This page explains how Certificate Manager logs various types of information about its operation and how to view that information.
Logs
To view Certificate Manager logs, use the Logs Explorer in the Google Cloud console.
Certificate Manager provides the Google Cloud logs described in Google Cloud logs.
Certificate Manager uses Cloud Logging to capture and store logs. Certificate Manager logging is always enabled and only captures a minimal amount of information specifically related to certificate expiration. The Certificate Manager monitored resource type is certificatemanager.googleapis.com/Project.
You can also capture and retrieve Certificate Manager logs using Cloud Logging. See the documentation for Cloud Logging client libraries for information on how to configure this logging mechanism.
Configure log alerts
You can configure alerts for events that Certificate Manager writes to Cloud Logging, such as certificate expiration. For instructions, see Configure log-based alerts.
For example, to configure an alert for certificates that have expired, use the following as the alert query:
logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "EXPIRED"
If you want to configure an alert for certificates that are close to expiration, use the following as the alert query:
logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "CLOSE_TO_EXPIRY"
Replace PROJECT_ID with the ID of the target Google Cloud project.
For Google-managed certificates, CLOSE_TO_EXPIRY logs are generated daily, starting 5-10 days before expiration, depending on the certificate's lifetime and renewal process. For self-managed certificates too, CLOSE_TO_EXPIRY logs are generated daily, starting 10 days before expiration.
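The two alert queries above can be generated and wrapped in a log-match alerting policy body instead of being typed by hand. The following is an added example, not code from this page or from Google: the function names, the example-project ID, the CHANNEL_ID placeholder and the one-hour rate limit are assumptions, and the dictionary follows the shape of a Cloud Monitoring AlertPolicy resource.

```python
import json
import re
from urllib.parse import quote

# Log ID from the page; "/" must appear as %2F inside logName.
LOG_ID = "certificatemanager.googleapis.com/certificates_expiry"
STATES = ("EXPIRED", "CLOSE_TO_EXPIRY")  # the two states the page queries
# Standard project ID form: 6-30 chars, lowercase letters, digits, hyphens.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def expiry_filter(project_id: str, state: str) -> str:
    """Return the page's alert query for one project and one state."""
    # Reject anything that could break out of the quoted filter string.
    if not PROJECT_ID_RE.match(project_id):
        raise ValueError(f"not a valid project ID: {project_id!r}")
    if state not in STATES:
        raise ValueError(f"unknown state: {state!r}")
    log_name = f"projects/{project_id}/logs/{quote(LOG_ID, safe='')}"
    return f'logName = "{log_name}" AND jsonPayload.state = "{state}"'


def expiry_alert_policy(project_id, state, channels, rate_limit_s=3600):
    """Build an AlertPolicy body with one log-match condition."""
    return {
        "displayName": f"Certificate Manager: {state}",
        "combiner": "OR",
        "conditions": [{
            "displayName": f"certificates_expiry state={state}",
            "conditionMatchedLog": {"filter": expiry_filter(project_id, state)},
        }],
        # Log-based alerting policies require a notification rate limit.
        # CLOSE_TO_EXPIRY entries repeat daily, so this also bounds repeats.
        "alertStrategy": {
            "notificationRateLimit": {"period": f"{rate_limit_s}s"}
        },
        "notificationChannels": list(channels),
    }


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    chan = ["projects/example-project/notificationChannels/CHANNEL_ID"]
    for s in STATES:
        print(json.dumps(expiry_alert_policy("example-project", s, chan), indent=2))
```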
Metrics
This section lists the metrics supported by Certificate Manager. To view Certificate Manager metrics, use the Metrics Explorer in the Google Cloud console.
Standard metrics
Certificate Manager writes the following standard Cloud Monitoring API metrics:
serviceruntime.googleapis.com/api/request_count
- Kind: Delta
- Type: INT64
- Unit: 1
- protocol indicates the request's protocol, such as http or grpc.
- response_code is the HTTP (or equivalent for gRPC) response code for HTTP/gRPC requests. See code list.
- response_code_class is the class (or equivalent for gRPC) of the response code, such as `200` or `400`.
- grpc_status_code is the gRPC response code or its HTTP equivalent. See code list.
serviceruntime.googleapis.com/api/request_latencies
- Kind: Delta
- Type: DISTRIBUTION
- Unit: Seconds
serviceruntime.googleapis.com/api/request_sizes
- Kind: Delta
- Type: DISTRIBUTION
- Unit: Byte
serviceruntime.googleapis.com/api/response_sizes
- Kind: Delta
- Type: DISTRIBUTION
- Unit: Byte
Custom metrics
Additionally, Certificate Manager writes the following custom metrics using the Cloud Monitoring API:
certificatemanager.googleapis.com/project/certificates
- Kind: GAUGE
- Type: INT64
- Unit: 1
- type indicates whether the certificate is Google-managed (MANAGED) or self-managed (SELF_MANAGED).
- scope indicates whether the certificate scope is Cloud Load Balancing (DEFAULT) or Media CDN (EDGE_CACHE).
- is_active indicates whether the certificate is active. Valid values are true and false.
certificatemanager.googleapis.com/map/entries
- Kind: GAUGE
- Type: INT64
- Unit: 1
- is_primary indicates whether the certificate map entry is the primary entry in the certificate map. Valid values are true and false.
What's next
- Deploy a Google-managed certificate with DNS authorization (tutorial)
- Deploy a Google-managed certificate with load balancer authorization (tutorial)
- Deploy a Google-managed certificate with CA Service (tutorial)
- Deploy a self-managed certificate (tutorial)
- Migrate a certificate to Certificate Manager
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations