CT Log Status¶
Monitoring Module CT Log
The CT Log Status view shows which Certificate Transparency logs NOB.center is configured to watch, whether each log is currently enabled, and whether our processing is lagging behind that log's published head.
This page is mainly useful when you want to understand the freshness of Certificate Transparency monitoring. A lagging log does not usually mean data is lost. It means NOB.center is still processing entries from that log and has not fully caught up to the most recent entries published by the log operator.
What the log types mean¶
CT logs expose certificate entries through one of two API styles:
| Type | Meaning | What to know |
|---|---|---|
rfc6962 |
The classic Certificate Transparency HTTP API defined by RFC 6962. | This is the long-standing CT log interface used by many major log operators. NOB.center reads entries in ranges and advances through the log as new certificates are appended. |
tiled |
The newer Static CT API style, sometimes called a tiled log. | Entries are arranged in tiles that can be fetched and verified efficiently. NOB.center processes these logs with a separate tiled-log tailer, but the resulting certificate matches appear in the same CT monitoring feed. |
Both types serve the same purpose from a monitoring perspective: they publish certificates and precertificates that can match your domain filters. The type only describes how NOB.center reads the log.
Enabled and disabled logs¶
An enabled log is actively tailed by NOB.center. New entries from that log are fetched, parsed, matched against domain filters, and made available to alert rules.
A disabled log is known to NOB.center but not currently processed. Disabled logs are still shown so you can see the full configured set, but they are not part of active monitoring coverage.
Logs are usually disabled because they are operationally unstable or cannot keep up reliably enough with their own head. Common reasons include:
- Frequent timeouts or failed responses
- Rate limits that prevent steady catch-up
- Incomplete or inconsistent responses
- Long periods where the log cannot be tailed fast enough to stay current
When a log is disabled, NOB.center avoids depending on it for timely monitoring. Certificates from the same public issuance event are normally submitted to multiple CT logs, so other enabled logs may still observe the certificate.
What lag means¶
Every CT log has a head, which is the most recent position the log has published. NOB.center tracks how far its own processing position is behind that head.
The Status view intentionally shows only:
- No lag — processing is close enough to the current head for normal operation.
- Lag — processing is behind the head by more than the operational threshold.
It does not show the raw lag count. The count is noisy, varies by log size and publication rate, and is less useful than the operational question: are we meaningfully behind or not?
Why a log might be lagging¶
A lagging log usually means there is a delay between the latest certificates published by that log and the entries NOB.center has finished processing. In normal cases, this is a freshness delay of a few minutes to a few hours.
Lag can happen when:
- A log publishes a large burst of new certificate entries.
- The log operator responds slowly or intermittently.
- The log rate-limits requests.
- NOB.center retries failed batches before moving on.
- The tailer is catching up after a restart or deployment.
For most users, a temporary lag state is informational. It means matches from that specific log may appear later than usual. It does not mean your filters are disabled, and it does not mean matching has stopped across all CT logs.
Note
Certificate Transparency is intentionally redundant. A certificate is commonly submitted to more than one CT log, so a temporary delay on one log does not always delay detection entirely.
How to read the Status view¶
| Field | Meaning |
|---|---|
| Log | The CT log name as published by the log operator or configured by NOB.center. |
| Type | Whether the log is read through the rfc6962 API or the tiled API. |
| Enabled | Whether NOB.center currently processes this log. |
| Lag | Whether this enabled log is behind the operational freshness threshold. |
| Updated | When the status cache was last refreshed. The timestamp is shown in your browser's local timezone. |
Disabled logs may still show in the list because they are part of the known CT log configuration. Treat their disabled state as an operational choice, not as a problem with your organization or filters.
What you should do¶
In most cases, no action is required.
If you see Lag for an enabled log, it usually clears as the tailer catches up. Continue using the Certificate Transparency module normally; matching and alerting continue for other enabled logs.
If several important logs remain lagging for an extended period, NOB.center operators investigate the tailers, upstream CT log behavior, and health metrics. The Status page is designed to expose the high-level freshness state to you.