If you want to go that way, you could do it with timestamp.diff:
timestamp.diff ( StartTimeStamp [, Format [, EndTimeStamp ] ] )
Returns the difference (seconds, minutes,hours or days) between the EndTimeStamp ( or now if not provided ) and the StartTimeStamp using the Format specifier (seconds, minutes, hours,day)
However, that would be kind of an awkward solution in my opinion. There's a LUA probe around the community that uses openssl to check certs and alert, and probably QoS too.
If you want to go with logmon, I' d suggest you use the "-checkend <seconds>" argument with openssl, like so:
user@centos:~$ echo | openssl s_client -connect mail.google.com:443 2>/dev/null | openssl x509 -checkend 10000000
Certificate will expire
user@centos:~$ echo $?
1
user@centos:~$ echo | openssl s_client -connect mail.google.com:443 2>/dev/null | openssl x509 -checkend 1000000
Certificate will not expire
user@centos:~$ echo $?
0
As you can see, you can then easily catch either the message, or the exit code with logmon.
-jon