CerbiStream: Real-Time Governance-Enforced Logging for .NET

What if your logs could validate themselves while running — tagging violations without dropping a single event?
CerbiStream brings governance to your logs, adds structure, encrypts them, and routes them securely. All in real-time.

Enterprise-grade logging with structure, encryption, fallback, and real-time governance — built for cloud-native .NET developers.

🧠 Why CerbiStream Exists

As developers, we’ve all experienced logging mistakes:

  • Accidentally logging sensitive data like passwords or emails
  • Forgetting to include userId, requestId, or environment
  • Debugging issues with logs that have no structure, context, or traceability

CerbiStream is designed to help development teams avoid these problems by baking runtime validation, fallback safety, and contextual metadata into every log line.

It doesn’t just log your data. It governs it.

✨ What Is CerbiStream?

CerbiStream is a modular logging framework for .NET that helps developers:

  • ✅ Enforce runtime log structure via governance profiles
  • 🔐 Secure logs with AES encryption (a Base64 mode is also offered, but Base64 is an encoding and provides no confidentiality)
  • 🚦 Auto-tag logs with metadata and trace info
  • 📂 Fallback to encrypted local files if queues fail
  • 📡 Send to queues, cloud storage, or telemetry in parallel

🚀 Quick Setup

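Install the package:

dotnet add package CerbiStream

Then register CerbiStream with the logging builder:

// myKey and myIv are defined elsewhere by the application.
builder.Logging.AddCerbiStream(options =>
{
    options.WithQueue("RabbitMQ", "localhost", "logs")   // primary destination
           .WithFileFallback("logs/fallback.json")       // used if the queue fails
           .WithEncryptionMode(EncryptionType.AES)
           .WithEncryptionKey(myKey, myIv)
           .WithGovernanceChecks(true)                   // runtime governance validation
           .EnableProductionMode();
});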

🔐 Real-Time Governance Enforcement

The real-time governance feature rolled out recently with Cerbi.Governance.Runtime — and it’s just the beginning. We’ve built it into CerbiStream to validate logs as they happen, without slowing development workflows or requiring devs to memorize rules.

We’re actively extending this to other ecosystems:

  • 🔜 Cerbi.Serilog.GovernanceAnalyzer
  • 🔜 Cerbi.NLog.GovernanceAnalyzer
  • 🔜 Cerbi.Log4Net.GovernanceAnalyzer

This will bring consistent, policy-driven enforcement across the most popular logging stacks in .NET.

With Cerbi.Governance.Runtime, CerbiStream validates logs against governance profiles at runtime. This removes the dependency on build-time analyzers and works across environments and dynamic deployment scenarios.

How it works:

  • Profiles define expected fields, severity, and topics.
  • When a log is written, it is evaluated against the profile before being routed.
  • If the log is non-compliant, governance metadata is injected (e.g., GovernanceViolations, GovernanceProfileUsed, etc.).
  • If Relax() is applied, governance is intentionally bypassed, but the log is still tagged with "GovernanceRelaxed": true for audit and scoring.

✅ This approach ensures logs aren’t dropped — they are tagged, not blocked, making it easy to score or flag them downstream without causing operational noise or alert spam.

➡️ Future versions will integrate this tagging into CerbiSense for governance scoring and trend analysis across teams and services.

CerbiStream uses JSON-based profiles and applies them at runtime, so developers aren’t locked into compile-time analyzers.

{
  "EnforcementMode": "Strict",
  "LoggingProfiles": {
    "Orders": {
      "RequireTopic": true,
      "AllowedTopics": ["Orders"],
      "FieldSeverities": {
        "userId": "Required",
        "email": "Required",
        "password": "Forbidden"
      },
      "AllowRelax": true
    }
  }
}

Tag your class with:

[CerbiTopic("Orders")]
public class OrderService { }

🛄 Example Logs

✅ Compliant Log

logger.LogInformation("Order started", new { userId = "u123", email = "demo@site.com" });

{
  "Message": "Order started",
  "userId": "u123",
  "email": "demo@site.com",
  "GovernanceProfileUsed": "Orders",
  "TimestampUtc": "2025-05-19T10:42:01Z"
}

❌ Violation (Missing Required Fields)

logger.LogWarning("Something went wrong");

{
  "Message": "Something went wrong",
  "GovernanceViolations": ["Missing: userId", "Missing: email"],
  "GovernanceMode": "Strict"
}

🛑 Relaxed Log (Explicit Bypass)

logger.Relax().LogError("Emergency override triggered");

{
  "Message": "Emergency override triggered",
  "GovernanceRelaxed": true,
  "LogLevel": "Error"
}
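
A downstream consumer for the tagged output shown above, as an added example (not CerbiStream or CerbiSense code): it re-checks each JSON event against the Orders profile, redacts Forbidden fields, and computes a simple compliance ratio. The status names, the scoring rule, and the premise that a Forbidden value can still reach the consumer are assumptions; the page does not specify them.

```python
import json

# "Orders" profile from the page (only the keys this audit uses).
PROFILE = {"AllowRelax": True,
           "FieldSeverities": {"userId": "Required", "email": "Required",
                               "password": "Forbidden"}}

# Constructed sample events: the page's three outputs plus one untagged event
# carrying a Forbidden field (assumption: tagging alone does not strip it).
SAMPLE_LINES = [
    '{"Message": "Order started", "userId": "u123", "email": "demo@site.com", "GovernanceProfileUsed": "Orders"}',
    '{"Message": "Something went wrong", "GovernanceViolations": ["Missing: userId", "Missing: email"], "GovernanceMode": "Strict"}',
    '{"Message": "Emergency override triggered", "GovernanceRelaxed": true, "LogLevel": "Error"}',
    '{"Message": "Login failed", "userId": "u9", "email": "a@b.example", "password": "constructed-value"}',
]

def audit_event(event, profile=PROFILE):
    """Re-check one event downstream; return (finding, sanitized_event)."""
    sev = profile["FieldSeverities"]
    forbidden = sorted(f for f, s in sev.items() if s == "Forbidden" and f in event)
    missing = sorted(f for f, s in sev.items() if s == "Required" and f not in event)
    # Redact first: relaxed or already-tagged events can still carry secrets.
    clean = {k: ("[REDACTED]" if k in forbidden else v) for k, v in event.items()}
    if event.get("GovernanceRelaxed") is True:
        # A relaxed event is only accepted when the profile sets AllowRelax.
        status = "relaxed" if profile.get("AllowRelax") else "relax-not-allowed"
        return {"status": status, "missing": [], "forbidden": forbidden}, clean
    if event.get("GovernanceViolations"):
        status = "violation"            # the producer already tagged it
    elif missing or forbidden:
        status = "untagged-violation"   # found here, not tagged by the producer
    else:
        status = "compliant"
    return {"status": status, "missing": missing, "forbidden": forbidden}, clean

def audit_stream(lines, profile=PROFILE):
    """Return (status counts, compliance score, sanitized events)."""
    counts, sanitized = {}, []
    for line in lines:
        finding, clean = audit_event(json.loads(line), profile)
        counts[finding["status"]] = counts.get(finding["status"], 0) + 1
        sanitized.append(clean)
    # Assumed scoring rule: relaxed events are audited separately, not scored.
    scored = sum(n for s, n in counts.items() if not s.startswith("relax"))
    score = round(counts.get("compliant", 0) / scored, 2) if scored else 1.0
    return counts, score, sanitized

if __name__ == "__main__":
    print(audit_stream(SAMPLE_LINES)[:2])
```

An "untagged-violation" count above zero points at events that reached the pipeline without passing through the governed logger, which is worth alerting on separately from ordinary tagged violations.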

📂 File Fallback Example

options.WithEncryptedFallback("fallback.json", "primary.json", key, iv);

Logs are written securely:

[ENCRYPTED] <AES Payload> [/ENCRYPTED]

☁️ Supported Targets

  • 📨 Queues: RabbitMQ, Azure Service Bus, Kafka, AWS SQS, GCP Pub/Sub
  • 🧠 Telemetry: App Insights, OpenTelemetry, Datadog, CloudWatch
  • 📂 Storage: Azure Blob, AWS S3, Google Cloud Storage

🧪 Preset Modes for Easy Setup

options.EnableDevModeMinimal();             // Console only
options.EnableDeveloperModeWithTelemetry(); // Local testing
options.EnableProductionMode();             // Full governance
options.EnableBenchmarkMode();              // Silent for perf tests

📊 Benchmarked vs. Serilog

| Feature | CerbiStream ✅ | Serilog ❌ |
|---|---|---|
| Real-Time Governance | ✅ Yes | ❌ No |
| Full Payload Encryption | ✅ Built-in AES | ❌ Requires plugins |
| Fallback Logging | ✅ Encrypted | 🔸 Limited |
| Telemetry + Queues | ✅ Dual support | 🔸 Separate sinks |

View benchmarks

🧾 Summary

In this article, we covered:

  • Why log governance is a human problem
  • What CerbiStream does differently
  • How runtime enforcement tags non-compliant logs
  • What compliant, violating, and relaxed log output looks like
  • How fallback, telemetry, and encryption features help build safer systems
  • The roadmap for supporting other loggers

CerbiStream was created to help developers log confidently and securely — without losing productivity. Try it out, enforce your standards, and eliminate log regret.

🔗 Try It Out

📦 NuGet Packages

CerbiStream is open source and evolving fast. Let us know your use case or suggest a feature!
Happy logging 🙌
