Logs and metrics

This page explains how Certificate Manager logs various types of information about its operation and how to view that information.

Logs

To view Certificate Manager logs, use the Logs Explorer in the Google Cloud console.

Certificate Manager provides Google Cloud logs described in Google Cloud logs.

Certificate Manager uses Cloud Logging to capture and store logs. Certificate Manager logging is always enabled and only captures a minimal amount of information specifically related to certificate expiration. The Certificate Manager monitored resource type is certificatemanager.googleapis.com/Project.

You can also capture and retrieve Certificate Manager logs using Cloud Logging. See the documentation for Cloud Logging client libraries for information on how to configure this logging mechanism.

Configure log alerts

You can configure alerts for events that Certificate Manager writes to Cloud Logging, such as certificate expiration. For instructions, see Configure log-based alerts.

For example, to configure an alert for certificates that have expired, use the following as the alert query:

logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "EXPIRED"

If you want to configure an alert for certificates that are close to expiration, use the following as the alert query:

logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "CLOSE_TO_EXPIRY"

Replace PROJECT_ID with the ID of the target Google Cloud project.

Metrics

This section lists the metrics supported by Certificate Manager. To view Certificate Manager metrics, use the Metrics Explorer in the Google Cloud console.

Standard metrics

Certificate Manager writes the following standard Cloud Monitoring API metrics:

Metric Description
serviceruntime.googleapis.com/api/request_count
  • Kind: Delta
  • Type: INT64
  • Unit: 1
 Cumulative count of completed requests. The following labels apply:
  • protocol indicates the request's protocol, such as http or grpc.
  • response_code is the HTTP (or equivalent for gRPC) response code for HTTP/gRPC requests. See code list.
  • response_code_class is the class (or equivalent for gRPC) of the response code, such as `200` or `400`.
  • grpc_status_code is the gRPC response code or its HTTP equivalent. See code list.
serviceruntime.googleapis.com/api/request_latencies
  • Kind: Delta
  • Type: DISTRIBUTION
  • Unit: Seconds
 Distribution of latencies for non-streaming requests.
serviceruntime.googleapis.com/api/request_sizes
  • Kind: Delta
  • Type: DISTRIBUTION
  • Unit: Byte
 Distribution of request sizes. Request size is recorded when a request completes.
serviceruntime.googleapis.com/api/response_sizes
  • Kind: Delta
  • Type: DISTRIBUTION
  • Unit: Byte
 Distribution of response sizes. Response size is recorded when a request completes.

Custom metrics

Additionally, Certificate Manager writes the following custom metrics using the Cloud Monitoring API:

Metric Description
certificatemanager.googleapis.com/project/certificates
  • Kind: GAUGE
  • Type: INT64
  • Unit: 1
 Number of certificates provisioned within the target Google Cloud project. The following labels apply:
  • type indicates whether the certificate is Google-managed (MANAGED) or self-managed (SELF_MANAGED).
  • scope indicates whether the certificate scope is Cloud Load Balancing (DEFAULT) or Media CDN (EDGE_CACHE).
  • is_active indicates whether the certificate is active. Valid values are true and false.
certificatemanager.googleapis.com/map/entries
  • Kind: GAUGE
  • Type: INT64
  • Unit: 1
 Number of certificate map entries provisioned within the target Google Cloud project. The following labels apply:
  • is_primary indicates whether the certificate map entry is the primary entry in the certificate map. Valid values are true and false.

What's next