No traffic log for SSL Certificate Errors when using Client Authorization for 2 way TLS

We have several customers connecting to our APIs using 2-way TLS. Valid requests are working great and each request/response appears in the Apigee traffic log. When a request is rejected, Apigee responds with error messages as described here, but there is no evidence of the request/response in Apigee.

We want to know when a client receives a certificate error. Ideally every failed request/response would appear in the Apigee traffic logs. Based on the Apigee docs we would expect to see an HTTP 400 log entry for each failed request.

Is it possible to see a log of these requests and/or setup alerts for certificate errors?


Apigee has Edge Gateway components https://docs.apigee.com/private-cloud/v4.51.00/overview#architecturaloverview-apigeeedgegateway

and the Router is one of the key components that takes care of TLS/SSL.

FYI:
A Router handles all incoming API traffic from a load balancer, determines the organization and environments for the API proxy that handles the request, balances requests across available Message Processors, and then dispatches the request. The Router terminates the HTTP request, handles the TLS/SSL traffic, and uses the virtual host name, port, and URI to steer requests to the appropriate Message Processor.

If it fails in such scenarios, it will be recorded only in the Router logs and never forwarded to the Message Processor, so there is nothing to view there.

https://docs.apigee.com/api-platform/troubleshoot/runtime/ssl-handshake-failures

FYI:

A Message Processor processes API requests. The Message Processor evaluates an incoming request, executes any Apigee policies, and calls the back-end systems and other systems to retrieve data. Once those responses have been received, the Message Processor formats a response and returns it to the client.

Reference for the on-prem log path and enabling logging (you will only do this for troubleshooting):

/opt/apigee/var/log/edge-router/nginx/

https://docs.apigee.com/api-platform/troubleshoot/debugging/enable-nginx-debug-logs-on-routers


To your question: you may see them if you enable logs, which you will never do unless there is a real need to troubleshoot the issue for a short time.

One way you can do this is to enable some kind of alerting via logs (based on patterns). It may generate a lot of alerts if someone uses incorrect certs, and there won't be any request logs recorded, but in general you can capture the source IP and other client metadata for any investigation into who is using incorrect certs and why, and inform them.


Good luck.
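As an added illustration of the pattern-based alerting the reply suggests (example code, not from the original post or from Apigee): the script below scans nginx-style error-log lines for client-certificate failures, keeps the source IP and request, and flags IPs that fail repeatedly. The log lines are constructed samples in the shape of nginx's error log; the exact wording in the Router's own log may differ, so the match patterns are an assumption to adjust against a real log.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of nginx's error log (the Apigee Router
# is nginx-based). They are NOT copied from a real router log, so the exact text
# under /opt/apigee/var/log/edge-router/nginx/ may differ from these patterns.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [info] 1234#0: *88 client sent no required SSL certificate while reading client request headers, client: 203.0.113.10, server: api.example.com, request: "GET /v1/orders HTTP/1.1"
2024/05/01 10:00:02 [info] 1234#0: *89 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate) while SSL handshaking, client: 203.0.113.10, server: 0.0.0.0:443
2024/05/01 10:00:03 [info] 1234#0: *90 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: 198.51.100.7, server: api.example.com, request: "POST /v1/orders HTTP/1.1"
2024/05/01 10:00:04 [info] 1234#0: *91 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.5, server: 0.0.0.0:443
"""

# Message fragments that indicate a client-certificate problem, mapped to a short
# alert label. Plain handshake aborts ("peer closed connection") are left out as noise.
CERT_ERROR_PATTERNS = {
    "client sent no required SSL certificate": "no_client_cert",
    "client SSL certificate verify error": "cert_verify_failed",
    "SSL_do_handshake() failed": "handshake_failed",
}
CLIENT_RE = re.compile(r"client: ([0-9a-fA-F.:]+)")
REQUEST_RE = re.compile(r'request: "([^"]*)"')

def parse_cert_failures(log_text):
    """Return one event per log line that matches a client-cert failure pattern."""
    events = []
    for line in log_text.splitlines():
        label = next((v for k, v in CERT_ERROR_PATTERNS.items() if k in line), None)
        if label is None:
            continue
        client = CLIENT_RE.search(line)
        request = REQUEST_RE.search(line)
        events.append({
            "timestamp": line[:19],
            "client": client.group(1) if client else "unknown",
            "reason": label,
            "request": request.group(1) if request else None,
        })
    return events

def count_by_client(events):
    """Failures per source IP: who to contact about a bad or missing cert."""
    return Counter(e["client"] for e in events)

def clients_over_threshold(events, threshold):
    """Source IPs with at least `threshold` failures, as input for an alert rule."""
    return sorted(ip for ip, n in count_by_client(events).items() if n >= threshold)
```

Point `parse_cert_failures` at a rotated copy of the Router error log and feed `clients_over_threshold` into whatever alerting you already have; the threshold keeps one-off mistakes from paging anyone.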