This page explains how Certificate Manager logs various types of information about its operation and how to view that information.
Logs
To view Certificate Manager logs, use the Logs Explorer in the Google Cloud console.
Certificate Manager provides Google Cloud logs described in Google Cloud logs.
Certificate Manager uses Cloud Logging to capture and
store logs. Certificate Manager logging is always enabled and
only captures a minimal amount of information specifically related to
certificate expiration. The Certificate Manager monitored resource type
is certificatemanager.googleapis.com/Project.
You can also capture and retrieve Certificate Manager logs using Cloud Logging. See the documentation for Cloud Logging client libraries for information on how to configure this logging mechanism.
Configure log alerts
You can configure alerts for events that Certificate Manager writes to Cloud Logging, such as certificate expiration. For instructions, see Configure log-based alerts.
For example, to configure an alert for certificates that have expired, use the following as the alert query:
logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "EXPIRED"
If you want to configure an alert for certificates that are close to expiration, use the following as the alert query:
logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "CLOSE_TO_EXPIRY"
Replace PROJECT_ID with the ID of the target Google Cloud project.
For Google-managed certificates CLOSE_TO_EXPIRY logs are generated daily, starting 5-10 days before
expiration, depending on the certificate's lifetime and renewal process. For self-managed
certificates too, CLOSE_TO_EXPIRY logs are generated daily, starting 10 days before expiration.
Metrics
This section lists the metrics supported by Certificate Manager. To view Certificate Manager metrics, use the Metrics Explorer in the Google Cloud console.
Standard metrics
Certificate Manager writes the following standard Cloud Monitoring API metrics:
| Metric | Description |
|---|---|
serviceruntime.googleapis.com/api/request_count
|
Cumulative count of completed requests. The following labels apply:
|
serviceruntime.googleapis.com/api/request_latencies
|
Distribution of latencies for non-streaming requests. |
serviceruntime.googleapis.com/api/request_sizes
|
Distribution of request sizes. Request size is recorded when a request completes. |
serviceruntime.googleapis.com/api/response_sizes
|
Distribution of response sizes. Response size is recorded when a request completes. |
Custom metrics
Additionally, Certificate Manager writes the following custom metrics using the Cloud Monitoring API:
| Metric | Description |
|---|---|
certificatemanager.googleapis.com/project/certificates
|
Number of certificates provisioned within the target Google Cloud project. The following labels apply:
|
certificatemanager.googleapis.com/map/entries
|
Number of certificate map entries provisioned within the target Google Cloud project. The following labels apply:
|
What's next
- Deploy a Google-managed certificate with DNS authorization (tutorial)
- Deploy a Google-managed certificate with load balancer authorization (tutorial)
- Deploy a Google-managed certificate with CA Service (tutorial)
- Deploy a self-managed certificate (tutorial)
- Migrate a certificate to Certificate Manager
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations