CerbiStream 1.1.103


CerbiStream v2.0 — Developer-First Logging Governance for .NET


CerbiStream v2.0 is the developer-first governance layer for .NET logging. One line of code gives you PII protection, automatic redaction, and enterprise-grade compliance.

Targets .NET 8.0, .NET 9.0, and .NET 10.0.

// That's it! One line to secure your logs.
builder.Logging.AddCerbiStream();

🚀 What's New in v2.0

Developer-First Experience

  • One-line setup — AddCerbiStream() just works with zero configuration
  • Auto-generated governance policy — Sensible PII defaults created automatically
  • Preset modes — EnableDeveloperMode(), ForProduction(), ForTesting(), ForPerformance()

Built-in Sensitive Field Detection (NEW!)

  • 11 high-confidence PII patterns detected automatically — password, secret, apikey, ssn, creditcard, and more
  • Zero-config protection — works even without a governance profile
  • Value from day zero — install, log, and immediately get governance feedback
  • Customer overrides — profile-level settings always take precedence over built-in defaults

Environment Variable Configuration

  • Zero-code deployments — Same code works everywhere, controlled by environment
  • Instant debugging — Enable console output in production without redeploying
  • Kubernetes/Docker native — 20+ environment variables for complete control

Enterprise Features

  • Azure App Insights integration — Built-in telemetry provider
  • Queue scoring — Send governance metadata to queues for analytics
  • Encrypted file fallback — AES-256 encrypted local logs when queues fail
  • Hot-reload governance — Policy changes apply instantly without restart

🔑 Key Features

🛡️ Built-in Sensitive Field Detection

CerbiStream automatically detects common sensitive fields in your logs via SensitiveFieldCatalog — no governance profile needed. This provides instant value from the moment you install the package.

11 built-in patterns: password, secret, accesstoken, refreshtoken, authtoken, bearertoken, apikey, connectionstring, privatekey, ssn, creditcard

Field names are normalized (lowercase, strip hyphens/underscores) so AccessToken, access_token, and access-token all match.

// Install CerbiStream → log with sensitive fields → get instant governance feedback
builder.Logging.AddCerbiStream();

logger.LogInformation("Login attempt {password} {userId}", "secret123", "u-123");
// → GovernanceViolation: "password" matched built-in sensitive field pattern
// → No profile configuration needed!

Profile-level configuration always takes precedence — if your profile explicitly addresses a field, the built-in default is skipped.

Governance rules (runtime enforcement)

  • Validate log payloads against a governance profile (cerbi_governance.json).
  • Tag events with:
    • GovernanceViolations
    • GovernanceProfileVersion
    • GovernanceRelaxed
  • Case-insensitive matching for forbidden/disallowed fields.

Redaction

  • Automatic in-place redaction of:
    • DisallowedFields
    • Fields with severity Forbidden
  • Works on structured payloads so you don't leak values to downstream sinks.

Runtime validation

  • Backed by Cerbi.Governance.Runtime v2.0.23.
  • File watcher for hot-reloading governance profiles when cerbi_governance.json changes.
  • Consistent behavior across CerbiStream, Cerbi.MEL.Governance, and Serilog/MEL plugins.

Analyzer integration

Pair CerbiStream with Cerbi analyzers to catch issues before runtime:

  • Lint for risky fields (e.g., password, ssn, creditCard).
  • Enforce required context and schemas during development.
  • Shift PII problems left into CI and IDEs.

Performance

  • Allocation-aware adapter:
    • Pooled dictionaries for structured state
    • Streaming JSON parsing (Utf8JsonReader) for violation fields
  • Minimal "dev mode" & "benchmark mode" for hot-path tuning.
  • Benchmarks show parity with established loggers on baseline scenarios.
  • Built-in sensitive field catalog uses static readonly arrays — zero allocation after initialization.

Encryption

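  • Optional AES or Base64 mode for file fallback logs. Base64 is an encoding, not encryption, so only the AES mode keeps the fallback file's contents confidential.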
  • Encrypted file rotation service for:
    • max size
    • max age
  • Centralized encryption mode selection via Cerbi options.

ML-ready metadata

  • Consistent, structured fields:
    • GovernanceViolations
    • GovernanceProfileVersion
    • GovernanceRelaxed
    • Environment/instance tags
  • Makes downstream queries and ML features predictable and repeatable across tools (Loki, Seq, ELK/OpenSearch, Graylog, VictoriaLogs, OpenObserve, etc.).

🤔 Why CerbiStream vs Serilog / NLog / OpenTelemetry?

CerbiStream is not trying to replace Serilog/NLog/OTEL. It's a governance layer in front of them.

  • Serilog / NLog / log4net

    • Great at structured logging and sink ecosystems.
    • Do not enforce:
      • Required fields
      • Forbidden fields
      • Runtime redaction driven by governance profiles
  • OpenTelemetry (OTEL)

    • Great at telemetry pipelines and exporters (OTLP, OTEL Collector, Prometheus, etc.).
    • Does not enforce policy-based PII rules on application payloads.

CerbiStream complements these:

  • Validates/marks/redacts logs before:
    • Serilog sinks
    • NLog targets
    • OTEL exporters / Collector
    • Loki / Seq / ELK / Graylog / VictoriaLogs / OpenObserve / TelemetryHarbor / Fluentd / Alloy / syslog

Use CerbiStream when:

  • You need .NET logging governance with explicit profiles and enforcement.
  • You must guarantee PII-safe logging before data leaves the process.
  • You want runtime validation plus analyzer-time enforcement.
  • You prefer safe defaults with opt-in relaxation for diagnostics.

🧪 Demo API for hands-on testing

Want to see CerbiStream governance in action without wiring up your own project? Try the public demo API built for quick evaluation:

  • Repository: Cerbistream.Governance.Demo.API
  • Includes ready-to-run .NET API endpoints that emit governed logs using CerbiStream.
  • Pair it with the demo's cerbi_governance.json to watch runtime validation and redaction behaviors end-to-end.

⚡ Quickstart (One Line!)

1) Install

dotnet add package CerbiStream

2) Add to your app

// Program.cs - That's it! One line!
builder.Logging.AddCerbiStream();

Done! You now have:

  • ✅ PII protection (passwords, SSNs, credit cards auto-detected via built-in catalog)
  • ✅ 11 sensitive field patterns active out of the box
  • ✅ Governance policy auto-generated
  • ✅ Console output for development
  • ✅ Auto-detects environment variables for zero-code config changes
  • ✅ Ready for production upgrade

3) Log as usual

// Just use standard ILogger - CerbiStream handles the rest
logger.LogInformation("User signup {email} {ssn}", "a@b.com", "111-11-1111");
// Output: ssn is automatically redacted to "***REDACTED***"

🎯 Configuration Presets

// Development (default) — Console on, queue off, governance on
builder.Logging.AddCerbiStream();

// Production — Full governance, telemetry, queue enabled
builder.Logging.AddCerbiStream(o => o.ForProduction());

// Testing — Governance on, no external dependencies
builder.Logging.AddCerbiStream(o => o.ForTesting());

// Performance — All enrichment disabled for benchmarks
builder.Logging.AddCerbiStream(o => o.ForPerformance());

| Preset | Console | Queue | Governance | Telemetry |
|---|---|---|---|---|
| EnableDeveloperMode() | ✅ | ❌ | ✅ | ❌ |
| ForProduction() | ❌ | ✅ | ✅ | ✅ |
| ForTesting() | ✅ | ❌ | ✅ | ❌ |
| ForPerformance() | ❌ | ❌ | ❌ | ❌ |

Environment Variable Configuration

Zero code changes — deploy the same code everywhere, control behavior with environment variables.

Quick Mode Switch

# Linux/Mac
export CERBISTREAM_MODE=production

# Windows PowerShell
$env:CERBISTREAM_MODE = "production"

# Docker
docker run -e CERBISTREAM_MODE=production myapp

# Kubernetes
env:
  - name: CERBISTREAM_MODE
    value: "production"

All Environment Variables

| Variable | Values | Description |
|---|---|---|
| CERBISTREAM_MODE | development, production, testing, performance | Master preset switch |
| CERBISTREAM_GOVERNANCE_ENABLED | true/false | Toggle PII redaction |
| CERBISTREAM_GOVERNANCE_PROFILE | Profile name | e.g., myapp, default |
| CERBI_GOVERNANCE_PATH | File path | Path to governance JSON |
| CERBISTREAM_QUEUE_ENABLED | true/false | Toggle queue sending |
| CERBISTREAM_QUEUE_TYPE | AzureServiceBus, RabbitMQ, Kafka, etc. | Queue provider |
| CERBISTREAM_QUEUE_CONNECTION | Connection string | Queue connection |
| CERBISTREAM_QUEUE_NAME | Queue name | Target queue/topic |
| CERBISTREAM_ENCRYPTION_MODE | None, Base64, AES | Encryption type |
| CERBISTREAM_CONSOLE_OUTPUT | true/false | Console logging |
| CERBISTREAM_TELEMETRY_ENABLED | true/false | Telemetry sending |
| CERBISTREAM_FILE_FALLBACK_ENABLED | true/false | File fallback |

Debug Production Issues Instantly

# Enable console output without redeploying
kubectl set env deployment/myapp CERBISTREAM_CONSOLE_OUTPUT=true

# Disable queue temporarily
kubectl set env deployment/myapp CERBISTREAM_QUEUE_ENABLED=false

Layered Configuration

Environment variables + code config work together:

// Start from environment, then override specific settings
builder.Logging.AddCerbiStream(o => o
    .FromEnvironment()                    // Load from env vars
    .WithGovernanceProfile("override"));  // Code takes precedence

🔧 Advanced Configuration

builder.Logging.AddCerbiStream(options => options
    .ForProduction()
    .WithGovernanceProfile("myservice")
    .WithQueueRetries(true, retryCount: 5, delayMilliseconds: 500)
    .WithFileFallback("logs/fallback.json", "logs/primary.json")
    .WithAesEncryption()
    .WithEncryptionKey(key, iv)
    .WithTelemetryProvider(myTelemetryProvider));

Governance Runtime & Analyzer Compatibility

| TFM | CerbiStream package | Cerbi.Governance.Core | Cerbi.Governance.Runtime | CerbiStream.GovernanceAnalyzer |
|---|---|---|---|---|
| net8.0 | latest | 2.2.29 | 2.0.23 | latest |
| net9.0 | latest | 2.2.29 | 2.0.23 | latest |
| net10.0 | latest | 2.2.29 | 2.0.23 | latest |

All packages now use the canonical Profile model and CerbiShield.Contracts v1.2.1 for consistent governance enforcement across the entire ecosystem.


Governance Example: Before vs After

Before (unsafe):

{
  "message": "User signup",
  "email":   "a@b.com",
  "ssn":     "111-11-1111"
}

After (governed by CerbiStream):

{
  "message": "User signup",
  "email": "a@b.com",
  "ssn": "***REDACTED***",
  "GovernanceViolations": [
    { "Code": "ForbiddenField", "Field": "ssn" }
  ],
  "GovernanceProfileVersion": "1.0.0"
}

Opt-in relaxation for intentional diagnostics:

logger.LogInformation("debug payload", new
{
    GovernanceRelaxed = true,
    dump = secretPayload
});

When GovernanceRelaxed = true and your profile allows relax, CerbiStream skips enforcement/redaction for that entry but still tags it as relaxed for downstream scoring and audit.


🧾 Governance Profile (Canonical JSON)

{
  "name": "PII Protection",
  "appName": "my-service",
  "version": "1.0.0",
  "status": "Published",
  "metadata": {
    "description": "Prevents PII leakage in application logs",
    "owner": "security-team"
  },
  "requiredFields": ["message", "timestamp"],
  "disallowedFields": ["ssn", "creditCard"],
  "fieldSeverities": {
    "password": "Forbidden",
    "creditCard": "Forbidden"
  },
  "encryption": {
    "mode": "AES",
    "encryptedFields": ["ssn", "email"]
  },
  "allowRelax": false
}

Notes:

  • disallowedFields and any field with severity Forbidden will be redacted.
  • requiredFields are validated and surfaced as violations when missing.
  • Profiles are just JSON – keep them in Git, and let Cerbi's file watcher hot-reload changes.
  • Built-in sensitive field detection provides a safety net even without a profile.
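
The enforcement rules described on this page (case-insensitive matching, redaction of disallowedFields and Forbidden-severity fields, required-field violations, and relaxation gated by allowRelax) modelled as a stand-alone C# program. This is an added example, not CerbiStream's own code: the Govern function, the MissingRequiredField code and both sample entries are assumptions constructed for illustration.

```csharp
// Added example: a stand-alone model of the rules described above. It does not call CerbiStream.
// Govern() and the "MissingRequiredField" code are hypothetical names used only in this sketch.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Nodes;

// Constructed profile: a subset of the canonical JSON shown above.
var policy = JsonNode.Parse("""
{
  "version": "1.0.0",
  "requiredFields": ["message", "timestamp"],
  "disallowedFields": ["ssn", "creditCard"],
  "fieldSeverities": { "password": "Forbidden", "creditCard": "Forbidden" },
  "allowRelax": false
}
""")!.AsObject();

// Constructed entries: a mixed-case field name, and a relax request the profile refuses.
var signup = new JsonObject
{
    ["message"] = "User signup", ["timestamp"] = "2026-01-01T00:00:00Z",
    ["email"] = "a@b.com", ["SSN"] = "111-11-1111"
};
var debug = new JsonObject { ["message"] = "debug payload", ["GovernanceRelaxed"] = true, ["Password"] = "secret123" };
var pretty = new JsonSerializerOptions { WriteIndented = true };
Console.WriteLine(Govern(signup, policy).ToJsonString(pretty));
Console.WriteLine(Govern(debug, policy).ToJsonString(pretty));

static JsonObject Govern(JsonObject entry, JsonObject profile)
{
    var result = entry.DeepClone().AsObject();   // leave the caller's payload untouched
    result["GovernanceProfileVersion"] = profile["version"]?.GetValue<string>();

    // Relaxation needs both the per-entry flag and allowRelax in the profile.
    bool requested = entry["GovernanceRelaxed"] is JsonValue v && v.TryGetValue(out bool flag) && flag;
    bool relaxed = requested && profile["allowRelax"]?.GetValue<bool>() == true;
    if (requested) result["GovernanceRelaxed"] = relaxed;   // assumption: tag shows what was honoured
    if (relaxed) return result;                              // enforcement skipped, entry stays tagged

    // Forbidden set: disallowedFields plus every field whose severity is Forbidden.
    var forbidden = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    foreach (var f in profile["disallowedFields"]?.AsArray() ?? new JsonArray())
        forbidden.Add(f!.GetValue<string>());
    foreach (var (fieldName, severity) in profile["fieldSeverities"]?.AsObject() ?? new JsonObject())
        if (string.Equals(severity?.GetValue<string>(), "Forbidden", StringComparison.OrdinalIgnoreCase))
            forbidden.Add(fieldName);
    var violations = new JsonArray();
    foreach (var (key, _) in entry)
    {
        if (!forbidden.Contains(key)) continue;
        result[key] = "***REDACTED***";          // redact the value, keep the field name
        violations.Add(new JsonObject { ["Code"] = "ForbiddenField", ["Field"] = key });
    }
    foreach (var req in profile["requiredFields"]?.AsArray() ?? new JsonArray())
    {
        var name = req!.GetValue<string>();
        if (!entry.Any(p => p.Key.Equals(name, StringComparison.OrdinalIgnoreCase)))
            violations.Add(new JsonObject { ["Code"] = "MissingRequiredField", ["Field"] = name });
    }
    if (violations.Count > 0) result["GovernanceViolations"] = violations;
    return result;
}
```

Run it as the Program.cs of a .NET 8 console project. The second entry stays redacted even though it sets GovernanceRelaxed, because the constructed profile has allowRelax set to false.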

📈 Performance

CerbiStream includes a Benchmark & Evaluation suite that compares it to:

  • Microsoft.Extensions.Logging (MEL)
  • Serilog
  • NLog
  • log4net

Baseline summary (Release, .NET 8, no-op sinks):

| Scenario | Relative throughput |
|---|---|
| Baseline (MEL console) | 1.00x |
| Serilog console | 0.95x–1.05x |
| NLog console | 0.90x–1.00x |
| CerbiStream + console | ~0.90x–0.98x |

What makes it fast:

  • Allocation-aware adapter with:

    • Pooled Dictionary<string, object>
    • Pooled HashSet<string>
  • Streaming parse of governance metadata via Utf8JsonReader

  • Immediate short-circuit when GovernanceRelaxed is set

  • SensitiveFieldCatalog uses static readonly arrays — zero allocation per-request

Run the repo's benchmarks:

  • Windows: scripts/bench.ps1
  • Linux/macOS: scripts/bench.sh
  • Or directly:
dotnet run --project Cerbi-Benchmark-Tests/Cerbi-Benchmark-Tests.csproj -c Release

For full benchmark commentary, see the CerbiStream Benchmark & Evaluation Suite README in this repo.


🔗 Integration Patterns

  • MEL: Primary integration via AddCerbiStream / AddCerbiGovernanceRuntime.

  • Serilog: Wrap your Serilog-backed ILoggerFactory so Cerbi governance runs before Serilog sinks.

  • NLog / log4net: Integrate via MEL or by routing governed events into existing targets.

  • OpenTelemetry: Use CerbiStream in the app, then export via OTLP to the OTEL Collector. Logs arrive already governed/redacted.

  • Azure Container Apps (ACA) / Kubernetes: CerbiStream is fully compatible with containerized .NET apps:

    • Environment variables: Set CERBI_GOVERNANCE_PATH=/app/config/cerbi_governance.json to override the default location.
    • ConfigMaps / Volumes: Mount your governance profile as a read-only volume; the library's FileSystemWatcher gracefully degrades on read-only mounts, falling back to timestamp-based reload checks.
    • AppContext.BaseDirectory: Falls back to ./cerbi_governance.json next to the app executable when CERBI_GOVERNANCE_PATH is not set.
    • Performance: Pooled dictionaries, HashSets, and streaming JSON parsing ensure minimal allocation overhead at high throughput.
    • Health checks: Use AddCerbiStreamHealthChecks() to expose /cerbistream/health and /cerbistream/metrics endpoints for ACA/K8s probes.

    Example for ACA deployment:

    containers:
      - name: myapp
        image: myregistry.azurecr.io/myapp:latest
        env:
          - name: CERBI_GOVERNANCE_PATH
            value: "/app/config/cerbi_governance.json"
        volumeMounts:
          - name: governance-config
            mountPath: /app/config
            readOnly: true
    volumes:
      - name: governance-config
        secret:
          secretName: cerbi-governance
    
  • Downstream stacks: CerbiStream plays nicely with:

    • Grafana Loki / Promtail / Alloy
    • Seq
    • ELK / OpenSearch
    • Graylog
    • VictoriaLogs / VictoriaMetrics
    • OpenObserve
    • TelemetryHarbor
    • Fluentd / Fluent Bit
    • Journald / basic syslog + grep/tail

You don't need a CerbiStream.Fluentd or CerbiStream.Alloy NuGet package. You need: CerbiStream in-process, plus configuration for your collector/exporter to ingest those governed logs.


📊 CerbiShield Scoring Identity (v1.1)

CerbiStream automatically enriches every ScoringEventDto with identity metadata for end-to-end traceability in CerbiShield dashboards.

Identity Fields

| Field | Source | Purpose |
|---|---|---|
| ServiceName | CerbiStreamOptions.ServiceName | Logical service name |
| AppVersion | EnvironmentDetector.AppVersion (auto) | Deployed assembly version |
| InstanceId | EnvironmentDetector.InstanceId (auto) | Container/pod instance |
| DeploymentId | DEPLOYMENT_ID env var | Release tracking ID |
| ProfileName | Governance profile name | Stamped onto every ViolationDto |
| AppName | ServiceName or log data | Stamped onto every ViolationDto |

All identity fields are set automatically via ScoringEventTransformer.Transform(). Each ViolationDto is stamped with ProfileName and AppName for downstream linkage to the originating app and governance profile.

This is consistent across all Cerbi SDKs (Serilog, NLog, MEL, CerbiStream).


❓ FAQ

Does this replace Serilog or NLog? No. CerbiStream is a governance layer, not a sink library. Keep Serilog/NLog/OTEL; add CerbiStream to enforce profiles and redaction before events flow into those stacks.


What about performance overhead? CerbiStream is designed to be competitive with top loggers. Baseline cost is close to raw MEL; governance/redaction cost is explicit and measurable in the included benchmarks. The built-in SensitiveFieldCatalog uses static readonly arrays — zero allocation per request.


What happens when governance is disabled or relaxed?

  • When disabled, CerbiStream behaves like a thin pass-through provider.

  • When GovernanceRelaxed = true, enforcement is skipped for that entry:

    • No redaction
    • Event is tagged as relaxed for downstream scoring

Do I need a governance profile to get value? No! CerbiStream's built-in SensitiveFieldCatalog detects 11 common sensitive field patterns (passwords, API keys, SSNs, credit cards, etc.) with zero configuration. Install, log, and immediately get governance feedback. Profiles give you fine-grained control when you're ready.


Can I manage governance profiles centrally? Yes. Profiles can be generated and deployed via CerbiShield (governance dashboard) and consumed by CerbiStream, MEL plugins, and Serilog governance adapters.


✅ Test Coverage

325 tests passing across:

  • 55 integration tests
  • 270 unit tests (135 × 2 frameworks: .NET 8 & .NET 10)

Test categories:

  • Zero-config setup
  • All preset modes
  • Governance redaction
  • Encryption pathways
  • Telemetry integration
  • Environment variable configuration
  • Queue scoring
  • File fallback

🏆 Trusted By

  • Microsoft Partner (ISV)
  • Harvard Innovation Lab
  • 49.6K+ NuGet downloads

📚 Documentation


🔗 Ecosystem

| Package | Version | Purpose |
|---|---|---|
| CerbiStream | latest | Core logging governance with built-in sensitive field detection |
| Cerbi.Governance.Core | 2.2.29 | Canonical Profile model, SensitiveFieldCatalog, validation helpers |
| Cerbi.Governance.Runtime | 2.0.23 | Runtime validation engine with CompiledProfile and scoring |
| Cerbi.GovernanceAnalyzer | 1.0.0 | Roslyn analyzer — 9 compile-time diagnostics (CERBI001-009) |
| Cerbi.Serilog.GovernanceAnalyzer | latest | Serilog runtime governance enforcement |
| Cerbi.MEL.Governance | latest | MEL runtime governance enforcement |
| Cerbi.NLog.GovernanceAnalyzer | latest | NLog runtime governance enforcement |
| CerbiShield | — | Enterprise governance dashboard |

✨ Call to Action

  • ⭐ Star the repo if CerbiStream helps keep your logs safe and compliant.

  • 🧪 Use it side-by-side with your existing logger to evaluate governance impact.

  • 💬 Open issues for:

    • Additional examples (Fluentd, Alloy, Loki, OTEL Collector configs)
    • Feature requests
    • Benchmark scenarios you care about

📞 Support


📄 License

MIT License — see LICENSE for details.


CerbiStream v2.0 — Developer-first logging governance for .NET
cerbi.io (https://cerbi.io) | NuGet (https://www.nuget.org/packages/CerbiStream) | GitHub (https://github.com/Zeroshi/Cerbi-CerbiStream)

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

| Version | Downloads | Last Updated |
|---|---|---|
| 1.1.103 | 33 | 3/20/2026 |
| 1.1.102 | 91 | 2/27/2026 |
| 1.1.95 | 102 | 2/12/2026 |
| 1.1.94 | 102 | 2/10/2026 |
| 1.1.91 | 101 | 2/4/2026 |
| 1.1.88 | 108 | 1/31/2026 |
| 1.1.87 | 109 | 1/31/2026 |
| 1.1.86 | 162 | 1/1/2026 |
| 1.1.85 | 114 | 12/29/2025 |
| 1.1.84 | 101 | 12/29/2025 |
| 1.1.83 | 135 | 12/21/2025 |
| 1.1.82 | 1,085 | 12/19/2025 |
| 1.1.80 | 845 | 12/3/2025 |
| 1.1.79 | 678 | 12/3/2025 |
| 1.1.78 | 208 | 11/25/2025 |
| 1.1.77 | 263 | 11/22/2025 |
| 1.1.76 | 257 | 11/22/2025 |
| 1.1.75 | 254 | 11/22/2025 |
| 1.1.74 | 194 | 11/15/2025 |
| 1.1.73 | 200 | 11/15/2025 |

See docs/RELEASE-NOTES.md