requirements. However, CerbiStream does not provide legal certification. Always validate configuration against your organization's specific requirements.

Interactive

Try the Developer Playground

Experiment with governance profiles and see validation in action. No setup required.

Sample Log Event
{
  "timestamp": "2024-01-15T10:30:00Z",
  "level": "Information",
  "correlationId": "abc-123-def",
  "message": "Order processed successfully",
  "orderId": "ORD-789",
  "customerId": "USR-456"
}

Governance Profile

Validation Output(simulated)
Click "Run Validation" to see results

Next

See which frameworks, destinations, and packages Cerbi works with today.

MEL, Serilog, NLog. Splunk, Datadog, Azure Monitor, and more. No rip-and-replace.

View Ecosystem